From 723323d7462954a262368d621811a045710cd1ed Mon Sep 17 00:00:00 2001
From: Andrew Dolgov <noreply@fakecake.org>
Date: Sat, 25 Mar 2023 22:41:47 +0300
Subject: [PATCH] add gitea-CI docker builder

---
 .docker/app/Dockerfile        |  79 ++++++++++++++++++
 .docker/app/backup.sh         |  31 +++++++
 .docker/app/config.docker.php |   8 ++
 .docker/app/dcron.sh          |   5 ++
 .docker/app/index.php         |   3 +
 .docker/app/startup.sh        | 153 ++++++++++++++++++++++++++++++++++
 .docker/app/updater.sh        |  33 ++++++++
 .docker/web-nginx/Dockerfile  |  15 ++++
 .docker/web-nginx/nginx.conf  |  61 ++++++++++++++
 .gitea/workflows/build.yml    | 124 +++++++++++++++++++++++++++
 10 files changed, 512 insertions(+)
 create mode 100644 .docker/app/Dockerfile
 create mode 100644 .docker/app/backup.sh
 create mode 100644 .docker/app/config.docker.php
 create mode 100644 .docker/app/dcron.sh
 create mode 100644 .docker/app/index.php
 create mode 100644 .docker/app/startup.sh
 create mode 100644 .docker/app/updater.sh
 create mode 100644 .docker/web-nginx/Dockerfile
 create mode 100644 .docker/web-nginx/nginx.conf
 create mode 100644 .gitea/workflows/build.yml

diff --git a/.docker/app/Dockerfile b/.docker/app/Dockerfile
new file mode 100644
index 000000000..1ccc5f764
--- /dev/null
+++ b/.docker/app/Dockerfile
@@ -0,0 +1,79 @@
+FROM registry.fakecake.org/alpine:3.17
+EXPOSE 9000/tcp
+
+ENV SCRIPT_ROOT=/opt/tt-rss
+ENV SRC_DIR=/src/tt-rss/
+
+COPY --from=app-src . ${SRC_DIR}
+
+RUN apk add --no-cache dcron php81 php81-fpm php81-phar \
+	php81-pdo php81-gd php81-pgsql php81-pdo_pgsql php81-xmlwriter \
+	php81-mbstring php81-intl php81-xml php81-curl php81-simplexml \
+	php81-session php81-tokenizer php81-dom php81-fileinfo php81-ctype \
+	php81-json php81-iconv php81-pcntl php81-posix php81-zip php81-exif \
+	php81-openssl git postgresql-client sudo php81-pecl-xdebug rsync tzdata && \
+	sed -i 's/\(memory_limit =\) 128M/\1 256M/' /etc/php81/php.ini && \
+	sed -i -e 's/^listen = 127.0.0.1:9000/listen = 9000/' \
+		-e 's/;\(clear_env\) = .*/\1 = no/i' \
+		-e 's/^\(user\|group\) = .*/\1 = app/i' \
+		-e 's/;\(php_admin_value\[error_log\]\) = .*/\1 = \/tmp\/error.log/' \
+		-e 's/;\(php_admin_flag\[log_errors\]\) = .*/\1 = on/' \
+			/etc/php81/php-fpm.d/www.conf && \
+	mkdir -p /var/www ${SCRIPT_ROOT}/config.d
+
+ADD --chmod=0755 startup.sh ${SCRIPT_ROOT}
+ADD --chmod=0755 updater.sh ${SCRIPT_ROOT}
+ADD --chmod=0755 dcron.sh ${SCRIPT_ROOT}
+ADD --chmod=0755 backup.sh /etc/periodic/weekly/backup
+
+ADD index.php ${SCRIPT_ROOT}
+ADD config.docker.php ${SCRIPT_ROOT}
+
+ARG ORIGIN_REPO_MAIN=https://git.tt-rss.org/fox/tt-rss.git
+ARG ORIGIN_REPO_XACCEL=https://git.tt-rss.org/fox/ttrss-nginx-xaccel.git
+ARG ORIGIN_COMMIT=
+
+ENV ORIGIN_REPO_MAIN=${ORIGIN_REPO_MAIN}
+ENV ORIGIN_REPO_XACCEL=${ORIGIN_REPO_XACCEL}
+ENV ORIGIN_COMMIT=${ORIGIN_COMMIT}
+
+ENV OWNER_UID=1000
+ENV OWNER_GID=1000
+
+ENV PHP_WORKER_MAX_CHILDREN=5
+ENV PHP_WORKER_MEMORY_LIMIT=256M
+
+# these are applied on every startup, if set
+ENV ADMIN_USER_PASS=""
+# see classes/UserHelper.php ACCESS_LEVEL_*
+# setting this to -2 would effectively disable built-in admin user
+# unless single user mode is enabled
+ENV ADMIN_USER_ACCESS_LEVEL=""
+
+# these are applied unless user already exists
+ENV AUTO_CREATE_USER=""
+ENV AUTO_CREATE_USER_PASS=""
+ENV AUTO_CREATE_USER_ACCESS_LEVEL="0"
+
+# TODO: remove prefix from container variables not used by tt-rss itself:
+#
+# - TTRSS_NO_STARTUP_PLUGIN_UPDATES -> NO_STARTUP_PLUGIN_UPDATES
+# - TTRSS_XDEBUG_... -> XDEBUG_...
