roadiz · eliot488995568 · Aug 6, 2025 · Aug 6, 2025 · Aug 7, 2025 · Aug 11, 2025
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
@@ -21,10 +21,10 @@ test:
     image: roadiz/php-runner:8.4.13-bookworm
-    image: roadiz/php-runner:8.4.13-bookworm
+    image: roadiz/php-runner:8.5.1-bookworm
-    image: roadiz/php-runner:8.4.13-bookworm
+    image: roadiz/php-runner:8.5.1-bookworm
     stage: test
     interruptible: true
-    only:
-        - develop
-        - tags
-        - merge_requests
+    rules:
+        - if: '$CI_COMMIT_BRANCH == "develop"'
+        - if: '$CI_COMMIT_TAG'
+        - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
     cache:
         key: ${CI_COMMIT_REF_SLUG}
         paths:
@@ -59,8 +59,8 @@ build_develop:
     stage: build
     image: docker:git
     interruptible: true
-    only:
-        - develop
+    rules:
+        - if: '$CI_COMMIT_BRANCH == "develop"'
     services:
         - docker:dind
     variables:
@@ -79,8 +79,8 @@ build_develop:
 build_tag:
     stage: build
     image: docker:git
-    only:
-        - tags
+    rules:
+        - if: '$CI_COMMIT_TAG'
     services:
         - docker:dind
     variables:
@@ -107,8 +107,8 @@ build_tag:
 deploy_develop:
     stage: deploy
     image: alpine:3.21
-    only:
-        - develop
+    rules:
+        - if: '$CI_COMMIT_BRANCH == "develop"'
     needs:
         - build_develop
     interruptible: true
@@ -145,7 +145,7 @@ deploy_production:
 
 create_gitlab_release:
     stage: release
-    image: registry.gitlab.com/gitlab-org/release-cli:latest
+    image: registry.gitlab.com/gitlab-org/cli:latest
     rules:
         - if: $CI_COMMIT_TAG
     script:

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,18 @@
 
 All notable changes to project will be documented in this file.
 
+## [2.7.0](https://github.com/roadiz/skeleton/compare/v2.6.5...2.7.0) - 2026-01-23
+
+### Bug Fixes
+
+- update PHP version, adjust user/group handling in Dockerfiles, remove sudo on Docker images and remove cache-clear in production entrypoint - ([057e43f](https://github.com/roadiz/skeleton/commit/057e43f974ac36c3abab8bf1c4a6d9b36c0a8748)) - Ambroise Maupate
+- add cache warmup for production environment in entrypoint scripts - ([29601d4](https://github.com/roadiz/skeleton/commit/29601d447a75add0bd38444cb9207bce91da5db8)) - Ambroise Maupate
+
+### CI/CD
+
+- update CI rules for branch and tag handling - ([ea8b5a8](https://github.com/roadiz/skeleton/commit/ea8b5a85e3dc8912cee35691ee5766e87c037bde)) - Ambroise Maupate
+- update release-cli image in CI configuration - ([edc3962](https://github.com/roadiz/skeleton/commit/edc396209529309dce01f396561eea96e8f01f26)) - Ambroise Maupate
+
 ## [2.6.5](https://github.com/roadiz/skeleton/compare/v2.6.4...2.6.5) - 2025-10-23
 
 ### Bug Fixes

diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
-ARG PHP_VERSION=8.4.13
+ARG PHP_VERSION=8.5.1
 ARG MYSQL_VERSION=8.4.7
-ARG NGINX_VERSION=1.28.0
+ARG NGINX_VERSION=1.28.1
 ARG MARIADB_VERSION=11.8.3
 ARG VARNISH_VERSION=7.7.3
 
@@ -11,7 +11,7 @@ ARG GID=${UID}
 # PHP - FRANKENPHP #
 ####################
 
-FROM dunglas/frankenphp:php${PHP_VERSION}-bookworm AS php-franken
+FROM dunglas/frankenphp:php${PHP_VERSION}-trixie AS php-franken
 
 LABEL org.opencontainers.image.authors="ambroise@rezo-zero.com, eliot@rezo-zero.com"
 
