itk-dev · cableman · Sep 5, 2025 · Sep 5, 2025 · Sep 5, 2025 · Oct 28, 2025
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,68 @@
+/.git
+!/.git/config
+
+# Unneeded application files
+/.docker
+/.github
+/docs
+/fixtures
+/public/build
+/public/fixtures
+/public/media/*
+!public/media/thumbnail_other.png
+!public/media/thumbnail_video.png
+/scripts
+/tests
+
+###> symfony/framework-bundle ###
+/.env.local
+/.env.local.php
+/.env.*.local
+/config/secrets/prod/prod.decrypt.private.php
+/var/
+/vendor/
+###< symfony/framework-bundle ###
+
+###> friendsofphp/php-cs-fixer ###
+/.php-cs-fixer.php
+/.php-cs-fixer.cache
+###< friendsofphp/php-cs-fixer ###
+
+###> phpunit/phpunit ###
+/phpunit.xml
+.phpunit.result.cache
+###< phpunit/phpunit ###
+
+###> lexik/jwt-authentication-bundle ###
+/config/jwt/*.pem
+###< lexik/jwt-authentication-bundle ###
+
+xdebug.ini
+launch.json
+
+###> pentatrion/vite-bundle ###
+/node_modules/
+###< pentatrion/vite-bundle ###
+
+#> Playwright
+/test-results/
+/playwright-report/
+/blob-report/
+/playwright/.cache/
+#< Playwright
+
+###> vincentlanglet/twig-cs-fixer ###
+/.twig-cs-fixer.cache
+###< vincentlanglet/twig-cs-fixer ###
+
+docker-compose.*
+phpstan.dist.neon
+psalm*
+playwright.*
+phpunit.*
+rector.php
+Taskfile.yml
+.markdown*
+.php-cs-fixer.dist.php
+.twig-cs-fixer.dist.php
+.prettier
diff --git a/.env b/.env
@@ -19,7 +19,7 @@ ITKDEV_TEMPLATE=symfony-6
 
 ###> symfony/framework-bundle ###
 APP_ENV=dev
-APP_SECRET=22d8a60c047b96413b3337e3ddae3da9
+APP_SECRET=CHANGE_ME
 TRUSTED_PROXIES=127.0.0.1,REMOTE_ADDR
 ###< symfony/framework-bundle ###
 
@@ -42,7 +42,7 @@ CORS_ALLOW_ORIGIN='^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?$'
 ###> lexik/jwt-authentication-bundle ###
 JWT_SECRET_KEY=%kernel.project_dir%/config/jwt/private.pem
 JWT_PUBLIC_KEY=%kernel.project_dir%/config/jwt/public.pem
-JWT_PASSPHRASE=APP_JWT_PASSPHRASE
+JWT_PASSPHRASE=CHANGE_ME
 # Default: 1 hour
 JWT_TOKEN_TTL=3600
 # Default: 15 days

diff --git a/.github/workflows/apispec.yaml b/.github/workflows/apispec.yaml
@@ -1,6 +1,7 @@
 on: pull_request
 
 name: Api Spec
+run-name: "Api Spec - ${{ github.head_ref || github.ref_name }}"
 
 jobs:
   apispec:
@@ -9,7 +10,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php: ["8.3"]
+        php: ["8.4"]
     steps:
       - name: Checkout
         uses: actions/checkout@v4

diff --git a/.github/workflows/changelog.yaml b/.github/workflows/changelog.yaml
@@ -7,6 +7,7 @@
 ### Checks that changelog has been updated
 
 name: Changelog
+run-name: "Changelog - ${{ github.head_ref || github.ref_name }}"
 
 on:
   pull_request:

diff --git a/.github/workflows/composer.yaml b/.github/workflows/composer.yaml
@@ -24,6 +24,7 @@
 ###    ```
 
 name: Composer
+run-name: "Composer - ${{ github.head_ref || github.ref_name }}"
 
 env:
   COMPOSE_USER: runner

diff --git a/.github/workflows/composer_install.yaml b/.github/workflows/composer_install.yaml
@@ -1,6 +1,7 @@
 on: pull_request
 