+
+# don't try to update local plugins on startup
+ENV TTRSS_NO_STARTUP_PLUGIN_UPDATES=""
+
+# TTRSS_XDEBUG_HOST defaults to host IP if unset
+ENV TTRSS_XDEBUG_ENABLED=""
+ENV TTRSS_XDEBUG_HOST=""
+ENV TTRSS_XDEBUG_PORT="9000"
+
+ENV TTRSS_DB_TYPE="pgsql"
+ENV TTRSS_DB_HOST="db"
+ENV TTRSS_DB_PORT="5432"
+
+ENV TTRSS_MYSQL_CHARSET="UTF8"
+ENV TTRSS_PHP_EXECUTABLE="/usr/bin/php81"
+ENV TTRSS_PLUGINS="auth_internal, note, nginx_xaccel"
+
+CMD ${SCRIPT_ROOT}/startup.sh
diff --git a/.docker/app/backup.sh b/.docker/app/backup.sh
new file mode 100644
index 000000000..a28c39544
--- /dev/null
+++ b/.docker/app/backup.sh
@@ -0,0 +1,31 @@
+#!/bin/sh -e
+
+DST_DIR=/backups
+KEEP_DAYS=28
+APP_ROOT=/var/www/html/tt-rss
+
+if pg_isready -h $TTRSS_DB_HOST -U $TTRSS_DB_USER; then
+	DST_FILE=ttrss-backup-$(date +%Y%m%d).sql.gz
+
+	echo backing up tt-rss database to $DST_DIR/$DST_FILE...
+
+	export PGPASSWORD=$TTRSS_DB_PASS 
+
+	pg_dump --clean -h $TTRSS_DB_HOST -U $TTRSS_DB_USER $TTRSS_DB_NAME | gzip > $DST_DIR/$DST_FILE
+
+	DST_FILE=ttrss-backup-$(date +%Y%m%d).tar.gz
+
+	echo backing up tt-rss local directories to $DST_DIR/$DST_FILE...
+
+	tar -cz -f $DST_DIR/$DST_FILE $APP_ROOT/*.local \
+		$APP_ROOT/feed-icons/ \
+		$APP_ROOT/config.php
+
+	echo cleaning up...
+
+	find $DST_DIR -type f -name '*.gz' -mtime +$KEEP_DAYS -delete
+
+	echo done.
+else
+	echo backup failed: database is not ready.
+fi
diff --git a/.docker/app/config.docker.php b/.docker/app/config.docker.php
new file mode 100644
index 000000000..fbf42e43b
--- /dev/null
+++ b/.docker/app/config.docker.php
@@ -0,0 +1,8 @@
+<?php
+
+	$snippets = glob(getenv("SCRIPT_ROOT")."/config.d/*.php");
+
+	foreach ($snippets as $snippet) {
+		require_once $snippet;
+	}
+
diff --git a/.docker/app/dcron.sh b/.docker/app/dcron.sh
new file mode 100644
index 000000000..b16f15a9c
--- /dev/null
+++ b/.docker/app/dcron.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+# https://github.com/dubiousjim/dcron/issues/13
+set -e
+
+/usr/sbin/crond "$@"
diff --git a/.docker/app/index.php b/.docker/app/index.php
new file mode 100644
index 000000000..78e5c3f88
--- /dev/null
+++ b/.docker/app/index.php
@@ -0,0 +1,3 @@
+<?php 
+   header("Location: /tt-rss/");
+   return;
diff --git a/.docker/app/startup.sh b/.docker/app/startup.sh
new file mode 100644
index 000000000..134428276
--- /dev/null
+++ b/.docker/app/startup.sh
@@ -0,0 +1,153 @@
+#!/bin/sh -e
+
+while ! pg_isready -h $TTRSS_DB_HOST -U $TTRSS_DB_USER; do
+	echo waiting until $TTRSS_DB_HOST is ready...
