feat(hyperf): add OTEL collector variants and unify hyperf-otel #2

Open: wilcorrea wants to merge 2 commits into main from feat/hyperf-otel-image

@wilcorrea wilcorrea commented Jun 4, 2026

Summary

  • Restructures hyperf/ to follow the {image}/{version} pattern used by aws-cli, node, quasar, vue.
  • Merges the standalone hyperf-otel/ folder into hyperf/8.3/ as a multi-stage variant — same image, different --target.
  • Adds a generic variants.yaml manifest per {image}/{version} that declares which tags to build (target + suffix + optional build-args). Replaces image-specific scanning conventions.
  • hyperf/latest is a symlink to hyperf/8.3.
  • New workflow build-images.yml: on push to main, reads variants.yaml of changed {image}/{version} folders (follows latest symlinks) and publishes one Docker Hub tag per entry.
  • New workflow validate.yml: on pull_request, validates structure of every changed variants.yaml.

Why

The previous hyperf-otel image bundled a googlecloud-specific OTEL config that wouldn't fit AWS/Azure/on-prem consumers. Making the collector and dev-tools toggles configurable via build-args + publishing multiple variants lets consumers pick the right one at FROM time without rebuilding the base. Merging back into hyperf/ removes duplication; the OTEL layer becomes an opt-in second stage.

Variant manifest format

# hyperf/8.3/variants.yaml
- target: hyperf
  suffix:
- target: hyperf
  suffix: dev
  args:
    APP_TARGET: dev
- target: hyperf-otel
  suffix: otel
  args:
    COLLECTOR: debug
- target: hyperf-otel
  suffix: google
  args:
    COLLECTOR: google

Rules:

  • Each entry must declare target (non-empty) and suffix (key required; empty value = plain :<version> tag).
  • args (optional) is a mapping passed as --build-arg KEY=VALUE to docker build.
  • Tag = <image>:<version> if suffix empty, else <image>:<version>-<suffix>.
  • Images without variants.yaml get a single plain build (<image>:<version> from default Dockerfile target). Backwards-compatible with aws-cli, node, etc.

Tags produced from this PR

| Target | Args | Tag | Approx size |
|---|---|---|---|
| hyperf | | devitools/hyperf:8.3 | 97 MB |
| hyperf | APP_TARGET=dev | devitools/hyperf:8.3-dev | 437 MB |
| hyperf-otel | COLLECTOR=debug | devitools/hyperf:8.3-otel | 463 MB |
| hyperf-otel | COLLECTOR=google | devitools/hyperf:8.3-google | 463 MB |

Plus matching :latest, :latest-dev, :latest-otel, :latest-google via the symlink (workflow detects the symlink and includes it in the matrix when the canonical version changes).

Workflows

build-images.yml (on push to main)

  • Triggers on changes to */*/Dockerfile, */*/variants.yaml, */*/rootfs/**, */*/.scripts/**, */*/otel/**, or */latest.
  • For each changed {image}/{version} dir, follows latest symlinks pointing to it.
  • For each (image, version): reads variants.yaml via yq → jq (both pre-installed on Ubuntu runners) and emits one matrix entry per variant.
  • Each matrix entry → one docker/build-push-action@v6 call (linux/amd64) with target and build-args derived from the manifest. GHA cache scoped per tag.

validate.yml (on PRs)

  • Triggers on PRs touching any */*/variants.yaml.
  • For each changed manifest, checks:
    1. YAML parses (yq).
    2. Root is a list.
    3. Each entry has non-empty target and the suffix key (value may be empty).
    4. args is a mapping when present.
    5. Sibling Dockerfile declares FROM ... AS <target> for every referenced target.
    6. No two entries produce the same tag suffix.
  • Errors surface as inline annotations on the offending file.

Adding new variants

Drop a row in <image>/<version>/variants.yaml. The build-images workflow picks it up on the next push to main. The validate workflow catches malformed entries during the PR.

Examples:

  • New collector backend: { target: hyperf-otel, suffix: jaeger, args: { COLLECTOR: jaeger } } (with matching hyperf/8.3/otel/collectors/jaeger.yaml).
  • ARM variant in the future: { target: hyperf, suffix: arm, args: { TARGETPLATFORM: linux/arm64 } }.

Local validation

  • All 4 tags build successfully via local docker build with appropriate --target and --build-arg.
  • Lean tag has no otelcol-contrib / supervisord — backwards compatible with current devitools/hyperf:8.3 consumers.
  • validate.yml logic smoke-tested locally: catches missing target/suffix, invalid args type, missing Dockerfile stage, and duplicate suffix tags.
  • yq → jq parser produces the expected 4 matrix entries from the manifest.

Required secrets

  • DOCKERHUB_USERNAME ✅ configured
  • DOCKERHUB_TOKEN ✅ configured

Test plan

  • PR triggers validate.yml; passes on this branch (manifest is valid)
  • Merge triggers build-images.yml
  • Matrix expands to 8 builds (hyperf/8.3 × 4 variants + hyperf/latest × 4 variants)
  • All 8 push to Docker Hub
  • Digests match between :8.3 and :latest, :8.3-dev and :latest-dev, etc.
  • docker pull devitools/hyperf:8.3 (lean) is ~97MB with php entrypoint
  • docker pull devitools/hyperf:8.3-otel is ~463MB with /entrypoint.sh (supervisord)
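
The manifest rules and validate.yml checks 3, 5 and 6 from the description above, as an added sketch that is not the PR's workflow code: it derives the tag list from the manifest shown in the description. The awk reader (standing in for the PR's yq → jq step), the function names and the two-stage sample Dockerfile are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not the PR's validate.yml or build-images.yml.
# The awk reader below stands in for yq and handles only the flat
# list-of-maps shape shown in the PR description.

# Emit "target|has_suffix_key|suffix|." for every manifest entry.
manifest_rows() {
    awk '
        function emit() { printf "%s|%d|%s|.\n", target, has, suffix }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^- / { if (n++) emit(); target = ""; suffix = ""; has = 0; sub(/^- /, "  ") }
        /^  target:/ { target = $0; sub(/^  target:[ \t]*/, "", target); sub(/[ \t]+$/, "", target) }
        /^  suffix:/ { suffix = $0; sub(/^  suffix:[ \t]*/, "", suffix); sub(/[ \t]+$/, "", suffix); has = 1 }
        END { if (n) emit() }
    ' "$1"
}

# usage: manifest_tags IMAGE VERSION MANIFEST DOCKERFILE
# Prints one tag per entry; stops with a message on stderr at the first problem.
manifest_tags() {
    image=$1 version=$2 dockerfile=$4 seen='|'
    rows=$(manifest_rows "$3") || return 1
    [ -n "$rows" ] || { echo "manifest has no entries" >&2; return 1; }
    while IFS='|' read -r target has suffix rest; do
        # A "|" inside a value shifts the sentinel, so the entry is refused.
        [ "$rest" = . ] || { echo "malformed entry" >&2; return 1; }
        case "$target" in ''|*[!A-Za-z0-9._-]*)
            echo "missing or invalid target" >&2; return 1 ;; esac
        [ "$has" = 1 ] || { echo "$target: suffix key is required" >&2; return 1; }
        case "$suffix" in *[!A-Za-z0-9._-]*)
            echo "$target: invalid suffix" >&2; return 1 ;; esac
        # Check 5: the sibling Dockerfile must declare FROM ... AS <target>.
        awk -v t="$target" 'NF >= 4 && toupper($1) == "FROM" &&
            toupper($(NF - 1)) == "AS" && $NF == t { ok = 1 }
            END { exit !ok }' "$dockerfile" ||
            { echo "$target: no Dockerfile stage" >&2; return 1; }
        # Check 6: no two entries may yield the same tag suffix.
        case "$seen" in *"|$suffix|"*)
            echo "duplicate suffix '$suffix'" >&2; return 1 ;; esac
        seen="$seen$suffix|"
        if [ -n "$suffix" ]; then echo "$image:$version-$suffix"
        else echo "$image:$version"; fi
    done <<EOF
$rows
EOF
}

# Constructed sample: the manifest from the PR description plus a
# stand-in Dockerfile that only declares the two stage names.
demo=$(mktemp -d)
cat > "$demo/variants.yaml" <<'EOF'
- target: hyperf
  suffix:
- target: hyperf
  suffix: dev
  args:
    APP_TARGET: dev
- target: hyperf-otel
  suffix: otel
  args:
    COLLECTOR: debug
- target: hyperf-otel
  suffix: google
  args:
    COLLECTOR: google
EOF
printf '%s\n' 'FROM scratch AS hyperf' 'FROM hyperf AS hyperf-otel' > "$demo/Dockerfile"
manifest_tags devitools/hyperf 8.3 "$demo/variants.yaml" "$demo/Dockerfile"
```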

coderabbitai Bot commented Jun 4, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: be8bdb71-1b14-461b-a571-5ee2dfe21421

📥 Commits

Reviewing files that changed from the base of the PR and between a215cbc and f24c797.

📒 Files selected for processing (16)
  • .github/workflows/build-images.yml
  • .github/workflows/validate.yml
  • hyperf/8.3/.scripts/setup-dev.sh
  • hyperf/8.3/.scripts/setup.sh
  • hyperf/8.3/Dockerfile
  • hyperf/8.3/README-pt-BR.md
  • hyperf/8.3/README.md
  • hyperf/8.3/otel/collectors/debug.yaml
  • hyperf/8.3/otel/collectors/google.yaml
  • hyperf/8.3/otel/entrypoint.sh
  • hyperf/8.3/otel/supervisord.conf
  • hyperf/8.3/rootfs/apk/repositories
  • hyperf/8.3/rootfs/etc/php/php-fpm.conf
  • hyperf/8.3/rootfs/etc/php/php.ini
  • hyperf/8.3/variants.yaml
  • hyperf/latest
📝 Walkthrough

This PR introduces automated Docker image building infrastructure for Hyperf with OpenTelemetry Collector, including a GitHub Actions workflow that detects code changes and builds versioned container images (8.3 and latest) featuring optional pgbouncer database pooling, supervisor-managed processes, and distributed tracing via Google Cloud export.

Changes

Hyperf-OTEL Docker Images with CI/CD Automation

| Layer | File(s) | Summary |
|---|---|---|
| GitHub Actions build workflow | .github/workflows/build-images.yml | Workflow triggers on pushes to main affecting Dockerfile or rootfs directories, or on manual dispatch. The detect job uses tj-actions/changed-files to identify modified depth-2 directories containing a Dockerfile, outputs a JSON array of targets, and the build job runs a matrix over those targets, logs into Docker Hub, and pushes images built with docker/build-push-action@v6 for linux/amd64. |
| Dockerfile image setup (8.3 and latest) | hyperf-otel/8.3/Dockerfile, hyperf-otel/latest/Dockerfile | Both Dockerfiles parameterize the Hyperf base image tag, install Alpine packages (supervisor, pgbouncer, curl, wget), download and unpack OpenTelemetry Collector Contrib binaries (version 0.121.0), create runtime directories for pgbouncer and supervisord, copy configuration files and the entrypoint script from rootfs/, mark the script executable, and set ENTRYPOINT to /entrypoint.sh. |
| Telemetry and supervisor configuration | hyperf-otel/8.3/rootfs/etc/otel-collector-config.yaml, hyperf-otel/8.3/rootfs/etc/supervisord.conf, hyperf-otel/latest/rootfs/etc/otel-collector-config.yaml, hyperf-otel/latest/rootfs/etc/supervisord.conf | OpenTelemetry Collector configs define a zipkin trace receiver (port 9411), memory_limiter and batch processors, and a googlecloud exporter configured from ${GOOGLE_CLOUD_PROJECT}. Supervisord configs run hyperf and otel-collector-contrib as managed programs in foreground mode, log to stdout/stderr, and include dynamic program configs from /etc/supervisor.d/*.ini. |
| Container startup and pgbouncer management | hyperf-otel/8.3/rootfs/entrypoint.sh, hyperf-otel/latest/rootfs/entrypoint.sh | The 8.3 entrypoint conditionally starts supervisord unless pgbouncer is enabled; when enabled, it parses PGBOUNCER_DATABASES aliases, writes /etc/pgbouncer/pgbouncer.ini with per-alias database entries, configures transaction pooling on 127.0.0.1:6432, creates supervisor program config, exports per-alias connection variables, and starts supervisord. The latest version implements the same flow with additional environment variable expansion via eval. |
| User documentation and examples | hyperf-otel/8.3/README.md, hyperf-otel/latest/README.md | Both READMEs describe the image as a Hyperf + OpenTelemetry + optional pgbouncer platform managed by supervisord, document the PGBOUNCER_ENABLED entrypoint switch, explain how PGBOUNCER_DATABASES aliases map to POSTGRES_* environment variables, show how connection variables are re-exported to route through the local pooler (127.0.0.1:6432), provide consumer Dockerfile examples, explain configuration override patterns, include build and publish instructions with version pinning examples, and link to related resources. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Title check | ✅ Passed | The title accurately describes the main changes: adding OpenTelemetry collector variants and unifying the hyperf-otel image setup across versions. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |


@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 13

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/build-images.yml:
- Around line 1-17: The workflow is missing an explicit permissions block which
causes it to inherit broad repository defaults; add a top-level permissions
entry requesting the minimum required for this job (e.g. set permissions:
contents: read) so the GITHUB_TOKEN used by actions only has read access to the
repo; place this permissions block at the top-level (alongside keys like name
and on) so the workflow explicitly limits the GITHUB_TOKEN scope.
- Around line 40-45: The workflow currently leaves candidates empty when
triggered by workflow_dispatch without inputs.target because the
tj-actions/changed-files step is skipped; update the dispatch path in the
build-images job to either require inputs.target or fall back to a real diff
source: when github.event_name == "workflow_dispatch" and inputs.target is
empty, call or reuse the changed-files logic
(steps.changed.outputs.all_changed_files) or compute a diff against the default
branch (e.g., fetch origin and diff HEAD...origin/main) and populate candidates
from that output; ensure the code paths that reference inputs.target,
steps.changed.outputs.all_changed_files and candidates are adjusted so
candidates is non-empty for manual runs without a target.
- Around line 23-24: Update every GitHub Action `uses:` in the workflow to pin
to an immutable commit SHA instead of a moving tag: replace actions/checkout@v4,
tj-actions/changed-files@v44, docker/setup-buildx-action@v3,
docker/login-action@v3, and docker/build-push-action@v6 with their corresponding
OWNER/REPO@<full_sha> values (you can look up each repo’s latest stable commit
SHA) and optionally retain the human-readable tag as a trailing comment; ensure
the changes are made where those `uses:` entries appear so the workflow
references specific commit SHAs.
- Around line 37-43: The workflow is vulnerable to command injection by
interpolating GitHub expressions directly into shell blocks (candidates+=("${{
inputs.target }}"), image="${{ matrix.target }}", and for dir in ${{
steps.changed.outputs.all_changed_files }}); fix by passing these values through
the environment (use env: or GITHUB_OUTPUT to set a safe variable) and then
reading the environment vars inside the run block, validate the target/matrix
value against a strict allowlist before using it (e.g., check in a switch/if
against allowed names in the run step), and iterate changed files from a
pre-sanitized newline-separated env variable (or read from a file) rather than
unquoted expansion; update the blocks that reference candidates, inputs.target,
matrix.target, steps.changed.outputs.all_changed_files and the image assignment
to use the sanitized env vars and allowlist checks.

In `@hyperf-otel/8.3/Dockerfile`:
- Around line 13-20: Create and use an unprivileged service user in the
Dockerfile: add a non-root user (e.g., "hyperf") and group, chown the runtime
directories created by the RUN mkdir -p line (/etc/pgbouncer,
/var/log/pgbouncer, /var/run/pgbouncer, /etc/supervisor.d, /var/run/supervisor)
plus copied config files (COPY rootfs/... entries) to that user, and set USER to
that account before the ENTRYPOINT so /entrypoint.sh, otelcol-contrib, Hyperf
and optional pgbouncer run unprivileged; ensure the entrypoint still has execute
permission and any startup steps that need root (if any) are performed before
switching to the non-root user.
- Around line 7-12: The Dockerfile currently downloads
otelcol-contrib_${OTEL_COLLECTOR_VERSION}_linux_amd64.tar.gz and extracts it
without verifying integrity; update the RUN step that references
OTEL_COLLECTOR_VERSION and otelcol-contrib to fetch the release checksum (and/or
signature) from the same GitHub release, install any needed tools (sha256sum or
gnupg), verify the tarball against the published SHA256 (or verify the GPG
signature with the collector project's public key), fail the build if
verification fails, and only then extract to /usr/local/bin and remove
artifacts; ensure verification commands are added before the tar -xzf invocation
so the build aborts on mismatch.

In `@hyperf-otel/8.3/rootfs/entrypoint.sh`:
- Around line 35-41: The script writes a pgbouncer stanza even when resolved
backend variables (host, name, user, pass) are empty; change entrypoint.sh to
validate the per-alias variables (host, name, user, pass — allow port default)
before appending the stanza: if any required variable is empty, print a clear
error mentioning the alias to stderr and exit 1 instead of writing "pgb_${alias}
= ..." ; only append the stanza when the check passes. Use the existing variable
names (host, port, name, user, pass, alias) to locate and modify the block.
- Around line 18-23: The code builds a prefix from each PGBOUNCER_DATABASES
alias and passes it into eval (see resolve_prefix, the eval uses around "printf
... \"\${${prefix}_...:-}\"" and "export ${prefix}_...=..."), which is a
command-injection risk; fix by first validating each alias against a strict
whitelist (e.g., /^[A-Za-z0-9_]+$/) and aborting on any mismatch, then eliminate
eval by using safe environment lookups: construct the variable name (e.g.,
var="${prefix}_HOST") and retrieve its value with a non-eval method (use
printenv/printenv "$var" or, in bash, indirect expansion ${!var}) and assign
exports with safe shell expansions instead of eval; update resolve_prefix to
only produce validated uppercase prefixes and ensure all places that previously
used eval now use the validated prefix + safe env lookup and explicit export
commands.

In `@hyperf-otel/latest/Dockerfile`:
- Around line 13-20: Create a non-root service user and switch to it before
ENTRYPOINT: add a user (e.g., "hyperf" or "service") in the Dockerfile, chown
the runtime dirs and config/entrypoint files copied from rootfs (referencing
/etc/pgbouncer, /var/log/pgbouncer, /var/run/pgbouncer, /etc/supervisor.d,
/var/run/supervisor, /etc/otel-collector-config.yaml and /entrypoint.sh) so the
unprivileged user can write them at runtime, then set USER to that account
before the existing ENTRYPOINT ["/entrypoint.sh"]; if any initialization in
/entrypoint.sh requires root, perform that chown/setup at build time or wrap
only that portion with a drop-to-root helper, otherwise ensure the container
runs the otelcol-contrib, Hyperf and optional pgbouncer processes as the new
user.
- Around line 7-12: The Dockerfile currently downloads /tmp/otelcol.tar.gz using
OTEL_COLLECTOR_VERSION and extracts it without verification; update the RUN
sequence to fetch the published checksum (or signature) for the same release
(e.g. the SHA256 or GPG signature from the GitHub Releases for
v${OTEL_COLLECTOR_VERSION}), verify /tmp/otelcol.tar.gz before running tar -xzf
(fail the build if verification fails), and only then chmod and install
otelcol-contrib; reference the OTEL_COLLECTOR_VERSION variable,
/tmp/otelcol.tar.gz, and the otelcol-contrib binary when implementing the
verification step.

In `@hyperf-otel/latest/README.md`:
- Line 50: Replace the image tag used in the README examples: find every
occurrence of the string "devitools/hyperf-otel:8.3" (used in the Dockerfile
example lines like the FROM directive) and change it to
"devitools/hyperf-otel:latest" so the `latest` README shows the unversioned tag
in all examples.

In `@hyperf-otel/latest/rootfs/entrypoint.sh`:
- Around line 35-41: The code currently always writes a pgb_${alias} stanza even
if resolved vars (host, port, name, user, pass) are empty; update the block that
computes host/port/name/user/pass (using prefix and alias) to validate required
fields (at minimum host, name, user, pass) before appending to
/etc/pgbouncer/pgbouncer.ini: if any required variable is empty, print a clear
error naming the alias and missing fields and exit non‑zero instead of writing
the stanza; otherwise write the configured stanza as before. Ensure you
reference the same variables (host, port, name, user, pass, prefix, alias) and
fail fast when validation fails.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6d22868b-adfd-4d97-b3d2-8c645c7964d6

📥 Commits

Reviewing files that changed from the base of the PR and between 3697c8c and a215cbc.

📒 Files selected for processing (11)
  • .github/workflows/build-images.yml
  • hyperf-otel/8.3/Dockerfile
  • hyperf-otel/8.3/README.md
  • hyperf-otel/8.3/rootfs/entrypoint.sh
  • hyperf-otel/8.3/rootfs/etc/otel-collector-config.yaml
  • hyperf-otel/8.3/rootfs/etc/supervisord.conf
  • hyperf-otel/latest/Dockerfile
  • hyperf-otel/latest/README.md
  • hyperf-otel/latest/rootfs/entrypoint.sh
  • hyperf-otel/latest/rootfs/etc/otel-collector-config.yaml
  • hyperf-otel/latest/rootfs/etc/supervisord.conf
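
The entrypoint.sh findings in this review (an alias from PGBOUNCER_DATABASES reaching eval, and stanzas written with empty backend values) can both be closed with a whitelist check, a lookup that never evaluates the alias, and a fail-fast test. Added example, not the PR's entrypoint.sh: the POSTGRES_DB_<ALIAS>_HOST/PORT/NAME/USER/PASS naming, the comma separator and the stanza layout are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's entrypoint.sh. Assumptions: aliases are
# comma-separated in PGBOUNCER_DATABASES, and alias "main" is configured by
# POSTGRES_DB_MAIN_HOST, _PORT, _NAME, _USER and _PASS.

# Whitelist: letters, digits and underscore only. A case pattern checks the
# whole string, so an embedded newline cannot slip past a per-line regex.
valid_alias() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    return 0
}

# Upper-cased variable prefix for an alias that already passed valid_alias.
resolve_prefix() {
    printf 'POSTGRES_DB_%s' "$(printf '%s' "$1" | tr 'a-z' 'A-Z')"
}

# Read an exported variable by name. The name is data passed to printenv,
# never shell source, so no eval is involved.
env_lookup() {
    printenv "$1" || true
}

# Print the [databases] line for one alias. Return 2 for a rejected alias and
# 3 when a required variable is empty; the port falls back to 5432.
pgbouncer_stanza() {
    db_alias=$1
    if ! valid_alias "$db_alias"; then
        echo "PGBOUNCER_DATABASES: rejected alias" >&2
        return 2
    fi
    prefix=$(resolve_prefix "$db_alias")
    host=$(env_lookup "${prefix}_HOST")
    port=$(env_lookup "${prefix}_PORT")
    name=$(env_lookup "${prefix}_NAME")
    user=$(env_lookup "${prefix}_USER")
    pass=$(env_lookup "${prefix}_PASS")
    missing=
    [ -n "$host" ] || missing="$missing ${prefix}_HOST"
    [ -n "$name" ] || missing="$missing ${prefix}_NAME"
    [ -n "$user" ] || missing="$missing ${prefix}_USER"
    [ -n "$pass" ] || missing="$missing ${prefix}_PASS"
    if [ -n "$missing" ]; then
        echo "alias '$db_alias': empty required variables:$missing" >&2
        return 3
    fi
    printf 'pgb_%s = host=%s port=%s dbname=%s user=%s password=%s\n' \
        "$db_alias" "$host" "${port:-5432}" "$name" "$user" "$pass"
}

# Render every alias in a comma-separated list; stop at the first failure.
render_databases() {
    old_ifs=$IFS
    IFS=,
    set -f                              # no globbing while splitting
    set -- $1
    set +f
    IFS=$old_ifs
    for item in "$@"; do
        pgbouncer_stanza "$item" || return $?
    done
}

# Constructed sample environment for a single alias.
export POSTGRES_DB_MAIN_HOST=db.internal POSTGRES_DB_MAIN_NAME=app
export POSTGRES_DB_MAIN_USER=svc POSTGRES_DB_MAIN_PASS=example-password
render_databases "main"
```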

Comment thread .github/workflows/build-images.yml
Comment on lines +23 to +24
- name: Checkout
uses: actions/checkout@v4
@coderabbitai coderabbitai Bot Jun 4, 2026

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Pin every GitHub Action uses: to an immutable commit SHA (not a moving tag).

In .github/workflows/build-images.yml, these uses: entries reference mutable tags: actions/checkout@v4, tj-actions/changed-files@v44, docker/setup-buildx-action@v3, docker/login-action@v3, and docker/build-push-action@v6. Pin each to OWNER/REPO@<full_sha> (optionally keep the human-readable tag in a comment).

🧰 Tools
🪛 zizmor (1.25.2)

[warning] 23-24: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)


[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

Contributor Author


Skipping this for now to stay consistent with the rest of the repo — .github/workflows/copilot-sandbox.yml uses tag pins for the same docker/* actions and actions/checkout. Pinning to commit SHAs is reasonable but is a repo-wide policy decision that should be paired with Dependabot for action SHAs; otherwise the workflows drift apart in conventions. Happy to revisit as a separate PR.

@wilcorrea, that's a fair point — consistency across workflows matters, and introducing SHA pins in isolation without Dependabot or a repo-wide policy would just create two different conventions. Would you like me to open a follow-up issue to track the "pin all action refs to commit SHAs + enable Dependabot for Actions" work so it doesn't get lost?

(ᵔᴥᵔ) 🐰 noted
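
For the follow-up discussed in this thread, a repo-wide check can list every `uses:` reference that is still on a moving tag. Added example, not part of the PR or of zizmor: the function names are hypothetical, the sample workflow is constructed from the action references named in the review, and the 40-character value in it is a placeholder, not a real commit.

```shell
#!/bin/sh
# Added example, not part of the PR or of zizmor. It reports every `uses:`
# reference that is not pinned to a full 40-character commit SHA.

# Print "LINE: ref" for each unpinned reference in a workflow file.
unpinned_uses() {
    awk '
        /^[ \t-]*uses:/ {
            ref = $0
            sub(/^[ \t-]*uses:[ \t]*/, "", ref)
            sub(/[ \t]*#.*$/, "", ref)          # drop a trailing "# v4" comment
            sub(/[ \t]+$/, "", ref)
            if (ref ~ /^\.\// || ref ~ /^docker:/) next   # local action or image ref
            at = index(ref, "@")
            rev = at ? substr(ref, at + 1) : ""
            if (length(rev) != 40 || rev !~ /^[0-9a-f]+$/)
                printf "%d: %s\n", NR, ref
        }
    ' "$1"
}

# Succeeds only when every remote action reference is SHA-pinned.
pin_policy_ok() {
    [ -z "$(unpinned_uses "$1")" ]
}

# Constructed sample workflow; the pinned entry uses a placeholder SHA.
sample=$(mktemp)
cat > "$sample" <<'EOF'
name: build-images
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - uses: tj-actions/changed-files@v44
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
      - uses: docker/build-push-action@v6   # moving tag
      - uses: example-org/example-action@0123456789abcdef0123456789abcdef01234567 # v1 (placeholder SHA)
      - uses: ./.github/actions/local
EOF
unpinned_uses "$sample"
```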

@wilcorrea wilcorrea force-pushed the feat/hyperf-otel-image branch from a215cbc to 458b51b Compare June 4, 2026 02:51
@wilcorrea wilcorrea changed the title feat(hyperf-otel): add base image with OTEL Collector and pgbouncer feat(hyperf): add OTEL collector variants and unify hyperf-otel Jun 4, 2026
Restructures hyperf/ to follow the {image}/{version} pattern used by
aws-cli, node, quasar, vue and merges the standalone hyperf-otel image
into hyperf/8.3 as a multi-stage variant.

Targets:
- hyperf      -> devitools/hyperf:8.3        (lean, ~97MB, ENTRYPOINT=php)
- hyperf-otel -> devitools/hyperf:8.3-<col>  (~463MB, ENTRYPOINT=supervisord)

Collectors live in hyperf/8.3/otel/collectors/*.yaml. New variants can
be added by dropping a yaml file. Two ship in this PR:
- debug  (vendor-neutral, logs spans to stderr)
- google (googlecloud exporter, replaces previous gcloud-specific default)

hyperf/latest is a symlink to 8.3.

Adds .github/workflows/build-images.yml: detects changed {image}/{version}
folders on push to main, follows latest symlinks, and publishes one tag
per (version, target) combo to Docker Hub via DOCKERHUB_USERNAME and
DOCKERHUB_TOKEN secrets.
@wilcorrea wilcorrea force-pushed the feat/hyperf-otel-image branch from 458b51b to b7d9de4 Compare June 4, 2026 03:10
- workflows: declare explicit contents:read permissions and pass
  GitHub-context values through env: instead of inline ${{ }}
  expansion (mitigates template injection risk)
- workflow_dispatch: require target input (avoids empty matrix on
  manual runs without input)
- hyperf/8.3/Dockerfile: verify otelcol-contrib tarball sha256
  against the published opentelemetry-collector-releases checksums
- hyperf/8.3/otel/entrypoint.sh: whitelist PGBOUNCER_DATABASES
  alias chars before eval, and fail fast when a required
  POSTGRES_DB_* var is empty for an alias
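
The first fix in this commit (GitHub-context values passed through env: instead of inline ${{ }} expansion) pairs with the allowlist check the review asked for. Added example of a detect step body, not the PR's build-images.yml: the variable names TARGET_INPUT and CHANGED_FILES, the newline separator and the character allowlist are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's build-images.yml. Assumed step wiring (YAML):
#   env:
#     TARGET_INPUT: ${{ inputs.target }}
#     CHANGED_FILES: ${{ steps.changed.outputs.all_changed_files }}
# The expressions are expanded into environment variables, so their content
# reaches the script as data and is never parsed as shell source.

# Accept only "<image>/<version>": one slash, a conservative character set,
# and no leading "-" or "." that could be read as an option or a hidden dir.
valid_target() {
    case "$1" in
        ''|*[!a-z0-9._/-]*|[!a-z0-9]*|*/*/*|*/|*..*) return 1 ;;
        */*) return 0 ;;
    esac
    return 1
}

# Print one validated target per line.
detect_targets() {
    repo_root=${1:-.}
    if [ -n "${TARGET_INPUT:-}" ]; then
        valid_target "$TARGET_INPUT" || { echo "inputs.target rejected" >&2; return 1; }
        printf '%s\n' "$TARGET_INPUT"
        return 0
    fi
    # Reduce each changed path to its depth-2 directory, then keep only
    # allowlisted directories that really contain a Dockerfile.
    printf '%s\n' "${CHANGED_FILES:-}" |
        awk -F/ 'NF >= 3 { print $1 "/" $2 }' | sort -u |
        while IFS= read -r dir; do
            if valid_target "$dir" && [ -f "$repo_root/$dir/Dockerfile" ]; then
                printf '%s\n' "$dir"
            fi
        done
}

# Turn the validated lines into the JSON array used for the build matrix.
# Safe without escaping because valid_target admits no quote or backslash.
targets_json() {
    awk 'BEGIN { printf "[" }
         { printf "%s\"%s\"", (NR > 1 ? "," : ""), $0 }
         END { print "]" }'
}

# Constructed sample: a throwaway tree and a changed-file list.
tree=$(mktemp -d)
mkdir -p "$tree/hyperf/8.3"
: > "$tree/hyperf/8.3/Dockerfile"
CHANGED_FILES='hyperf/8.3/Dockerfile
hyperf/8.3/otel/entrypoint.sh
README.md'
detect_targets "$tree" | targets_json
```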