feature(app): Implement FrankenPHP classic stack.

[terabytesoftw]

Q	A
Is bugfix	❌
New feature	✔️
Breaks BC	❌

Summary by CodeRabbit

• New Features

  • Added a Docker Compose–based FrankenPHP environment with HTTPS, healthchecks, and supervisor-managed services for local/containerized runs.

• Tests

  • CI now builds and runs tests inside the container via Docker Compose (replacing the previous Action). Acceptance tests target HTTPS on port 443; legacy built-in server env removed.

• Documentation

  • Updated badges to point to the active development branch and removed deprecated deployment options.

• Chores

  • Added container startup/init scripts, runtime tuning, supervisor programs, and a global PHP config.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Replaces the Codeception GitHub Action with a Docker Compose-based franken-php job that builds and runs a FrankenPHP/Caddy container, runs container init/supervisor, waits for HTTPS readiness, and executes Codeception inside the running container; adds Dockerfiles, Caddyfile, supervisord configs, entry/init scripts, updates tests to HTTPS:443, and updates README badges.

Changes

Cohort / File(s)	Summary of edits
CI workflow \.github/workflows/build.yml	Replaced external Codeception Action with a self-contained job using Docker Compose and docker exec to run Codeception inside the yii2-frankenphp container; removed secrets-based Action inputs.
Docker Compose docker-compose.yml	Added compose file defining yii2-frankenphp service, build args, env_file, healthcheck, ports, mounts, and named volumes.
FrankenPHP image & webserver docker/frankenphp/Dockerfile, docker/frankenphp/Caddyfile	Added Dockerfile (based on dunglas/frankenphp) with PHP extensions, tooling, init scripts; added Caddyfile with TLS, security headers, static handling and Yii2 rewrite.
Container init & entrypoint docker/entrypoint.sh, docker/init.sh	Added entrypoint that execs init; init script sets up Caddy directories, runtime/assets, permissions, composer/npm caches, runs composer install as www-data, copies supervisor config, and starts supervisord.
Supervisor docker/supervisor/supervisord.conf, docker/supervisor/conf.d/frankenphp.conf, docker/supervisor/conf.d/queue.conf	Added supervisord base config and program configs for FrankenPHP and an optional Yii queue worker (logs to stdout/stderr, autostart/autorestart settings).
PHP config docker/php/php.ini	Added container PHP configuration (timezone, error/log settings, memory/upload limits, OPcache tuning, realpath cache).
Codeception config codeception.yml	Removed paths.envs: tests/_envs entry so environment-specific test config loading is no longer declared there.
Tests tests/Acceptance.suite.yml, tests/_envs/dockerized.yml, tests/_envs/php-builtin.yml	Switched PhpBrowser URL to https://localhost:443/; removed dockerized env URL override and deleted php-builtin env that started PHP built-in server.
Docs / README README.md	Updated badges and links to reference franken-php-classic branch; removed the "Available deployment options" section and adjusted quality/status badges.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor GH as GitHub Actions
  participant DC as Docker Compose
  participant CT as yii2-frankenphp (container)
  participant SUP as Supervisor (in container)
  participant FRP as FrankenPHP/Caddy
  participant CC as Codeception

  GH->>DC: docker compose up -d --build --wait
  DC-->>GH: containers started
  GH->>CT: probe HTTPS (curl https://localhost) until healthy
  CT->>SUP: supervisord started (from init.sh)
  SUP->>FRP: start frankenphp (Caddy+PHP)
  FRP-->>GH: HTTPS ready (200/302)
  GH->>CT: docker exec vendor/bin/codecept build
  GH->>CT: docker exec vendor/bin/codecept run
  CT-->>GH: test results returned

Loading

sequenceDiagram
  autonumber
  actor ContainerStart as Container PID 1
  participant EP as /usr/local/bin/entrypoint.sh
  participant INIT as /usr/local/bin/init.sh
  participant FS as Filesystem
  participant COM as Composer
  participant SUP as supervisord

  ContainerStart->>EP: start
  EP->>INIT: exec init.sh
  INIT->>FS: ensure dirs & permissions (/app, runtime, web/assets, caddy)
  alt composer.json present & vendor missing
    INIT->>COM: run composer install as www-data (prod/dev by YII_ENV)
  end
  INIT->>SUP: exec supervisord -n

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• fix(app): Remove all stack configurations. #133 — Modifies or removes the same FrankenPHP Docker stack and CI workflow files; likely overlapping implementation or merge conflicts.
• feature(app): Implement Nginx stack. #181 — Makes the same CI and Codeception test configuration changes (Docker Compose-based test execution and codeception.yml edits); strongly related.
• feat: Add FrankenPHP support with docker configuration and Caddyserver setup. #105 — Adds FrankenPHP support and matching docker/frankenphp files and CI steps; overlaps on image, Caddyfile and test execution approach.