@@ -33,15 +33,13 @@ apt-get --quiet --yes --purge --autoremove upgrade
 apt-get --quiet --yes --no-install-recommends --verbose-versions install \
     acl \
     less \
-    sudo \
     git \
     ffmpeg
 rm -rf /var/lib/apt/lists/*
 
 # User
-addgroup --gid ${UID} php
+addgroup --gid ${GID} php
 adduser --home /home/php --shell /bin/bash --uid ${UID} --gecos php --ingroup php --disabled-password php
-echo "php ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/php
 
 # App
 install --verbose --owner php --group php --mode 0755 --directory /app
@@ -105,6 +103,9 @@ VOLUME /app
 
 FROM php-franken AS php-prod-franken
 
+ARG UID
+ARG GID
+
 ENV XDEBUG_MODE=off
 ENV APP_ENV=prod
 ENV APP_RUNTIME_ENV=prod
@@ -124,15 +125,15 @@ CMD ["--config", "/etc/frankenphp/Caddyfile", "--adapter", "caddyfile"]
 USER php
 
 # Composer
-COPY --link --chown=php:php composer.* symfony.* ./
+COPY --link --chown=${UID}:${GID} composer.json composer.lock symfony.lock ./
 RUN <<EOF
 # If you depend on private Gitlab repositories, you must use a deploy token and username
 #composer config gitlab-token.gitlab.rezo-zero.com ${COMPOSER_DEPLOY_TOKEN_USER} ${COMPOSER_DEPLOY_TOKEN}
 composer install --no-cache --prefer-dist --no-dev --no-autoloader --no-scripts --no-progress
 EOF
 
-COPY --link --chown=php:php ./api .
-COPY --link --chown=php:php --from=encore-build /app/public/static ./public/static
+COPY --link --chown=${UID}:${GID} ./api .
+COPY --link --chown=${UID}:${GID} --from=encore-build /app/public/static ./public/static
 
 RUN <<EOF
 composer dump-autoload --classmap-authoritative --no-dev
@@ -152,11 +153,12 @@ VOLUME /app/config/jwt \
 # PHP #
 #######
 
-FROM php:${PHP_VERSION}-fpm-bookworm AS php
+FROM php:${PHP_VERSION}-fpm-trixie AS php
 
 LABEL org.opencontainers.image.authors="ambroise@rezo-zero.com"
 
 ARG UID
+ARG GID
 
 ARG COMPOSER_VERSION=2.8.9
 ARG PHP_EXTENSION_REDIS_VERSION=6.1.0
@@ -176,15 +178,13 @@ apt-get --quiet --yes --purge --autoremove upgrade
 # Packages - System
 apt-get --quiet --yes --no-install-recommends --verbose-versions install \
     less \
-    sudo \
     git \
     ffmpeg
 rm -rf /var/lib/apt/lists/*
 
 # User
-addgroup --gid ${UID} php
+addgroup --gid ${GID} php
 adduser --home /home/php --shell /bin/bash --uid ${UID} --gecos php --ingroup php --disabled-password php
-echo "php ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/php
 
 # App
 install --verbose --owner php --group php --mode 0755 --directory /app
@@ -263,6 +263,9 @@ USER php
 
 FROM php AS php-prod
 
+ARG UID
+ARG GID
+
 # If you depend on private Gitlab repositories, you must use a deploy token and username
 #ARG COMPOSER_DEPLOY_TOKEN
 #ARG COMPOSER_DEPLOY_TOKEN_USER="gitlab+deploy-token-1"
@@ -282,14 +285,14 @@ COPY --link --chmod=755 docker/php/docker-migrate-entrypoint /usr/local/bin/dock
 USER php
 
 # Composer
-COPY --link --chown=php:php composer.* symfony.* ./
+COPY --link --chown=${UID}:${GID} composer.json composer.lock symfony.lock ./
 RUN <<EOF
 # If you depend on private Gitlab repositories, you must use a deploy token and username
 #composer config gitlab-token.gitlab.rezo-zero.com ${COMPOSER_DEPLOY_TOKEN_USER} ${COMPOSER_DEPLOY_TOKEN}
 composer install --no-cache --prefer-dist --no-dev --no-autoloader --no-scripts --no-progress
 EOF
 
-COPY --link --chown=php:php . .
+COPY --link --chown=${UID}:${GID} . .
 
