feat: add lint, build, test, push pipeline with SHA-pinned actions

- Split single build job into 4 jobs: lint, build, test, push
- SHA-pin all actions for supply chain security
- Use ChristopherHX artifact actions (Gitea-compatible)
- Add tests/test.sh with Docker bridge gateway networking
- Add hadolint ignore for apt/brace patterns

.gitea/workflows/docker-build.yaml

@@ -9,38 +9,74 @@ on:
     - cron: '0 0 * * *'
 
 jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
+
+      - name: Hadolint
+        uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf  # v3.1.0
+        with:
+          dockerfile: Dockerfile
+
   build:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v6
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
 
-      - name: Set up Docker Buildx
+      - name: Build image
-        uses: docker/setup-buildx-action@v4
+        run: docker build -t ci-image:${{ github.sha }} .
+
+      - name: Save image
+        run: docker save -o image.tar ci-image:${{ github.sha }}
+
+      - name: Upload artifact
+        uses: https://github.com/ChristopherHX/gitea-upload-artifact@62ac910c5d3dfa85c7cb2df15afe2e342b2407c2  # main
+        with:
+          name: docker-image
+          path: image.tar
+          retention-days: 1
+
+  test:
+    runs-on: ubuntu-latest
+    needs: [lint, build]
+    steps:
+      - name: Checkout
+        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6
+
+      - name: Download artifact
+        uses: https://github.com/ChristopherHX/gitea-download-artifact@75635f32b4c1c41c4b3d64e8f85210112ed4c9c7  # main
+        with:
+          name: docker-image
+
+      - name: Load image
+        run: docker load < image.tar
+
+      - name: Run tests
+        run: bash tests/test.sh ci-image:${{ github.sha }}
+
+  push:
+    runs-on: ubuntu-latest
+    needs: test
+    if: github.event_name != 'pull_request'
+    steps:
+      - name: Download artifact
+        uses: https://github.com/ChristopherHX/gitea-download-artifact@75635f32b4c1c41c4b3d64e8f85210112ed4c9c7  # main
+        with:
+          name: docker-image
+
+      - name: Load image
+        run: docker load < image.tar
 
       - name: Login to Docker Hub
-        if: github.event_name != 'pull_request'
+        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee  # v4
-        uses: docker/login-action@v4
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Docker metadata
+      - name: Tag and push
-        id: meta
+        run: |
-        uses: docker/metadata-action@v6
+          docker tag ci-image:${{ github.sha }} jcabillot/phpapache:latest
-        with:
+          docker push jcabillot/phpapache:latest
-          images: jcabillot/phpapache
-          tags: |
-            #type=ref,event=branch
-            #type=ref,event=pr
-            #type=sha
-            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
-
-      - name: Build and push
-        uses: docker/build-push-action@v7
-        with:
-          context: .
-          push: ${{ github.event_name != 'pull_request' }}
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          pull: true

Dockerfile

@@ -1,6 +1,7 @@
 FROM "php:8.3-apache"
 LABEL maintainer="Julien Cabillot <dockerimages@cabillot.eu>"
 
+# hadolint ignore=DL3008,DL3015,SC3009
 RUN export DEBIAN_FRONTEND="noninteractive" && \
     sed -i'' 's/ServerSignature On/ServerSignature Off/; s/ServerTokens OS/ServerTokens Prod/' "/etc/apache2/conf-enabled/security.conf" && \
     sed -i'' 's/^Listen 80$/Listen 8080/' "/etc/apache2/ports.conf" && \

tests/test.sh

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+IMAGE="${1:?Usage: test.sh <image>}"
+CONTAINER_NAME="test-$(echo "$IMAGE" | tr ':/' '-')-$$"
+PASSED=0
+FAILED=0
+TOTAL=0
+
+cleanup() {
+  docker rm -f "$CONTAINER_NAME" >/dev/null 2>&1 || true
+}
+trap cleanup EXIT
+
+assert() {
+  local name="$1" expected="$2" actual="$3"
+  TOTAL=$((TOTAL + 1))
+  if [ "$expected" = "$actual" ]; then
+    echo "  PASS: $name"
+    PASSED=$((PASSED + 1))
+  else
+    echo "  FAIL: $name (expected: '$expected', got: '$actual')"
+    FAILED=$((FAILED + 1))
+  fi
+}
+
+assert_in() {
+  local name="$1" expected="$2" actual="$3"
+  TOTAL=$((TOTAL + 1))
+  if [ "$actual" -ge "$expected" ] && [ "$actual" -lt 500 ]; then
+    echo "  PASS: $name (got: $actual)"
+    PASSED=$((PASSED + 1))
+  else
+    echo "  FAIL: $name (expected < 500, got: $actual)"
+    FAILED=$((FAILED + 1))
+  fi
+}
+
+assert_match() {
+  local name="$1" pattern="$2" actual="$3"
+  TOTAL=$((TOTAL + 1))
+  if echo "$actual" | grep -qE "$pattern"; then
+    echo "  PASS: $name"
+    PASSED=$((PASSED + 1))
+  else
+    echo "  FAIL: $name (pattern: '$pattern', got: '$actual')"
+    FAILED=$((FAILED + 1))
+  fi
+}
+
+echo "Running container: $IMAGE"
+docker run -d --name "$CONTAINER_NAME" -p 8080:8080 "$IMAGE" >/dev/null
+
+DOCKER_GW=$(docker network inspect bridge --format '{{range .IPAM.Config}}{{.Gateway}}{{end}}')
+BASE_URL="http://${DOCKER_GW}:8080"
+
+echo "Waiting for container on ${DOCKER_GW}:8080..."
+for i in $(seq 1 30); do
+  if curl -sf -o /dev/null "$BASE_URL/" 2>/dev/null || [ "$(curl -s -o /dev/null -w '%{http_code}' "$BASE_URL/" 2>/dev/null)" != "000" ]; then
+    echo "Container ready after ${i}s"
+    break
+  fi
+  if [ "$i" -eq 30 ]; then
+    echo "FAIL: Container did not become ready within 30s"
+    docker logs "$CONTAINER_NAME"
+    exit 1
+  fi
+  sleep 1
+done
+
+echo ""
+echo "Test: GET / (Apache responds on port 8080)"
+RESPONSE=$(curl -s -D - "$BASE_URL/")
+STATUS=$(echo "$RESPONSE" | head -1 | grep -oP '\d{3}')
+SERVER=$(echo "$RESPONSE" | grep -i '^server:' | tr -d '\r' | cut -d: -f2- | xargs)
+
+assert_in "HTTP status is valid" 200 "$STATUS"
+assert_match "Server is Apache" "[Aa]pache" "$SERVER"
+
+echo ""
+echo "Results: $PASSED/$TOTAL passed, $FAILED failed"
+[ "$FAILED" -eq 0 ]