+	sleep 3
+done
+
+# We don't need those here (HTTP_HOST would cause false SELF_URL_PATH check failures)
+unset HTTP_PORT
+unset HTTP_HOST
+
+if ! id app >/dev/null 2>&1; then
+	addgroup -g $OWNER_GID app
+	adduser -D -h /var/www/html -G app -u $OWNER_UID app
+fi
+
+update-ca-certificates || true
+
+DST_DIR=/var/www/html/tt-rss
+
+[ -e $DST_DIR ] && rm -f $DST_DIR/.app_is_ready
+
+export PGPASSWORD=$TTRSS_DB_PASS
+
+[ ! -e /var/www/html/index.php ] && cp ${SCRIPT_ROOT}/index.php /var/www/html
+
+if [ ! -d $DST_DIR ]; then
+	mkdir -p $DST_DIR
+	chown $OWNER_UID:$OWNER_GID $DST_DIR
+
+	sudo -u app rsync -a \
+		$SRC_DIR/ $DST_DIR/
+else
+	chown -R $OWNER_UID:$OWNER_GID $DST_DIR
+
+	sudo -u app rsync -a --delete \
+		--exclude /cache \
+		--exclude /lock \
+		--exclude /feed-icons \
+		--exclude /plugins/af_comics/filters.local \
+		--exclude /plugins.local \
+		--exclude /templates.local \
+		--exclude /themes.local \
+		$SRC_DIR/ $DST_DIR/
+
+	sudo -u app rsync -a --delete \
+		$SRC_DIR/plugins.local/nginx_xaccel \
+		$DST_DIR/plugins.local/nginx_xaccel
+fi
+
+for d in cache lock feed-icons plugins.local themes.local; do
+	sudo -u app mkdir -p $DST_DIR/$d
+done
+
+for d in cache lock feed-icons; do
+	chmod 777 $DST_DIR/$d
+	find $DST_DIR/$d -type f -exec chmod 666 {} \;
+done
+
+sudo -u app cp ${SCRIPT_ROOT}/config.docker.php $DST_DIR/config.php
+chmod 644 $DST_DIR/config.php
+
+chown -R $OWNER_UID:$OWNER_GID $DST_DIR \
+	/var/log/php81
+
+if [ -z "$TTRSS_NO_STARTUP_PLUGIN_UPDATES" ]; then
+	echo updating all local plugins...
+
+	find $DST_DIR/plugins.local -mindepth 1 -maxdepth 1 -type d | while read PLUGIN; do
+		if [ -d $PLUGIN/.git ]; then
+			echo updating $PLUGIN...
+
+			cd $PLUGIN && \
+				sudo -u app git config core.filemode false && \
+				sudo -u app git config pull.rebase false && \
+				sudo -u app git pull origin master || echo warning: attempt to update plugin $PLUGIN failed.
+		fi
+	done
+else
+	echo skipping local plugin updates, disabled.
