From d20f1613c32d682cc77d204cddea323e411691af Mon Sep 17 00:00:00 2001 From: Volodymyr Kolesnykov Date: Mon, 30 Oct 2023 08:16:03 +0200 Subject: [PATCH 01/12] ci: refactor build workflows --- .github/actions/build-docker-image/action.yml | 99 +++++++++++++++++++ .../actions/build-docker-image/markdown.tpl | 33 +++++++ .github/workflows/alpine.yml | 25 +---- 3 files changed, 137 insertions(+), 20 deletions(-) create mode 100644 .github/actions/build-docker-image/action.yml create mode 100644 .github/actions/build-docker-image/markdown.tpl diff --git a/.github/actions/build-docker-image/action.yml b/.github/actions/build-docker-image/action.yml new file mode 100644 index 00000000..80d5fc7c --- /dev/null +++ b/.github/actions/build-docker-image/action.yml 
@@ -0,0 +1,99 @@ +name: Build Docker image +description: Builds a Docker image +inputs: + context: + description: The directory containing the Dockerfile + required: true + file: + description: The Dockerfile to use + required: false + platforms: + description: The platforms to build for + required: false + default: linux/amd64,linux/arm64 + push: + description: Whether to push the image to the registry + required: true + primaryTag: + description: The primary tag to use for the image + required: true + tags: + description: The tags to use for the image + required: false + args: + description: List of build-time variables + required: false + cache-from: + description: List of external cache sources for buildx + required: false + cache-to: + description: List of cache export destinations for buildx + required: false + no-cache: + description: Do not use cache when building the image + required: false + default: 'false' + registry: + description: The registry to use + required: false + default: https://ghcr.io + username: + description: The username to use for the registry + required: false + default: ${{ github.actor }} + password: + description: The password to use for the registry + required: false + default: ${{ github.token }} +runs: + using: composite + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Log in to Docker Registry + uses: docker/login-action@v3 + with: + registry: ${{ inputs.registry }} + username: ${{ inputs.username }} + password: ${{ inputs.password }} + if: ${{ inputs.push }} + + - name: Build and push container image + uses: docker/build-push-action@v5 + with: + context: ${{ inputs.context }} + file: ${{ inputs.file }} + platforms: ${{ inputs.platforms }} + push: ${{ inputs.push }} + tags: | + ${{ inputs.primaryTag }} + ${{ inputs.tags }} + build-args: ${{ inputs.args }} + cache-from: ${{ inputs.cache-from }} + cache-to: ${{ inputs.cache-to }} + 
no-cache: ${{ inputs.no-cache }} + + - name: Load image to local Docker + uses: docker/build-push-action@v5 + with: + load: true + push: false + context: ${{ inputs.context }} + file: ${{ inputs.file }} + tags: | + ${{ inputs.primaryTag }} + ${{ inputs.tags }} + build-args: ${{ inputs.args }} + + - name: Security Scan + uses: aquasecurity/trivy-action@master + id: scan + with: + image-ref: ${{ inputs.primaryTag }} + format: template + template: "@.github/actions/build-docker-image/markdown.tpl" + output: trivy.md diff --git a/.github/actions/build-docker-image/markdown.tpl b/.github/actions/build-docker-image/markdown.tpl new file mode 100644 index 00000000..b7e1c954 --- /dev/null +++ b/.github/actions/build-docker-image/markdown.tpl @@ -0,0 +1,33 @@ +## Trivy Scan Report +{{- if . }} +{{- range . }} +## {{ .Target }} +### Vulnerabilities +{{- if (eq (len .Vulnerabilities) 0) }} +No vulnerabilities found. +{{- else }} +| Package | Vulnerability ID | Severity | Installed Version | Fixed Version | Links | +| ------- | ---------------- | :------: | ----------------- | ------------- | ----- | +{{- range .Vulnerabilities }} +| {{ .PkgName }} | {{ .VulnerabilityID }} | {{ .Vulnerability.Severity }} | {{ .InstalledVersion }} | {{ .FixedVersion }} | {{ .PrimaryURL }} | +{{- end }} + +{{- end }} + +### Misconfigurations +{{- if (eq (len .Misconfigurations ) 0) }} +No misconfigurations found. +{{- else }} +| Type | Misconfiguration ID | Check | Severity | Message | +| ---- | ------------------- | ----- | -------- | ------- | +{{- range .Misconfigurations }} +| {{ .Type }} | {{ .ID }} | {{ .Title }} | {{ .Severity }} | {{ .Message }}
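Review bot: The "Build and push container image" step publishes the image before the "Security Scan" step runs, and the scan sets neither `exit-code` nor `severity`, so Trivy findings can never block publication; reorder so the `load: true` build and the scan come first and the pushing build runs last, or at minimum add `exit-code: 1` with a severity threshold to the scan step. `uses: aquasecurity/trivy-action@master` is a mutable ref pulled into a composite action that also receives registry credentials (`inputs.password`, defaulting to `${{ github.token }}`); pin it to a release tag or a commit SHA like the other actions in this file. Composite-action inputs are strings, so `if: ${{ inputs.push }}` on the login step is likely truthy even when a caller passes `false`; `if: inputs.push == 'true'` makes the guard explicit.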
{{ .PrimaryURL }} | +{{- end }} + +{{- end }} + +{{- end }} + +{{- else }} +Trivy Returned Empty Report +{{- end }} diff --git a/.github/workflows/alpine.yml b/.github/workflows/alpine.yml index dc8efc8a..91d41ddf 100644 --- a/.github/workflows/alpine.yml +++ b/.github/workflows/alpine.yml @@ -30,31 +30,16 @@ jobs: - name: Check out the repo uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Get image version id: getversion - run: echo "version=$(head -n 1 alpine/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> $GITHUB_OUTPUT + run: echo "version=$(head -n 1 alpine/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> "${GITHUB_OUTPUT}" - - name: Build container image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: context: alpine - platforms: linux/amd64,linux/arm64 push: ${{ github.base_ref == null }} cache-from: type=gha,scope=alpine cache-to: type=gha,mode=max,scope=alpine - tags: | - ghcr.io/automattic/vip-container-images/alpine:latest - ghcr.io/automattic/vip-container-images/alpine:${{ steps.getversion.outputs.version }} + primaryTag: ghcr.io/automattic/vip-container-images/alpine:${{ steps.getversion.outputs.version }} + tags: ghcr.io/automattic/vip-container-images/alpine:latest From da4d1492a92fee97bd64e4ef81c93222090ab7cd Mon Sep 17 00:00:00 2001 From: Volodymyr Kolesnykov Date: Mon, 30 Oct 2023 08:42:36 +0200 Subject: [PATCH 02/12] ci: post Trivy Scan Report as a comment --- .github/actions/build-docker-image/action.yml | 26 ++++++++++++++++++- .github/workflows/alpine.yml | 3 +++ 2 files changed, 28 insertions(+), 1 deletion(-) 
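Review bot: `{{ .PkgName }}`, `{{ .Title }}` and `{{ .Message }}` are written into Markdown table cells unescaped, and these values come from the scanned image's package metadata and Trivy's finding text rather than from this repository, so a `|` or a line break in any of them breaks the table of the posted report. Either escape those characters in the template or wrap the cells in inline code, and prefer the same treatment for `{{ .Target }}` in the `## {{ .Target }}` heading.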
diff --git a/.github/actions/build-docker-image/action.yml b/.github/actions/build-docker-image/action.yml index 80d5fc7c..d28ee5ae 100644 --- a/.github/actions/build-docker-image/action.yml +++ b/.github/actions/build-docker-image/action.yml @@ -91,9 +91,33 @@ runs: - name: Security Scan uses: aquasecurity/trivy-action@master - id: scan with: image-ref: ${{ inputs.primaryTag }} format: template template: "@.github/actions/build-docker-image/markdown.tpl" output: trivy.md + if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]' + + - name: Security Scan + uses: aquasecurity/trivy-action@master + with: + image-ref: ${{ inputs.primaryTag }} + format: table + if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name != github.event.pull_request.base.repo.full_name || github.event.sender.login == 'dependabot[bot]' + + - name: Find Trivy Scan Report comment + uses: peter-evans/find-comment@v2 + id: fc + with: + issue-number: ${{ github.event.pull_request.number }} + body-includes: "## Trivy Scan Report" + if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]' + + - name: Create or update comment + uses: peter-evans/create-or-update-comment@v3 + with: + comment-id: ${{ steps.fc.outputs.comment-id }} + issue-number: ${{ github.event.pull_request.number }} + body-path: trivy.md + edit-mode: replace + if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]' diff --git a/.github/workflows/alpine.yml b/.github/workflows/alpine.yml index 91d41ddf..06b3063a 100644 --- a/.github/workflows/alpine.yml +++ b/.github/workflows/alpine.yml 
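Review bot: The same three-clause condition (`github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]'`) is repeated verbatim on three steps and in negated form on the table-format scan; the four guards can drift apart silently on the next edit. Compute it once in a `run:` step that writes a `comment` output and guard the steps with `if: steps.gate.outputs.comment == 'true'` (and `!= 'true'` for the table-format scan), passing the event fields through `env:` so no expression is interpolated into the shell. `peter-evans/find-comment@v2` and `peter-evans/create-or-update-comment@v3` run with the caller's `pull-requests: write` token; pinning them to commit SHAs limits what a compromised tag could do with it.
```yaml
      - name: Decide whether to post the scan report as a PR comment
        id: gate
        shell: bash
        env:
          EVENT_NAME: ${{ github.event_name }}
          HEAD_REPO: ${{ github.event.pull_request.head.repo.full_name }}
          BASE_REPO: ${{ github.event.pull_request.base.repo.full_name }}
          SENDER: ${{ github.event.sender.login }}
        run: |
          if [ "$EVENT_NAME" = pull_request ] && [ "$HEAD_REPO" = "$BASE_REPO" ] && [ "$SENDER" != 'dependabot[bot]' ]; then
            echo "comment=true" >> "$GITHUB_OUTPUT"
          else
            echo "comment=false" >> "$GITHUB_OUTPUT"
          fi
      # … unchanged: Security Scan, Find Trivy Scan Report comment and Create or update comment steps,
      #   each guarded with `if: steps.gate.outputs.comment == 'true'` (table-format scan: `!= 'true'`) …
```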
@@ -7,10 +7,12 @@ on: paths: - "alpine/**" - ".github/workflows/alpine.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "alpine/**" - ".github/workflows/alpine.yml" + - ".github/actions/build-docker-image/**" permissions: contents: read @@ -26,6 +28,7 @@ jobs: permissions: packages: write contents: read + pull-requests: write steps: - name: Check out the repo uses: actions/checkout@v4 From 5c883d7169a93854a3a54ee7bb403ab0d58c45ef Mon Sep 17 00:00:00 2001 From: Volodymyr Kolesnykov Date: Mon, 30 Oct 2023 08:44:55 +0200 Subject: [PATCH 03/12] ci: add support for multiple images --- .github/actions/build-docker-image/action.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/actions/build-docker-image/action.yml b/.github/actions/build-docker-image/action.yml index d28ee5ae..7d8655d3 100644 --- a/.github/actions/build-docker-image/action.yml +++ b/.github/actions/build-docker-image/action.yml @@ -110,7 +110,7 @@ runs: id: fc with: issue-number: ${{ github.event.pull_request.number }} - body-includes: "## Trivy Scan Report" + body-includes: ${{ inputs.primaryTag }} if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.event.pull_request.base.repo.full_name && github.event.sender.login != 'dependabot[bot]' - name: Create or update comment From 22d320e46aae1f326eff1caeb3891fdfbb24e679 Mon Sep 17 00:00:00 2001 From: Volodymyr Kolesnykov Date: Mon, 30 Oct 2023 08:49:43 +0200 Subject: [PATCH 04/12] ci: refactor dev-tools.yml --- .github/workflows/dev-tools.yml | 26 +++++++------------------- 1 file changed, 7 insertions(+), 19 deletions(-) diff --git a/.github/workflows/dev-tools.yml b/.github/workflows/dev-tools.yml index c63f38be..acf86608 100644 --- a/.github/workflows/dev-tools.yml +++ b/.github/workflows/dev-tools.yml 
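Review bot: `pull-requests: write` is added to the whole build job although only the find-comment and create-or-update-comment steps inside the composite action need it; on `push` events those steps are skipped, yet the build and scan steps still run with the elevated token. If the comment steps cannot be moved to a separate job, at least record the reason next to the permission, e.g. `pull-requests: write  # only for posting the Trivy report on same-repo PRs`. The same job-wide addition appears in dev-tools.yml, mu-plugins.yml, nginx.yml, photon.yml, php-fpm.yml, skeleton.yml, traefik.yml and wordpress.yml in the later commits of this series.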
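Review bot: Switching `body-includes` to `${{ inputs.primaryTag }}` makes the comment lookup depend on Trivy's report text containing the image reference (presumably through `{{ .Target }}` in markdown.tpl); when the template takes its `Trivy Returned Empty Report` branch, or if the Target string is formatted differently, no comment is found and a fresh one is created on every run. A `run:` step that prepends an explicit marker such as `<!-- trivy-report: IMAGE_TAG -->` to trivy.md (with the tag passed via `env:`, not interpolated into the script) and a matching `body-includes` would make the lookup independent of the scanner's output format. A plain substring match can also collide where one tag is a prefix of another (constructed example: `php-fpm:8.1` inside `php-fpm:8.1-alt`); a marker with a closing delimiter avoids that as well.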
@@ -7,10 +7,12 @@ on: paths: - "dev-tools/**" - ".github/workflows/dev-tools.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "dev-tools/**" - ".github/workflows/dev-tools.yml" + - ".github/actions/build-docker-image/**" permissions: contents: read @@ -26,31 +28,17 @@ jobs: permissions: packages: write contents: read + pull-requests: write steps: - name: Check out the repo uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build container image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: context: dev-tools - platforms: linux/amd64,linux/arm64 push: ${{ github.base_ref == null }} cache-from: type=gha,scope=dev-tools cache-to: type=gha,mode=max,scope=dev-tools - tags: | - ghcr.io/automattic/vip-container-images/dev-tools:latest - ghcr.io/automattic/vip-container-images/dev-tools:0.9 + primaryTag: ghcr.io/automattic/vip-container-images/dev-tools:0.9 + tags: ghcr.io/automattic/vip-container-images/dev-tools:0.9 From bbb3b22138379ddc2fce149d3aff425182c46a6c Mon Sep 17 00:00:00 2001 From: Volodymyr Kolesnykov Date: Mon, 30 Oct 2023 08:52:31 +0200 Subject: [PATCH 05/12] ci: refactor mu-plugins.yml --- .github/workflows/mu-plugins.yml | 27 +++++++-------------------- 1 file changed, 7 insertions(+), 20 deletions(-) diff --git a/.github/workflows/mu-plugins.yml b/.github/workflows/mu-plugins.yml index 6624aecd..2c42b3c9 100644 --- a/.github/workflows/mu-plugins.yml +++ b/.github/workflows/mu-plugins.yml 
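Review bot: The `latest` tag is lost in the second hunk: the removed step pushed both `dev-tools:latest` and `dev-tools:0.9`, but the new `tags:` input repeats `dev-tools:0.9`, which is already `primaryTag`, so after this change `ghcr.io/automattic/vip-container-images/dev-tools:latest` is never updated. Change the line to `tags: ghcr.io/automattic/vip-container-images/dev-tools:latest`, matching what alpine.yml and the other refactored workflows in this series do.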
@@ -7,10 +7,12 @@ on: paths: - "mu-plugins/**" - ".github/workflows/mu-plugins.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "mu-plugins/**" - ".github/workflows/mu-plugins.yml" + - ".github/actions/build-docker-image/**" workflow_dispatch: repository_dispatch: types: @@ -30,30 +32,15 @@ jobs: permissions: packages: write contents: read + pull-requests: write steps: - name: Check out the repo uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - if: github.event_name != 'pull_request' - - - name: Build container image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: context: mu-plugins - platforms: linux/amd64,linux/arm64 push: ${{ github.base_ref == null }} - tags: | - ghcr.io/automattic/vip-container-images/mu-plugins:latest - ghcr.io/automattic/vip-container-images/mu-plugins:0.1 + primaryTag: ghcr.io/automattic/vip-container-images/mu-plugins:0.1 + tags: ghcr.io/automattic/vip-container-images/mu-plugins:latest From 3ba43867f5a66f90e7dc6db5ccff96f11208a5e5 Mon Sep 17 00:00:00 2001 From: Volodymyr Kolesnykov Date: Mon, 30 Oct 2023 08:59:50 +0200 Subject: [PATCH 06/12] ci: refactor nginx.yml --- .github/workflows/nginx.yml | 33 ++++++++++++--------------------- 1 file changed, 12 insertions(+), 21 deletions(-) diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml index 5c52ea57..8ff48cac 100644 --- a/.github/workflows/nginx.yml +++ b/.github/workflows/nginx.yml 
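Review bot: The removed login step was guarded with `if: github.event_name != 'pull_request'`; the replacement relies on the composite action's `if: ${{ inputs.push }}`, and since composite inputs are strings that guard is likely truthy even when `push` is `false`, so registry login would now also be attempted on pull requests of this workflow. With a read-only token that is mostly noise, but it is a behaviour change the commit message does not mention; if it is unintended, the fix belongs in action.yml (`if: inputs.push == 'true'`) rather than here.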
@@ -7,10 +7,12 @@ on: paths: - "nginx/**" - ".github/workflows/nginx.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "nginx/**" - ".github/workflows/nginx.yml" + - ".github/actions/build-docker-image/**" permissions: contents: read @@ -26,35 +28,24 @@ jobs: permissions: packages: write contents: read + pull-requests: write steps: - name: Check out the repo uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Get image version id: getversion - run: echo "version=$(head -n 1 nginx/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> $GITHUB_OUTPUT + run: echo "version=$(head -n 1 nginx/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> "${GITHUB_OUTPUT}" - - name: Build container image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: context: nginx - platforms: linux/amd64,linux/arm64 + push: ${{ github.base_ref == null }} cache-from: type=gha,scope=nginx cache-to: type=gha,mode=max,scope=nginx - push: ${{ github.base_ref == null }} - tags: | - ghcr.io/automattic/vip-container-images/nginx:latest - ghcr.io/automattic/vip-container-images/nginx:${{ steps.getversion.outputs.version }} + primaryTag: ghcr.io/automattic/vip-container-images/nginx:${{ steps.getversion.outputs.version }} + tags: ghcr.io/automattic/vip-container-images/nginx:latest + registry: https://ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} From 121dc30a787dbb333d1e905da930911bfa908486 Mon Sep 17 00:00:00 2001 
From: Volodymyr Kolesnykov Date: Mon, 30 Oct 2023 09:03:07 +0200 Subject: [PATCH 07/12] ci: refactor photon.yml --- .github/workflows/photon.yml | 27 +++++++++------------------ 1 file changed, 9 insertions(+), 18 deletions(-) diff --git a/.github/workflows/photon.yml b/.github/workflows/photon.yml index c99a1709..63823277 100644 --- a/.github/workflows/photon.yml +++ b/.github/workflows/photon.yml @@ -7,10 +7,12 @@ on: paths: - "photon/**" - ".github/workflows/photon.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "photon/**" - ".github/workflows/photon.yml" + - ".github/actions/build-docker-image/**" permissions: contents: read @@ -26,30 +28,19 @@ jobs: permissions: packages: write contents: read + pull-requests: write steps: - name: Check out the repo uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build container image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: context: photon - platforms: linux/amd64,linux/arm64 push: ${{ github.base_ref == null }} cache-from: type=gha,scope=photon cache-to: type=gha,mode=max,scope=photon - tags: | - ghcr.io/automattic/vip-container-images/photon:latest + primaryTag: ghcr.io/automattic/vip-container-images/photon:latest + registry: https://ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} From a7dfd60faf3eedcca9c50e2f5af5c97d14511115 Mon Sep 17 00:00:00 2001 From: Volodymyr Kolesnykov Date: Mon, 30 Oct 2023 09:05:15 +0200 Subject: [PATCH 08/12] ci: refactor php-fpm.yml --- .github/workflows/php-fpm.yml | 28 ++++++++++------------------ 1 file changed, 10 insertions(+), 18 deletions(-) 
diff --git a/.github/workflows/php-fpm.yml b/.github/workflows/php-fpm.yml index 18805684..9d50d96d 100644 --- a/.github/workflows/php-fpm.yml +++ b/.github/workflows/php-fpm.yml @@ -7,10 +7,12 @@ on: paths: - "php-fpm/**" - ".github/workflows/php-fpm.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "php-fpm/**" - ".github/workflows/php-fpm.yml" + - ".github/actions/build-docker-image/**" permissions: contents: read @@ -26,6 +28,7 @@ jobs: permissions: packages: write contents: read + pull-requests: write strategy: fail-fast: false matrix: @@ -44,27 +47,16 @@ jobs: - name: Check out the repo uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build container image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: context: php-fpm - platforms: linux/amd64,linux/arm64 file: php-fpm/Dockerfile.${{ matrix.php.suffix }} push: ${{ github.base_ref == null }} - pull: true cache-from: type=gha,scope=php-fpm-${{ matrix.php.suffix }} cache-to: type=gha,mode=max,scope=php-fpm-${{ matrix.php.suffix }} - tags: ghcr.io/automattic/vip-container-images/php-fpm-alt:${{ matrix.php.name }}, ghcr.io/automattic/vip-container-images/php-fpm:${{ matrix.php.name }} + primaryTag: ghcr.io/automattic/vip-container-images/php-fpm:${{ matrix.php.name }} + tags: ghcr.io/automattic/vip-container-images/php-fpm-alt:${{ matrix.php.name }} + registry: https://ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} From 3a71519f92724a0ea608a8d0333e40b792150390 Mon Sep 17 00:00:00 2001 
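Review bot: `pull: true` is dropped from the build step in the third hunk and the composite action exposes no equivalent input, so `docker/build-push-action` will no longer refresh the base image referenced by `php-fpm/Dockerfile.${{ matrix.php.suffix }}` when a cached copy exists on the builder; rebuilds can keep an outdated base even after upstream publishes a fix. Add a `pull` input to `.github/actions/build-docker-image/action.yml` (default `'false'`, forwarded as `pull: ${{ inputs.pull }}`) and pass `pull: true` from this workflow, or state in the commit why the refresh is no longer needed.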
From: Volodymyr Kolesnykov Date: Mon, 30 Oct 2023 09:08:01 +0200 Subject: [PATCH 09/12] ci: refactor skeleton.yml --- .github/workflows/skeleton.yml | 24 ++++++------------------ 1 file changed, 6 insertions(+), 18 deletions(-) diff --git a/.github/workflows/skeleton.yml b/.github/workflows/skeleton.yml index 90be73f4..b0477589 100644 --- a/.github/workflows/skeleton.yml +++ b/.github/workflows/skeleton.yml @@ -7,10 +7,12 @@ on: paths: - "skeleton/**" - ".github/workflows/skeleton.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "skeleton/**" - ".github/workflows/skeleton.yml" + - ".github/actions/build-docker-image/**" workflow_dispatch: permissions: @@ -27,28 +29,14 @@ jobs: permissions: packages: write contents: read + pull-requests: write steps: - name: Check out the repo uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build container image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: context: skeleton - platforms: linux/amd64,linux/arm64 push: ${{ github.base_ref == null }} - tags: | - ghcr.io/automattic/vip-container-images/skeleton:latest + primaryTag: ghcr.io/automattic/vip-container-images/skeleton:latest From bfe7f3cbf9e03ad4827df5605c833002bf60d56d Mon Sep 17 00:00:00 2001 From: Volodymyr Kolesnykov Date: Mon, 30 Oct 2023 09:11:13 +0200 Subject: [PATCH 10/12] ci: refactor traefik.yml --- .github/workflows/traefik.yml | 28 ++++++++-------------------- 1 file changed, 8 insertions(+), 20 deletions(-) diff --git a/.github/workflows/traefik.yml b/.github/workflows/traefik.yml index 177fb450..1efd4f03 100644 --- a/.github/workflows/traefik.yml 
+++ b/.github/workflows/traefik.yml @@ -7,10 +7,12 @@ on: paths: - "traefik/**" - ".github/workflows/traefik.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "traefik/**" - ".github/workflows/traefik.yml" + - ".github/actions/build-docker-image/**" permissions: contents: read @@ -26,35 +28,21 @@ jobs: permissions: packages: write contents: read + pull-requests: write steps: - name: Check out the repo uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Get image version id: getversion - run: echo "version=$(head -n 1 traefik/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> $GITHUB_OUTPUT + run: echo "version=$(head -n 1 traefik/Dockerfile | sed -r -e 's/^([^:]+):([^ @$-]+).*/\2/')" >> "${GITHUB_OUTPUT}" - - name: Build container image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: context: traefik - platforms: linux/amd64,linux/arm64 push: ${{ github.base_ref == null }} cache-from: type=gha,scope=traefik cache-to: type=gha,mode=max,scope=traefik - tags: | - ghcr.io/automattic/vip-container-images/traefik_openssl:${{ steps.getversion.outputs.version }} - ghcr.io/automattic/vip-container-images/traefik_openssl:latest + primaryTag: ghcr.io/automattic/vip-container-images/traefik_openssl:${{ steps.getversion.outputs.version }} + tags: ghcr.io/automattic/vip-container-images/traefik_openssl:latest From 159b7f893b25c4c19aca9f64493ace0506a8b75a Mon Sep 17 00:00:00 2001 
From: Volodymyr Kolesnykov Date: Mon, 30 Oct 2023 09:14:17 +0200 Subject: [PATCH 11/12] ci: refactor wordpress.yml --- .github/workflows/wordpress.yml | 32 +++++++++++--------------------- 1 file changed, 11 insertions(+), 21 deletions(-) diff --git a/.github/workflows/wordpress.yml b/.github/workflows/wordpress.yml index c329ba61..78621f9a 100644 --- a/.github/workflows/wordpress.yml +++ b/.github/workflows/wordpress.yml @@ -7,10 +7,12 @@ on: paths: - "wordpress/**" - ".github/workflows/wordpress.yml" + - ".github/actions/build-docker-image/**" pull_request: paths: - "wordpress/**" - ".github/workflows/wordpress.yml" + - ".github/actions/build-docker-image/**" workflow_dispatch: permissions: @@ -44,6 +46,7 @@ jobs: permissions: contents: read packages: write + pull-requests: write strategy: fail-fast: false matrix: 
@@ -61,30 +64,17 @@ jobs: echo "tags=" >> $GITHUB_OUTPUT fi - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Log in to GitHub Docker Registry - uses: docker/login-action@v3 - if: ${{ github.base_ref == null }} - with: - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Build WordPress image - uses: docker/build-push-action@v5 + - name: Build and push image + uses: ./.github/actions/build-docker-image with: - platforms: linux/amd64,linux/arm64 context: wordpress push: ${{ github.base_ref == null }} - build-args: WP_GIT_REF=${{ matrix.wp.ref }} + args: WP_GIT_REF=${{ matrix.wp.ref }} cache-from: type=gha,scope=wordpress-${{ matrix.wp.ref }} cache-to: type=gha,mode=max,scope=wordpress-${{ matrix.wp.ref }} no-cache: ${{ matrix.wp.cacheable == false }} - tags: | - ghcr.io/automattic/vip-container-images/wordpress:${{ matrix.wp.tag }} - ${{ steps.extra-tags.outputs.tags }} + primaryTag: ghcr.io/automattic/vip-container-images/wordpress:${{ matrix.wp.tag }} + tags: ${{ steps.extra-tags.outputs.tags }} + registry: https://ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} From e7f72911a19bb1461157604a48201748ae479c2d Mon Sep 17 00:00:00 2001 From: Volodymyr Kolesnykov Date: Tue, 31 Oct 2023 03:12:13 +0200 Subject: [PATCH 12/12] ci: remove fields with default values --- .github/workflows/nginx.yml | 3 --- .github/workflows/photon.yml | 3 --- .github/workflows/php-fpm.yml | 3 --- .github/workflows/wordpress.yml | 3 --- 4 files changed, 12 deletions(-) diff --git a/.github/workflows/nginx.yml b/.github/workflows/nginx.yml index 8ff48cac..8f39053f 100644 --- a/.github/workflows/nginx.yml +++ b/.github/workflows/nginx.yml 
@@ -46,6 +46,3 @@ jobs: cache-to: type=gha,mode=max,scope=nginx primaryTag: ghcr.io/automattic/vip-container-images/nginx:${{ steps.getversion.outputs.version }} tags: ghcr.io/automattic/vip-container-images/nginx:latest - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/photon.yml b/.github/workflows/photon.yml index 63823277..38a968fd 100644 --- a/.github/workflows/photon.yml +++ b/.github/workflows/photon.yml @@ -41,6 +41,3 @@ jobs: cache-from: type=gha,scope=photon cache-to: type=gha,mode=max,scope=photon primaryTag: ghcr.io/automattic/vip-container-images/photon:latest - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/php-fpm.yml b/.github/workflows/php-fpm.yml index 9d50d96d..8beae6e4 100644 --- a/.github/workflows/php-fpm.yml +++ b/.github/workflows/php-fpm.yml @@ -57,6 +57,3 @@ jobs: cache-to: type=gha,mode=max,scope=php-fpm-${{ matrix.php.suffix }} primaryTag: ghcr.io/automattic/vip-container-images/php-fpm:${{ matrix.php.name }} tags: ghcr.io/automattic/vip-container-images/php-fpm-alt:${{ matrix.php.name }} - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/wordpress.yml b/.github/workflows/wordpress.yml index 78621f9a..3e58735c 100644 --- a/.github/workflows/wordpress.yml +++ b/.github/workflows/wordpress.yml @@ -75,6 +75,3 @@ jobs: no-cache: ${{ matrix.wp.cacheable == false }} primaryTag: ghcr.io/automattic/vip-container-images/wordpress:${{ matrix.wp.tag }} tags: ${{ steps.extra-tags.outputs.tags }} - registry: https://ghcr.io - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }}