
🐳 Add matrix for multiple versions #6

Merged: LegeBeker merged 5 commits into main from php-8.5 on Jan 28, 2026

Conversation

@LegeBeker (Member) commented Jan 28, 2026

🔍 Summary

This PR improves the security of the image

✅ Checklist

  • Code tested locally
  • Tests added/adjusted
  • Documentation updated (if needed)

@coderabbitai Bot commented Jan 28, 2026

Walkthrough

The changes introduce Dependabot automation for dependency updates, restructure CI/CD workflows to support multi-version PHP builds, and migrate the Docker base image from Debian-based FrankenPHP to Alpine-based with parameterized PHP versions. The build pipeline is refactored to include separate validation and scanning jobs with per-version caching and tagging strategies.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Dependabot Setup: .github/dependabot.yml, .github/workflows/dependabot.yml | Added Dependabot configuration for weekly Docker and GitHub Actions updates with auto-approval and auto-merge (squash) via a new workflow. |
| CI/CD Workflow Updates: .github/workflows/build-check.yml, .github/workflows/code-lint.yml, .github/workflows/docker-publish.yml | Removed the build-check workflow; updated code-lint to use brixion-runners; restructured docker-publish with a PHP version matrix (8.3, 8.5.1), separate build/scan/push jobs, per-version caching, and scheduled cron triggers. |
| Docker Base Image & Linting: Dockerfile, .hadolint.yaml | Migrated from a Debian to an Alpine Linux base image with a dynamic PHP version argument; replaced apt with apk and updated package names (libpq-dev → postgresql-dev, etc.). Changed the hadolint suppression from DL3008 to DL3018. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ❓ Inconclusive | The description mentions improving security of the image, which relates to the changeset (Alpine migration, Dependabot, security scanning). However, it is incomplete with placeholder bullets and lacks meaningful detail about the actual changes. | Expand the description to clearly explain the key changes: PHP version matrix support, Alpine migration, Dependabot automation, and security improvements. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title references 'Add matrix for multiple versions' which aligns with the core change—introducing PHP version matrices in CI workflows and parameterizing the Dockerfile for multiple PHP versions. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

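As an added example (not the project's own workflow, which the walkthrough above only summarises), here is one way to lay out the docker-publish pipeline it describes: a quoted PHP version matrix, a build-and-scan job that loads the image locally and fails on High or Critical grype findings before anything is pushed, per-version GitHub Actions build-cache scopes, and a push job that runs only outside pull requests. The registry (ghcr.io), the action versions, the job and step names and the anchore/scan-action inputs are assumptions; the 8.5 entry uses the rolling php8.5 tag rather than a specific patch release.

```yaml
# Added example, not the project's own docker-publish.yml. Registry, action
# versions, job/step names and scan-action inputs are assumptions.
name: docker-publish

on:
  push:
    branches: [main]        # without a filter every branch would build and scan
  pull_request:             # scan on PRs, but never push from them
  schedule:
    - cron: '0 9 * * 1'     # weekly rebuild picks up base-image and apk fixes

permissions:
  contents: read
  packages: write

env:
  IMAGE: ghcr.io/${{ github.repository }}

jobs:
  build-scan:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # Quoted on purpose: an unquoted 8.3 is a YAML float, and a future
        # 8.10 would become 8.1 before it is interpolated into the image tag.
        php_version: ["8.3", "8.5"]
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3

      - name: Build image for this PHP version (load locally, do not push)
        uses: docker/build-push-action@v6
        with:
          context: .
          load: true
          build-args: PHP_VERSION=${{ matrix.php_version }}
          tags: ${{ env.IMAGE }}:php-${{ matrix.php_version }}
          # One cache scope per PHP version so 8.3 layers never poison 8.5
          cache-from: type=gha,scope=php-${{ matrix.php_version }}
          cache-to: type=gha,mode=max,scope=php-${{ matrix.php_version }}

      - name: Scan with grype, fail on High or Critical findings
        id: scan
        uses: anchore/scan-action@v6
        with:
          image: ${{ env.IMAGE }}:php-${{ matrix.php_version }}
          fail-build: true
          severity-cutoff: high
          output-format: sarif

      - name: Keep the scan report for passing runs as well (audit trail)
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: grype-scan-${{ matrix.php_version }}
          path: ${{ steps.scan.outputs.sarif }}

  push:
    needs: build-scan                       # every version must pass the scan
    if: github.event_name != 'pull_request' # PRs are scanned, never published
    runs-on: ubuntu-latest
    strategy:
      matrix:
        php_version: ["8.3", "8.5"]
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Rebuild from the per-version cache and push
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          build-args: PHP_VERSION=${{ matrix.php_version }}
          tags: ${{ env.IMAGE }}:php-${{ matrix.php_version }}
          cache-from: type=gha,scope=php-${{ matrix.php_version }}
```

Splitting scan and push into separate jobs means the registry credentials are only present in the job that has already passed the scan gate, and the second build is a cache hit from the scoped `type=gha` cache rather than a fresh compile.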

@LegeBeker LegeBeker changed the title 🐳 Update php to 8.5 🐳 Add matrix for multiple versions Jan 28, 2026
- Changed ignored rule from DL3008 to DL3018 in .hadolint.yaml for better version pinning in apk add.
- Added severity-cutoff: high to the Docker publish workflow for improved security scanning.
@LegeBeker LegeBeker self-assigned this Jan 28, 2026
@LegeBeker LegeBeker marked this pull request as ready for review January 28, 2026 11:51
@LegeBeker LegeBeker merged commit b1cc671 into main Jan 28, 2026
7 of 8 checks passed
@LegeBeker LegeBeker deleted the php-8.5 branch January 28, 2026 11:56
@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

🤖 Fix all issues with AI agents
In @.github/workflows/dependabot.yml:
- Around line 1-6: The YAML top-level keys are incorrectly indented; remove the
leading spaces so the top-level keys like name, on, and its children
workflow_call and pull_request start at column zero; update the manifest so
"name:" is not indented and "on:", "workflow_call" and "pull_request" are
properly aligned as top-level YAML keys.
- Around line 22-31: The workflow currently approves and auto-merges every
Dependabot PR in the steps named "Approve a PR" and "Enable auto-merge for
Dependabot PRs" (which run `gh pr review --approve` and `gh pr merge --auto
--squash`), so add a guard that inspects Dependabot metadata and only runs those
steps for semver-minor or semver-patch updates; implement this by adding an
`if:` condition to both steps that checks the Dependabot update type (e.g., from
`github.event.pull_request.body` or Dependabot metadata output) and only allows
execution when the detected update type is "version-update:semver-minor" or
"version-update:semver-patch".

In `@Dockerfile`:
- Around line 20-30: Duplicate "intl" was added to the PHP extension install
list; edit the RUN command that invokes install-php-extensions (the multi-line
block containing `@composer`, apcu, gd, intl, opcache, zip, bcmath, intl) and
remove the second "intl" entry so each extension appears only once.
- Around line 1-2: The Dockerfile uses ARG PHP_VERSION and the FROM line with
dunglas/frankenphp:php${PHP_VERSION}-alpine; update the ARG default to a
published tag (e.g., set ARG PHP_VERSION=8.5.2) or switch to the rolling php8.5
tag so the FROM resolves to an existing image (ensure you only change the ARG
value or the variable usage in the FROM line referencing PHP_VERSION).
🧹 Nitpick comments (5)
.github/workflows/code-lint.yml (1)

14-14: Custom runner label should be documented in actionlint config.

The brixion-runners label is flagged by actionlint as unknown. Since this is a self-hosted runner, consider adding an actionlint.yaml config file to suppress these warnings across all workflow files:

self-hosted-runner:
  labels:
    - brixion-runners
    - arm64-runner
.github/dependabot.yml (1)

29-40: Inconsistent configuration between ecosystems.

The GitHub Actions configuration is missing rebase-strategy and groups that are present in the Docker configuration. Also, there's a double space in the prefix on line 38 ("⬆️ [ GitHub Actions ]") compared to the single space in Docker's prefix.

Consider aligning both configurations for consistency:

♻️ Suggested fix
   - package-ecosystem: "github-actions"
     directory: "/"
     schedule:
       interval: "weekly"
       day: "monday"
       time: "06:00"
       timezone: "Europe/Amsterdam"
     open-pull-requests-limit: 10
     commit-message:
-      prefix: "⬆️  [ GitHub Actions ] "
+      prefix: "⬆️ [ GitHub Actions ] "
     labels:
       - "dependencies"
+    rebase-strategy: "auto"
+    groups:
+      actions-minor-patch:
+        patterns:
+          - "*"
+        update-types:
+          - "minor"
+          - "patch"
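Review bot: `rebase-strategy: "auto"` is already Dependabot's default, so that added line only makes the existing behaviour explicit; the part of this hunk that changes behaviour is `groups`, which folds several minor and patch action bumps into one PR, so the approve/auto-merge guard in `.github/workflows/dependabot.yml` must be evaluated against the whole grouped PR rather than assuming one dependency per PR.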
.github/workflows/docker-publish.yml (3)

3-6: Push trigger without branch filter runs on all branches.

The push trigger has no branch filter, so build-check and scan-check will run on every push to any branch. Consider adding a branch filter or removing the push trigger if only scheduled builds are intended.

♻️ Suggested fix if you want builds on main only
 on:
-  push:
+  push:
+    branches: [main]
   schedule:
     - cron: '0 9 * * 1'
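Review bot: with `branches: [main]` the scan-check no longer runs on feature branches, so a base image with High or Critical findings would only be caught after merge; if the intent is to gate merges rather than just publishing, add a `pull_request:` trigger next to the filtered `push:` and keep the push job conditional on the event not being a pull request.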

18-19: Inconsistent PHP version format in matrix.

The matrix uses 8.3 (minor version) alongside 8.5.1 (patch version). This inconsistency may cause confusion and could lead to unexpected behavior if the base image tags follow different conventions.

Consider using consistent version formats:

-        php_version: [8.3, 8.5.1]
+        php_version: ["8.3", "8.5.1"]
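Review bot: the quoting is more than cosmetic: an unquoted `8.3` is parsed as a YAML float, and a two-digit minor such as `8.10` would become `8.1` before it is interpolated into the base-image tag; apply the quoted form to the other two matrix definitions at 58-59 and 106-107 as well, otherwise the build, scan and push jobs can resolve different images.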

Or use full patch versions for both: ["8.3.0", "8.5.1"]

Also applies to: 58-59, 106-107


92-97: Artifact name includes file extension.

The artifact name on line 96 includes .txt which is redundant since the path already specifies the filename. This could cause confusion as the artifact will be named grype-scan-8.3.txt.txt conceptually.

🛠️ Suggested fix
       - name: Upload scan results
         if: failure()
         uses: actions/upload-artifact@v4
         with:
-          name: grype-scan-${{ matrix.php_version }}.txt
+          name: grype-scan-${{ matrix.php_version }}
           path: grype-scan-${{ matrix.php_version }}.txt
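Review bot: besides the name, `if: failure()` on this upload step keeps a report only when the scan fails; `if: always()` preserves the grype output for passing runs too, which is what is needed later to show what a published image was actually scanned against.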

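The guard the review asks for in `.github/workflows/dependabot.yml`, written out as an added example rather than the project's own workflow: top-level keys at column zero, approval and auto-merge limited to semver-minor and semver-patch Dependabot PRs, and majors left for a human. It assumes the dependabot/fetch-metadata action for the update-type lookup and the GitHub-documented pattern of `gh` driven by GITHUB_TOKEN; the job and step names are assumptions.

```yaml
# Added example, not the project's own dependabot.yml workflow. The
# dependabot/fetch-metadata action, job/step names and the squash strategy
# are assumptions.
name: Dependabot auto-merge

# Top-level keys sit at column zero; indenting "on:" would make it a child
# of "name:" and the workflow would never trigger.
on:
  pull_request:

# GITHUB_TOKEN needs these for `gh pr review` and `gh pr merge`.
permissions:
  contents: write
  pull-requests: write

jobs:
  dependabot:
    runs-on: ubuntu-latest
    # Gate on the PR author, not the branch name: anyone with push access can
    # name a branch dependabot/*, only Dependabot opens PRs as dependabot[bot].
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    steps:
      - name: Read Dependabot metadata
        id: metadata
        uses: dependabot/fetch-metadata@v2
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}

      # Both steps share one guard: only minor and patch bumps are approved
      # and merged without a human in the loop.
      - name: Approve a PR
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
          steps.metadata.outputs.update-type == 'version-update:semver-patch'
        run: gh pr review --approve "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      - name: Enable auto-merge for Dependabot PRs
        if: >-
          steps.metadata.outputs.update-type == 'version-update:semver-minor' ||
          steps.metadata.outputs.update-type == 'version-update:semver-patch'
        run: gh pr merge --auto --squash "$PR_URL"
        env:
          PR_URL: ${{ github.event.pull_request.html_url }}
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Majors are neither approved nor merged; say so in the job log. The
      # dependency names go through an env var, not into the script text.
      - name: Leave major updates for manual review
        if: steps.metadata.outputs.update-type == 'version-update:semver-major'
        run: echo "::notice::$DEPS is a major update; review it manually."
        env:
          DEPS: ${{ steps.metadata.outputs.dependency-names }}
```

The folded `if: >-` scalars collapse to one expression line each, so both steps evaluate the same condition; the `pull_request` trigger is kept rather than `pull_request_target` so the job runs with the PR's own, non-elevated context and only the explicit `permissions` block widens the token.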