 name: Composer install
+run-name: "Composer install - ${{ github.head_ref || github.ref_name }}"
 
 jobs:
   test-composer-install:
@@ -10,7 +11,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php: ["8.3"]
+        php: ["8.4"]
     name: Composer install in prod mode (PHP ${{ matrix.php}})
     steps:
       - name: Checkout

diff --git a/...flows/os2display_docker_build_develop.yml → ...hub/workflows/docker_build_stg_images.yml b/...flows/os2display_docker_build_develop.yml → ...hub/workflows/docker_build_stg_images.yml
@@ -2,10 +2,11 @@
 on:
   push:
     branches:
-      - "develop"
+      - "release/*"
 
-# This Action builds to os2display/* using ./infrastructure/os2display/*
-name: OS2display - Build docker image (develop)
+# This Action builds to os2display/* using ./infrastructure/*
+name: Build docker image (develop)
+run-name: "Build docker image (staging) - ${{ github.head_ref || github.ref_name }}"
 
 jobs:
   docker:
@@ -14,15 +15,18 @@ jobs:
       APP_VERSION: develop
       COMPOSER_ALLOW_SUPERUSER: 1
     steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
       - name: Login to DockerHub
         uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
       # Build api
       - name: Docker meta (API)
         id: meta-api
@@ -31,15 +35,18 @@ jobs:
           images: os2display/display-api-service
 
       - name: Build and push (API)
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
-          context: ./infrastructure/os2display/display-api-service/
-          file: ./infrastructure/os2display/display-api-service/Dockerfile
+          context: ./infrastructure/display-api-service/
+          file: ./infrastructure/display-api-service/Dockerfile
           build-args: |
             VERSION=${{ env.APP_VERSION }}
           push: true
           tags: ${{ steps.meta-api.outputs.tags }}
           labels: ${{ steps.meta-api.outputs.labels }}
+          provenance: mode=max
+          sbom: true
+          platforms: linux/amd64,linux/arm64
 
       # Build nginx (depends on api build)
       - name: Docker meta (Nginx)
@@ -49,12 +56,15 @@ jobs:
           images: os2display/display-api-service-nginx
 
       - name: Build and push (Nginx)
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@v6
         with:
-          context: ./infrastructure/os2display/nginx/
-          file: ./infrastructure/os2display/nginx/Dockerfile
+          context: ./infrastructure/nginx/
+          file: ./infrastructure/nginx/Dockerfile
           build-args: |
             APP_VERSION=${{ env.APP_VERSION }}
           push: true
           tags: ${{ steps.meta-nginx.outputs.tags }}
           labels: ${{ steps.meta-nginx.outputs.labels }}
+          provenance: mode=max
+          sbom: true
+          platforms: linux/amd64,linux/arm64
diff --git a/.github/workflows/doctrine.yaml b/.github/workflows/doctrine.yaml
@@ -1,6 +1,7 @@
 on: pull_request
 
 name: Doctrine
+run-name: "Doctrine - ${{ github.head_ref || github.ref_name }}"
 
 jobs:
   validate-doctrine-shema:
@@ -10,7 +11,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        php: ["8.3"]
+        php: ["8.4"]
     name: Validate Schema (PHP ${{ matrix.php}})
     services:
       mariadb:

diff --git a/.github/workflows/github_build_release.yml b/.github/workflows/github_build_release.yml
@@ -1,45 +1,140 @@
+# This workflow builds a GitHub release on tag creation and then builds and
+# pushes Docker images to GitHub Container Registry.
+
 on:
   push:
     tags:
-      - "*.*.*"
+      - "*"
 
 name: Create Github Release
+run-name: "Create Github Release - ${{ github.head_ref || github.ref_name }}"
 