 RUN <<EOF
 composer dump-autoload --classmap-authoritative --no-dev
@@ -311,27 +314,25 @@ VOLUME /app/config/jwt \
 # Nginx #
 #########
 
-FROM nginx:${NGINX_VERSION}-bookworm AS nginx
+FROM nginx:${NGINX_VERSION}-trixie AS nginx
 
 LABEL org.opencontainers.image.authors="ambroise@rezo-zero.com"
 
 ARG UID
+ARG GID
 
 SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"]
 
 RUN <<EOF
 # Packages
 apt-get --quiet update
 apt-get --quiet --yes --purge --autoremove upgrade
-apt-get --quiet --yes --no-install-recommends --verbose-versions install \
-    less \
-    sudo
+apt-get --quiet --yes --no-install-recommends --verbose-versions install less
 rm -rf /var/lib/apt/lists/*
 
 # User
-groupmod --gid ${UID} nginx
+groupmod --gid ${GID} nginx
 usermod --uid ${UID} nginx
-echo "nginx ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/nginx
 
 # App
 install --verbose --owner nginx --group nginx --mode 0755 --directory /app
@@ -362,14 +363,16 @@ FROM nginx AS nginx-dev
 VOLUME /app
 
 
-
 ##############
 # Nginx PROD #
 ##############
 
+ARG UID
+ARG GID
+
 FROM nginx AS nginx-prod
 # Copy public files from API
-COPY --link --from=php-prod --chown=${USER_UID}:${USER_UID} /app/public /app/public
+COPY --link --from=php-prod --chown=${UID}:${GID} /app/public /app/public
 
 # Only enable healthcheck in production when the app is ready to serve requests on root path
 # This could prevent Traefik or an ingress controller to route traffic to the app

diff --git a/compose.prod.yml b/compose.prod.yml
@@ -36,6 +36,8 @@ services:
         # https://github.com/api-platform/core/issues/3168
         # https://www.varnish-software.com/developers/tutorials/troubleshooting-varnish/
         command: "-p http_resp_hdr_len=16384 -p http_resp_size=65536"
+        ulimits:
+            memlock: -1
         tmpfs: /var/lib/varnish/varnishd:exec
         depends_on:
             - nginx

diff --git a/compose.yml b/compose.yml
@@ -101,6 +101,8 @@ services:
         # https://github.com/api-platform/core/issues/3168
         # https://www.varnish-software.com/developers/tutorials/troubleshooting-varnish/
         command: "-p http_resp_hdr_len=16384 -p http_resp_size=65536"
+        ulimits:
+            memlock: -1
         tmpfs: /var/lib/varnish/varnishd:exec
         depends_on:
             - nginx

diff --git a/composer.json b/composer.json
@@ -11,7 +11,7 @@
         "nelmio/cors-bundle": "^2.5",
         "roadiz/cms-pack": "^3.0",
         "sentry/sentry-symfony": "^5.3",
-        "symfony/redis-messenger": "7.3.*",
+        "symfony/redis-messenger": "7.4.*",
         "symfony/flex": "*",
         "symfony/requirements-checker": "^2.0"
     },
@@ -23,14 +23,14 @@
         "phpstan/phpstan-symfony": "*",
         "phpunit/phpunit": "^9.5",
         "rector/rector": "^2.1",
-        "symfony/browser-kit": "7.3.*",
-        "symfony/css-selector": "7.3.*",
-        "symfony/debug-bundle": "7.3.*",
+        "symfony/browser-kit": "7.4.*",
+        "symfony/css-selector": "7.4.*",
+        "symfony/debug-bundle": "7.4.*",
         "symfony/filesystem": ">=7.1",
         "symfony/maker-bundle": "^1.64",
-        "symfony/phpunit-bridge": "7.3.*",
-        "symfony/stopwatch": "7.3.*",
-        "symfony/web-profiler-bundle": "7.3.*"
+        "symfony/phpunit-bridge": "7.4.*",
+        "symfony/stopwatch": "7.4.*",
+        "symfony/web-profiler-bundle": "7.4.*"
     },
     "config": {
         "optimize-autoloader": true,
@@ -96,7 +96,7 @@
     "extra": {
         "symfony": {
             "allow-contrib": false,
-            "require": "7.3.*",
+            "require": "7.4.*",
             "docker": false
         }
     }