+fi
+
+PSQL="psql -q -h $TTRSS_DB_HOST -U $TTRSS_DB_USER $TTRSS_DB_NAME"
+
+$PSQL -c "create extension if not exists pg_trgm"
+
+RESTORE_SCHEMA=${SCRIPT_ROOT}/restore-schema.sql.gz
+
+if [ -r $RESTORE_SCHEMA ]; then
+	$PSQL -c "drop schema public cascade; create schema public;"
+	zcat $RESTORE_SCHEMA | $PSQL
+fi
+
+# this was previously generated
+rm -f $DST_DIR/config.php.bak
+
+if [ ! -z "${TTRSS_XDEBUG_ENABLED}" ]; then
+	if [ -z "${TTRSS_XDEBUG_HOST}" ]; then
+		export TTRSS_XDEBUG_HOST=$(ip ro sh 0/0 | cut -d " " -f 3)
+	fi
+	echo enabling xdebug with the following parameters:
+	env | grep TTRSS_XDEBUG
+	cat > /etc/php81/conf.d/50_xdebug.ini <<EOF
+zend_extension=xdebug.so
+xdebug.mode=develop,trace,debug
+xdebug.start_with_request = yes
+xdebug.client_port = ${TTRSS_XDEBUG_PORT}
+xdebug.client_host = ${TTRSS_XDEBUG_HOST}
+EOF
+fi
+
+sed -i.bak "s/^\(memory_limit\) = \(.*\)/\1 = ${PHP_WORKER_MEMORY_LIMIT}/" \
+	/etc/php81/php.ini
+
+sed -i.bak "s/^\(pm.max_children\) = \(.*\)/\1 = ${PHP_WORKER_MAX_CHILDREN}/" \
+	/etc/php81/php-fpm.d/www.conf
+
+sudo -Eu app php81 $DST_DIR/update.php --update-schema=force-yes
+
+if [ ! -z "$ADMIN_USER_PASS" ]; then
+	sudo -Eu app php81 $DST_DIR/update.php --user-set-password "admin:$ADMIN_USER_PASS"
+else
+	if sudo -Eu app php81 $DST_DIR/update.php --user-check-password "admin:password"; then
+		RANDOM_PASS=$(tr -dc A-Za-z0-9 </dev/urandom | head -c 16 ; echo '')
+
+		echo "*****************************************************************************"
+		echo "* Setting initial built-in admin user password to '$RANDOM_PASS'        *"
+		echo "* If you want to set it manually, use ADMIN_USER_PASS environment variable. *"
+		echo "*****************************************************************************"
+
+		sudo -Eu app php81 $DST_DIR/update.php --user-set-password "admin:$RANDOM_PASS"
+	fi
+fi
+
+if [ ! -z "$ADMIN_USER_ACCESS_LEVEL" ]; then
+	sudo -Eu app php81 $DST_DIR/update.php --user-set-access-level "admin:$ADMIN_USER_ACCESS_LEVEL"
+fi
+
+if [ ! -z "$AUTO_CREATE_USER" ]; then
+	sudo -Eu app /bin/sh -c "php81 $DST_DIR/update.php --user-exists $AUTO_CREATE_USER ||
+		php81 $DST_DIR/update.php --force-yes --user-add \"$AUTO_CREATE_USER:$AUTO_CREATE_USER_PASS:$AUTO_CREATE_USER_ACCESS_LEVEL\""
+fi
+
+rm -f /tmp/error.log && mkfifo /tmp/error.log && chown app:app /tmp/error.log
+
+(tail -q -f /tmp/error.log >> /proc/1/fd/2) &
+
+unset ADMIN_USER_PASS
+unset AUTO_CREATE_USER_PASS
+
+touch $DST_DIR/.app_is_ready
+
+exec /usr/sbin/php-fpm81 --nodaemonize --force-stderr
diff --git a/.docker/app/updater.sh b/.docker/app/updater.sh
new file mode 100644
index 000000000..219041a59
--- /dev/null
+++ b/.docker/app/updater.sh
@@ -0,0 +1,33 @@
+#!/bin/sh -e
+
+# We don't need those here (HTTP_HOST would cause false SELF_URL_PATH check failures)
+unset HTTP_PORT
+unset HTTP_HOST
+
+unset ADMIN_USER_PASS
+unset AUTO_CREATE_USER_PASS
+
+# wait for the app container to delete .app_is_ready and perform rsync, etc.
+sleep 30
+
+if ! id app; then
+	addgroup -g $OWNER_GID app
+	adduser -D -h /var/www/html -G app -u $OWNER_UID app
+fi
+
+while ! pg_isready -h $TTRSS_DB_HOST -U $TTRSS_DB_USER; do
+	echo waiting until $TTRSS_DB_HOST is ready...