-permissions:
-  contents: write
+env:
+  COMPOSE_USER: runner
 
 jobs:
   create-release:
     runs-on: ubuntu-latest
-    env:
-      COMPOSER_ALLOW_SUPERUSER: 1
-      APP_ENV: prod
+    permissions:
+      contents: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
-      - name: Composer install
+      - name: Setup docker network
         run: |
           docker network create frontend
-          docker compose run --rm --user=root --env APP_ENV=prod phpfpm composer install --no-dev -o --classmap-authoritative
-          docker compose run --rm --user=root --env APP_ENV=prod phpfpm composer clear-cache
+
+      - name: Install dependencies with composer
+        run: |
+          docker compose run --rm --env APP_ENV=prod phpfpm composer install --no-dev -o --classmap-authoritative
+          docker compose run --rm --env APP_ENV=prod phpfpm composer clear-cache
+
+      - name: Installs node dependencies with npm
+        run: |
+          docker compose run --rm node npm install
+          docker compose run --rm node npm run build
+
+      - name: Cleanup after install
+        run: |
+          sudo chown -R runner:runner .
+          rm -rf docs
           rm -rf infrastructure
+          rm -rf fixtures
+          rm -rf tests
+          rm -rf node_modules
 
       - name: Make assets dir
         run: |
           mkdir -p ../assets
 
       - name: Create archive
         run: |
-          tar \
-            -zcf ../assets/${{ github.event.repository.name }}-${{ github.ref_name }}.tar.gz ./*
+          tar -zcf ../assets/${{ github.event.repository.name }}-${{ github.ref_name }}.tar.gz ./*
 
       - name: Create checksum
         run: sha256sum ../assets/${{ github.event.repository.name }}-${{ github.ref_name }}.tar.gz > ../assets/checksum.txt
 
       - name: Create a release in GitHub and uploads assets
         run: |
-          gh release create ${{ github.ref_name }} --verify-tag --generate-notes ../assets/*.*
+          gh release create ${{ github.ref_name }} --verify-tag --generate-notes ${{ steps.prerelease.outputs.flag }} ../assets/*.*
         env:
           GITHUB_TOKEN: ${{ github.TOKEN }}
         shell: bash
+
+  images:
+    needs: create-release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+      attestations: write
+      id-token: write
+    env:
+      REGISTRY: ghcr.io
+      IMAGE_NAME_MAIN: ${{ github.repository }}
+      IMAGE_NAME_NGINX: ${{ github.repository }}-nginx
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+        with:
+          ref: ${{ github.ref_name }}
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@65b78e6e13532edd9afa3aa52ac7964289d1a9c1
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      # Build main
+      - name: Docker meta (main)
+        id: meta-main
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_MAIN }}
+          tags: |
+            type=raw,value=${{ github.ref_name }}
+
+      - name: Build and push Docker image (main)
+        id: push-main
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: .
+          file: ./infrastructure/display-api-service/Dockerfile
+          build-args: |
+            APP_VERSION=${{ github.ref_name }}
+          push: true
+          tags: ${{ steps.meta-main.outputs.tags }}
+          labels: ${{ steps.meta-main.outputs.labels }}
+          sbom: true
+
+      # Build Nginx (depends on main)
+      - name: Docker meta (nginx)
+        id: meta-nginx
+        uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME_NGINX }}
+          tags: |
+            type=raw,value=${{ github.ref_name }}
+
+      - name: Build and push Docker image (nginx)
+        id: push-nginx
+        uses: docker/build-push-action@f2a1d5e99d037542a71f64918e516c093c6f3fc4
+        with:
+          context: ./infrastructure/nginx/
+          file: ./infrastructure/nginx/Dockerfile
+          build-args: |
+            APP_VERSION=${{ github.ref_name }}
+            APP_IMAGE=${{ env.IMAGE_NAME_MAIN }}
+          push: true
+          pull: true
+          tags: ${{ steps.meta-nginx.outputs.tags }}
+          labels: ${{ steps.meta-nginx.outputs.labels }}
+          sbom: true
-Original file line number
+Diff line change
@@ Expand Up / @@ -24,6 +24,7 @@ @@
     ###    ```
     name: Composer
+    run-name: "Composer - ${{ github.head_ref || github.ref_name }}"
     env:
       COMPOSE_USER: runner
@@ Expand Down @@