vincentchalamon/.gitlab-ci.yml

## .gitlab-ci.yml
variables:
    # Use TLS https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#tls-enabled
    DOCKER_HOST: tcp://docker:2376
    DOCKER_TLS_CERTDIR: "/certs"
    DOCKER_DRIVER: overlay2

.bake:
    image: docker:latest
    services:
        - docker:dind
    parallel:
        matrix:
            - PHP_VERSION: ['8.2', '8.3']
    variables:
        CI_REGISTRY_IMAGE_TAG: coopTilleuls/php:$PHP_VERSION
    before_script:
        # image is pushed to Docker Registry (docker.io)
        - docker login -u $HUB_REGISTRY_USER -p $HUB_REGISTRY_PASSWORD
        # cache is pushed to GitLab Registry (registry.gitlab.com)
        - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
        # must create context to use buildx with Docker TLS
        - docker context create builder
        - docker context use builder
        - docker buildx create --driver docker-container --platform linux/amd64 --use builder
        - docker buildx inspect --bootstrap --builder builder

test:
    only:
        - merge_requests
    extends: .bake
    cache:
        - key: trivy-cache
          paths:
              - .trivy/
    script:
        - docker buildx bake
            --print
            --pull
            --load
            --set *.platform=linux/amd64
            --set "*.cache-from=type=registry,ref=$CI_REGISTRY_IMAGE:$PHP_VERSION,mode=max"
            -f docker-bake.hcl
        - docker buildx bake
            --pull
            --load
            --set *.platform=linux/amd64
            --set "*.cache-from=type=registry,ref=$CI_REGISTRY_IMAGE:$PHP_VERSION,mode=max"
            -f docker-bake.hcl
        - docker run
            -v /var/run/docker.sock:/var/run/docker.sock
            -v ./.trivy:/.trivy aquasec/trivy
            image --ignore-unfixed --severity HIGH,CRITICAL --scanners vuln --cache-dir /.trivy $CI_REGISTRY_IMAGE_TAG

build-and-push:
    only:
        - main
    extends: .bake
    script:
        - docker buildx bake
            --print
            --pull
            --load
            --set *.platform=linux/amd64
            --set "*.cache-from=type=registry,ref=$CI_REGISTRY_IMAGE:$PHP_VERSION,mode=max"
            --set "*.cache-to=type=registry,ref=$CI_REGISTRY_IMAGE:$PHP_VERSION,mode=max"
            -f docker-bake.hcl
        - docker buildx bake
            --pull
            --push
            --load
            --set *.platform=linux/amd64
            --set "*.cache-from=type=registry,ref=$CI_REGISTRY_IMAGE:$PHP_VERSION,mode=max"
            --set "*.cache-to=type=registry,ref=$CI_REGISTRY_IMAGE:$PHP_VERSION,mode=max"
            -f docker-bake.hcl

## docker-bake.hcl
variable "PHP_VERSION" {
  default = "8.3"
}

variable "CI_REGISTRY_IMAGE_TAG" {
  default = "coopTilleuls/php:${PHP_VERSION}"
}

group "default" {
  targets = ["php"]
}

target "php" {
  dockerfile = "./Dockerfile"
  tags = ["${CI_REGISTRY_IMAGE_TAG}"]
  args = {
    PHP_VERSION = "${PHP_VERSION}"
  }
}
	variables:
	# Use TLS https://docs.gitlab.com/ee/ci/docker/using_docker_build.html#tls-enabled
	DOCKER_HOST: tcp://docker:2376
	DOCKER_TLS_CERTDIR: "/certs"
	DOCKER_DRIVER: overlay2

	.bake:
	image: docker:latest
	services:
	- docker:dind
	parallel:
	matrix:
	- PHP_VERSION: ['8.2', '8.3']
	variables:
	CI_REGISTRY_IMAGE_TAG: coopTilleuls/php:$PHP_VERSION
	before_script:
	# image is pushed to Docker Registry (docker.io)
	- docker login -u $HUB_REGISTRY_USER -p $HUB_REGISTRY_PASSWORD
	# cache is pushed to GitLab Registry (registry.gitlab.com)
	- docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
	# must create context to use buildx with Docker TLS
	- docker context create builder
	- docker context use builder
	- docker buildx create --driver docker-container --platform linux/amd64 --use builder
	- docker buildx inspect --bootstrap --builder builder

	test:
	only:
	- merge_requests
	extends: .bake
	cache:
	- key: trivy-cache
	paths:
	- .trivy/
	script:
	- docker buildx bake
	--print
	--pull
	--load
	--set *.platform=linux/amd64
	--set "*.cache-from=type=registry,ref=$CI_REGISTRY_IMAGE:$PHP_VERSION,mode=max"
	-f docker-bake.hcl
	- docker buildx bake
	--pull
	--load
	--set *.platform=linux/amd64
	--set "*.cache-from=type=registry,ref=$CI_REGISTRY_IMAGE:$PHP_VERSION,mode=max"
	-f docker-bake.hcl
	- docker run
	-v /var/run/docker.sock:/var/run/docker.sock
	-v ./.trivy:/.trivy aquasec/trivy
	image --ignore-unfixed --severity HIGH,CRITICAL --scanners vuln --cache-dir /.trivy $CI_REGISTRY_IMAGE_TAG

	build-and-push:
	only:
	- main
	extends: .bake
	script:
	- docker buildx bake
	--print
	--pull
	--load
	--set *.platform=linux/amd64
	--set "*.cache-from=type=registry,ref=$CI_REGISTRY_IMAGE:$PHP_VERSION,mode=max"
	--set "*.cache-to=type=registry,ref=$CI_REGISTRY_IMAGE:$PHP_VERSION,mode=max"
	-f docker-bake.hcl
	- docker buildx bake
	--pull
	--push
	--load
	--set *.platform=linux/amd64
	--set "*.cache-from=type=registry,ref=$CI_REGISTRY_IMAGE:$PHP_VERSION,mode=max"
	--set "*.cache-to=type=registry,ref=$CI_REGISTRY_IMAGE:$PHP_VERSION,mode=max"
	-f docker-bake.hcl
	variable "PHP_VERSION" {
	default = "8.3"
	}

	variable "CI_REGISTRY_IMAGE_TAG" {
	default = "coopTilleuls/php:${PHP_VERSION}"
	}

	group "default" {
	targets = ["php"]
	}

	target "php" {
	dockerfile = "./Dockerfile"
	tags = ["${CI_REGISTRY_IMAGE_TAG}"]
	args = {
	PHP_VERSION = "${PHP_VERSION}"
	}
	}