+	sleep 3
+done
+
+sed -i.bak "s/^\(memory_limit\) = \(.*\)/\1 = ${PHP_WORKER_MEMORY_LIMIT}/" \
+	/etc/php81/php.ini
+
+DST_DIR=/var/www/html/tt-rss
+
+while [ ! -s $DST_DIR/config.php -a -e $DST_DIR/.app_is_ready ]; do
+	echo waiting for app container...
+	sleep 3
+done
+
+sudo -E -u app /usr/bin/php81 /var/www/html/tt-rss/update_daemon2.php
diff --git a/.docker/web-nginx/Dockerfile b/.docker/web-nginx/Dockerfile
new file mode 100644
index 000000000..49b1232b4
--- /dev/null
+++ b/.docker/web-nginx/Dockerfile
@@ -0,0 +1,15 @@
+FROM registry.fakecake.org/nginx:alpine
+
+HEALTHCHECK CMD curl --fail http://localhost/tt-rss/index.php || exit 1
+
+COPY nginx.conf /etc/nginx/templates/nginx.conf.template
+
+# By default, nginx will send the php requests to "app" server, but this server
+# name can be overridden at runtime by passing an APP_UPSTREAM env var
+ENV APP_UPSTREAM=${APP_UPSTREAM:-app}
+
+# It's necessary to set the following NGINX_ENVSUBST_OUTPUT_DIR env var to tell
+# nginx to replace the env vars of /etc/nginx/templates/nginx.conf.template
+# and put the result in /etc/nginx/nginx.conf (instead of /etc/nginx/conf.d/nginx.conf)
+# See https://github.com/docker-library/docs/tree/master/nginx#using-environment-variables-in-nginx-configuration-new-in-119
+ENV NGINX_ENVSUBST_OUTPUT_DIR=/etc/nginx
diff --git a/.docker/web-nginx/nginx.conf b/.docker/web-nginx/nginx.conf
new file mode 100644
index 000000000..f7d47c453
--- /dev/null
+++ b/.docker/web-nginx/nginx.conf
@@ -0,0 +1,61 @@
+worker_processes auto;
+pid /var/run/nginx.pid;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+	include /etc/nginx/mime.types;
+	default_type  application/octet-stream;
+
+	access_log /dev/stdout;
+	error_log /dev/stderr warn;
+
+	sendfile on;
+
+	index index.php;
+
+	upstream app {
+		server ${APP_UPSTREAM}:9000;
+	}
+
+	server {
+		listen 80;
+		listen [::]:80;
+
+		root /var/www/html;
+
+		location /tt-rss/cache {
+			aio threads;
+			internal;
+		}
+
+		location /tt-rss/backups {
+			internal;
+		}
+
+		location ~ \.php$ {
+			# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+			fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+
+			# Check that the PHP script exists before passing it
+			try_files $fastcgi_script_name =404;
+
+			# Bypass the fact that try_files resets $fastcgi_path_info
+			# see: http://trac.nginx.org/nginx/ticket/321
+			set $path_info $fastcgi_path_info;
+			fastcgi_param PATH_INFO $path_info;
+
+			fastcgi_index index.php;
+			include fastcgi.conf;
+
+			fastcgi_pass app;
+		}
+
+		location / {
+			try_files $uri $uri/ =404;
+		}
+
+	}
+}
diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
new file mode 100644
index 000000000..da72774a8
--- /dev/null
+++ b/.gitea/workflows/build.yml
@@ -0,0 +1,124 @@
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+
+name: build
+
+on:
+  push:
+    branches:
+      - "master"
+  workflow_dispatch: {}
+
+defaults:
+  run:
+    shell: sh
+
+jobs:
+  build:
+    runs-on: alpine-3.16
+    steps:
+    - uses: https://gitea.com/actions/checkout@v3
+
+    - name: npm install
+      run: npm install
+
+    - name: eslint
+      run: npx eslint js plugins
+
+    - name: phpunit
+      run: php81 ./vendor/bin/phpunit
+
+    - name: calculate cache key hash
+      uses: actions/go-hashfiles@v0.0.1
+      id: cache-hash
+      with:
+        patterns: |
+          classes/*.php
+          include/*.php
+          plugins/**/*.php
+