diff --git a/composer.json.dist b/composer.json.dist
@@ -11,7 +11,7 @@
         "nelmio/cors-bundle": "^2.5",
         "roadiz/cms-pack": "^3.0",
         "sentry/sentry-symfony": "^5.3",
-        "symfony/redis-messenger": "7.3.*",
+        "symfony/redis-messenger": "7.4.*",
         "symfony/flex": "*",
         "symfony/requirements-checker": "^2.0"
     },
@@ -23,14 +23,14 @@
         "phpstan/phpstan-symfony": "*",
         "phpunit/phpunit": "^9.5",
         "rector/rector": "^2.1",
-        "symfony/browser-kit": "7.3.*",
-        "symfony/css-selector": "7.3.*",
-        "symfony/debug-bundle": "7.3.*",
+        "symfony/browser-kit": "7.4.*",
+        "symfony/css-selector": "7.4.*",
+        "symfony/debug-bundle": "7.4.*",
         "symfony/filesystem": ">=7.1",
         "symfony/maker-bundle": "^1.64",
-        "symfony/phpunit-bridge": "7.3.*",
-        "symfony/stopwatch": "7.3.*",
-        "symfony/web-profiler-bundle": "7.3.*"
+        "symfony/phpunit-bridge": "7.4.*",
+        "symfony/stopwatch": "7.4.*",
+        "symfony/web-profiler-bundle": "7.4.*"
     },
     "config": {
         "optimize-autoloader": true,
@@ -96,7 +96,7 @@
     "extra": {
         "symfony": {
             "allow-contrib": false,
-            "require": "7.3.*",
+            "require": "7.4.*",
             "docker": false
         }
     }

diff --git a/composer_dev.json.dist b/composer_dev.json.dist
@@ -13,7 +13,7 @@
         "nelmio/cors-bundle": "^2.5",
         "roadiz/cms-pack": "dev-develop",
         "sentry/sentry-symfony": "^5.3",
-        "symfony/redis-messenger": "7.3.*",
+        "symfony/redis-messenger": "7.4.*",
         "symfony/flex": "*",
         "symfony/requirements-checker": "^2.0"
     },
@@ -25,14 +25,14 @@
         "phpstan/phpstan-symfony": "*",
         "phpunit/phpunit": "^9.5",
         "rector/rector": "^2.1",
-        "symfony/browser-kit": "7.3.*",
-        "symfony/css-selector": "7.3.*",
-        "symfony/debug-bundle": "7.3.*",
+        "symfony/browser-kit": "7.4.*",
+        "symfony/css-selector": "7.4.*",
+        "symfony/debug-bundle": "7.4.*",
         "symfony/filesystem": ">=7.1",
         "symfony/maker-bundle": "^1.64",
-        "symfony/phpunit-bridge": "7.3.*",
-        "symfony/stopwatch": "7.3.*",
-        "symfony/web-profiler-bundle": "7.3.*"
+        "symfony/phpunit-bridge": "7.4.*",
+        "symfony/stopwatch": "7.4.*",
+        "symfony/web-profiler-bundle": "7.4.*"
     },
     "config": {
         "optimize-autoloader": true,
@@ -98,7 +98,7 @@
     "extra": {
         "symfony": {
             "allow-contrib": false,
-            "require": "7.3.*",
+            "require": "7.4.*",
             "docker": false
         }
     }

diff --git a/config/packages/security.yaml b/config/packages/security.yaml
@@ -122,6 +122,7 @@ security:
             - ROLE_ACCESS_CUSTOMFORMS
             - ROLE_ACCESS_CUSTOMFORMS_DELETE
             - ROLE_ACCESS_CUSTOMFORMS_RETENTION
+            - ROLE_ACCESS_CUSTOMFORMS_WEBHOOKS
             - ROLE_ACCESS_DOCTRINE_CACHE_DELETE
             - ROLE_ACCESS_DOCUMENTS
             - ROLE_ACCESS_DOCUMENTS_CREATION_DATE
@@ -149,3 +150,4 @@ security:
             - ROLE_ACCESS_WEBHOOKS
             - ROLE_ALLOWED_TO_SWITCH
             - ROLE_BACKEND_USER
+            - ROLE_PUBLIC_USER