Security hardening, upgrade php to 8.4 (#177)

* feat: enable zstd and gzip compression in Caddyfile. * dev: mount Caddyfile and php.ini in webapp * refactor: remove all local port bindings in docker-compose.yml * build: bump php base images to 8.4.4 * tweak: use high UID for container app user * CI: use step-security/harden-runner and pinned commit hashes * ci: use php 8.4 in CI runner
2025-10-04 21:24:45 +08:00 · 2025-03-15 12:32:22 -06:00 · 2025-03-15 12:32:22 -06:00 · f7531d105f
commit f7531d105f
parent 4600ac095a
7 changed files with 33 additions and 27 deletions
--- a/.github/workflows/run-checks.yaml
+++ b/.github/workflows/run-checks.yaml
@ -6,17 +6,25 @@ on:
  pull_request:
    branches: [ main ]

+permissions: # added using https://github.com/step-security/secure-repo
+  contents: read
+
 jobs:
  build:
    runs-on: ubuntu-latest

    steps:
-      - uses: actions/checkout@v4
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      - name: Setup PHP
-        uses: shivammathur/setup-php@v2
+        uses: shivammathur/setup-php@9e72090525849c5e82e596468b86eb55e9cc5401 # v2
        with:
-          php-version: '8.3'
+          php-version: '8.4'

      - name: Install Composer dependencies
        run: composer install
--- a/docker-compose.override.yml.dist
+++ b/docker-compose.override.yml.dist
@ -2,17 +2,18 @@
 # This is an example file only, and is NOT loaded by default.

 services:
-  webapp:
-    environment:
-        - XDEBUG_CONFIG=idekey=PHPSTORM start_with_request=true var_display_max_depth=-1 max_nesting_level=3000 client_host=172.17.0.1
-        - PHP_IDE_CONFIG=serverName=application.local
-        - XDEBUG_MODE=develop,debug,coverage
+    webapp:
+        ports:
+            - ${LOCAL_HTTP_PORT:-8099}:80
+        environment:
+            - XDEBUG_CONFIG=idekey=PHPSTORM start_with_request=true var_display_max_depth=-1 max_nesting_level=3000 client_host=172.17.0.1
+            - PHP_IDE_CONFIG=serverName=application.local
+            - XDEBUG_MODE=develop,debug,coverage

-    ports: !reset []
-
-  nginx:
-    ports: !reset []
-
-  postgres:
-    ports: !reset []
+    postgres:
+        ports:
+            - "${LOCAL_POSTGRES_PORT:-5432}:5432"

+    mailpit:
+        ports:
+            - "${LOCAL_MAILPIT_PORT:-8025}:8025"
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -4,10 +4,10 @@ services:
            context: .
            dockerfile: docker/webapp/Dockerfile
            target: dev
-        ports:
-            - ${LOCAL_HTTP_PORT:-8099}:80
        volumes:
            - .:/app
+            - ./docker/webapp/Caddyfile:/etc/caddy/Caddyfile
+            - ./docker/webapp/php.ini:/usr/local/etc/php/php.ini
        networks:
            traefik: ~
            app-net: ~
@ -31,8 +31,6 @@ services:
            - POSTGRES_PASSWORD=password
            - PGDATA=/opt/pgdata
            - POSTGRES_DB=aspirecloud
-        ports:
-            - "${LOCAL_POSTGRES_PORT:-5432}:5432"
        volumes:
            - postgresdata:/opt/pgdata
        networks:
@ -68,8 +66,6 @@ services:
    mailpit:
        image: axllent/mailpit:v1.21.4
        restart: unless-stopped
-        ports:
-            - "${LOCAL_MAILPIT_PORT:-8025}:8025"
        networks:
            app-net: ~
            aspire-net:
--- a/docker/cli/Dockerfile
+++ b/docker/cli/Dockerfile
@ -1,4 +1,4 @@
-FROM php:8.4-cli AS base
+FROM php:8.4.4-cli-bookworm AS base

 COPY --from=composer:2.8.5 /usr/bin/composer /usr/bin/composer
 ADD --chmod=0755 https://github.com/mlocati/docker-php-extension-installer/releases/download/2.7.14/install-php-extensions /usr/local/bin/
@ -9,7 +9,7 @@ RUN install-php-extensions pdo pdo_pgsql zip intl redis

 COPY ./docker/cli/php.ini /usr/local/etc/php/php.ini

-RUN useradd --create-home --shell /bin/bash app
+RUN useradd --uid 100000 --create-home --shell /bin/bash app

 WORKDIR /app

--- a/docker/laravel-worker/Dockerfile
+++ b/docker/laravel-worker/Dockerfile
@ -1,4 +1,4 @@
-FROM php:8.3-cli AS base
+FROM php:8.4.4-cli-bookworm AS base

 COPY --from=composer:2.8.5 /usr/bin/composer /usr/bin/composer
 ADD --chmod=0755 https://github.com/mlocati/docker-php-extension-installer/releases/download/2.7.14/install-php-extensions /usr/local/bin/
@ -9,7 +9,7 @@ RUN install-php-extensions pdo pdo_pgsql zip intl opcache redis

 COPY ./docker/cli/php.ini /usr/local/etc/php/php.ini

-RUN useradd --create-home --shell /bin/bash app
+RUN useradd --uid 100000 --create-home --shell /bin/bash app

 WORKDIR /app

--- a/docker/webapp/Caddyfile
+++ b/docker/webapp/Caddyfile
@ -10,4 +10,5 @@ http:// {
    root * /app/public
    php_server
    log
+    encode zstd gzip
 }
--- a/docker/webapp/Dockerfile
+++ b/docker/webapp/Dockerfile
@ -1,4 +1,4 @@
-FROM dunglas/frankenphp:1.4.1-php8.4.3-bookworm AS base
+FROM dunglas/frankenphp:1.4.4-php8.4.4-bookworm AS base

 COPY --from=composer:2.8.5 /usr/bin/composer /usr/bin/composer
 ADD --chmod=0755 https://github.com/mlocati/docker-php-extension-installer/releases/download/2.7.14/install-php-extensions /usr/local/bin/
@ -15,7 +15,7 @@ COPY ./docker/webapp/php.ini /usr/local/etc/php/php.ini

 # frankenphp sets XDG_CONFIG_HOME=/config and XDG_DATA_HOME=/data, and I won't change these in case they're hardwired

-RUN useradd --create-home --shell /bin/bash app \
+RUN useradd --uid 100000 --create-home --shell /bin/bash app \
    && chown -R app:app /config /data \
    && apt update \
    && apt install -y nodejs npm postgresql-client