+    - uses: https://github.com/actions/cache/restore@v3
+      id: cache-phpstan
+      with:
+        path: /tmp/phpstan
+        key: ${{ runner.os }}-phpstan-${{ steps.cache-hash.outputs.hash }}
+
+    - name: phpstan
+      run: php81 -d memory_limit=-1 ./vendor/bin/phpstan --memory-limit=2G
+
+    - uses: https://github.com/actions/cache/save@v3
+      with:
+        path: /tmp/phpstan
+        key: ${{ steps.cache-phpstan.outputs.cache-primary-key }}
+
+    - run: echo REPO_TIMESTAMP=$(git --git-dir '.git' --no-pager log --pretty='%ct' -n1 HEAD) >> $GITHUB_ENV
+    - run: echo REPO_COMMIT=$(git --git-dir '.git' --no-pager log --pretty='%h' -n1 HEAD) >> $GITHUB_ENV
+    - run: echo REPO_COMMIT_FULL=$(git --git-dir '.git' --no-pager log --pretty='%H' -n1 HEAD) >> $GITHUB_ENV
+    - run: echo BUILD_TAG=$(date -d @${REPO_TIMESTAMP} +%y.%m)-${REPO_COMMIT} >> $GITHUB_ENV
+
+    - name: setup buildx
+      uses: https://github.com/docker/setup-buildx-action@v2
+
+    - name: login into registry
+      run: |
+        BASE64_AUTH=`echo -n "$REGISTRY_USER:$REGISTRY_PASSWORD" | base64`
+        mkdir -p ~/.docker
+        echo "{\"auths\": {\"registry-rw.fakecake.org\": {\"auth\": \"$BASE64_AUTH\"}}}" > ~/.docker/config.json
+      env:
+          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
+      if: ${{ !!secrets.REGISTRY_PUSH_ENABLED }}
+
+    - name: build web-nginx image
+      uses: https://github.com/docker/build-push-action@v4
+      with:
+        push: ${{ !!secrets.REGISTRY_PUSH_ENABLED }}
+        context: .docker/web-nginx
+        tags: |
+          registry-rw.fakecake.org/cthulhoo/ttrss-web-nginx:latest
+          registry-rw.fakecake.org/cthulhoo/ttrss-web-nginx:${{ env.BUILD_TAG }}
+        provenance: false
+
+    - name: build app image
+      uses: https://github.com/docker/build-push-action@v4
+      with:
+        push: ${{ !!secrets.REGISTRY_PUSH_ENABLED }}
+        context: .docker/app
+        build-contexts:
+          app-src=.
+        tags: |
+          registry-rw.fakecake.org/cthulhoo/ttrss-fpm-pgsql-static:latest
+          registry-rw.fakecake.org/cthulhoo/ttrss-fpm-pgsql-static:${{ env.BUILD_TAG }}
+        provenance: false
+
+    - name: login into docker hub
+      run: |
+        BASE64_AUTH=`echo -n "$REGISTRY_USER:$REGISTRY_PASSWORD" | base64`
+        mkdir -p ~/.docker
+        echo "{\"auths\": {\"$REGISTRY_HOST\": {\"auth\": \"$BASE64_AUTH\"}}}" > ~/.docker/config.json
+      env:
+          REGISTRY_USER: ${{ secrets.REGISTRY_GITHUB_USER }}
+          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_GITHUB_ACCESS_TOKEN }}
+          REGISTRY_HOST: https://index.docker.io/v1/
+      if: ${{ !!secrets.REGISTRY_GITHUB_PUSH_ENABLED }}
+
+    - name: build web-nginx image
+      uses: https://github.com/docker/build-push-action@v4
+      with:
+        push: ${{ !!secrets.REGISTRY_GITHUB_PUSH_ENABLED }}
+        context: .docker/web-nginx
+        tags: |
+          cthulhoo/ttrss-web-nginx:latest
+          cthulhoo/ttrss-web-nginx:${{ env.BUILD_TAG }}
+        provenance: false
+
+    - name: build app image
+      uses: https://github.com/docker/build-push-action@v4
+      with:
+        push: ${{ !!secrets.REGISTRY_GITHUB_PUSH_ENABLED }}
+        context: .docker/app
+        build-contexts:
+          app-src=.
+        tags: |
+          cthulhoo/ttrss-fpm-pgsql-static:latest
+          cthulhoo/ttrss-fpm-pgsql-static:${{ env.BUILD_TAG }}
+        provenance: false