Poem

I stitched a Caddy hat and PHP shoes,
Supervisor hums and Composer chews.
Tests hop in over HTTPS tide,
Compose sets sail, containers glide.
Thump-thump—rabbit code, all snug inside. 🐇✨

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feat-mini-7

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[terabytesoftw]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 4

🧹 Nitpick comments (23)

README.md (2)

18-23: Badges updated to franken-php-classic branch — looks good.

Minor nit: add rel="noopener noreferrer" to the target="_blank" anchors to avoid window.opener leakage in browsers.

-    <a href="https://github.com/yii2-extensions/app-basic/actions/workflows/build.yml?query=branch%3Afranken-php-classic" target="_blank">
+    <a href="https://github.com/yii2-extensions/app-basic/actions/workflows/build.yml?query=branch%3Afranken-php-classic" target="_blank" rel="noopener noreferrer">
-    <a href="https://github.com/yii2-extensions/app-basic/actions/workflows/static.yml?query=branch%3Afranken-php-classic" target="_blank">
+    <a href="https://github.com/yii2-extensions/app-basic/actions/workflows/static.yml?query=branch%3Afranken-php-classic" target="_blank" rel="noopener noreferrer">

---

145-146: Consistency with coverage badge.

Codecov badge (Line 143) still targets branch=main while these target franken-php-classic. If you want per-branch consistency, consider switching Codecov to franken-php-classic as well.

Example:

[![Codecov](https://img.shields.io/codecov/c/github/yii2-extensions/app-basic.svg?branch=franken-php-classic&style=for-the-badge&logo=codecov&logoColor=white&label=Coverage)](https://codecov.io/github/yii2-extensions/app-basic/branch/franken-php-classic)

tests/Acceptance.suite.yml (1)

10-10: HTTPS switch is fine; ensure TLS verification won’t flake CI.

If the cert is self-signed/internal CA, PhpBrowser (Guzzle) will fail by default. Either trust the CA in the container or disable verification for tests.

 modules:
   enabled:
     - PhpBrowser:
-        url: https://localhost:443/
+        url: https://localhost:443/
+        guzzle:
+            verify: false   # test-only: acceptable for demo/CI with self-signed certs

docker/entrypoint.sh (3)

13-14: Remove unreachable log.

After exec, the shell is replaced; this echo never runs.

-# If we get here, everything went well
-echo "=== Container ready ==="

---

10-11: Optionally forward arguments to init.

Forwarding "$@" makes the entrypoint transparent to CMD/args, improving reusability.

-exec /usr/local/bin/init.sh
+exec /usr/local/bin/init.sh "$@"

---

7-9: Set executable bit at build time instead of runtime.

Prefer fixing permissions in the Dockerfile; or gate the chmod to avoid work on every start.

-# Ensure init script is executable
-chmod +x /usr/local/bin/init.sh
+# Ensure init script is executable (optional if set in Dockerfile)
+test -x /usr/local/bin/init.sh || chmod +x /usr/local/bin/init.sh

docker/supervisor/conf.d/frankenphp.conf (1)

12-12: Verify correct stop signal for FrankenPHP/Caddy.

Caddy typically handles TERM/INT gracefully. SIGQUIT may not be ideal. Consider TERM unless you have a reason for QUIT.

-stopsignal=QUIT
+stopsignal=TERM
+startsecs=3

docker/supervisor/conf.d/queue.conf (1)

8-15: Harden supervisor behavior to avoid flapping and ensure graceful stops.

Add sensible start/stop timing to reduce crash loops and allow graceful shutdown.

 numprocs=1
 stopasgroup=true
 killasgroup=true
 stopsignal=TERM
+startsecs=5
+startretries=3
+stopwaitsecs=30
 stderr_logfile=/dev/stderr
 stderr_logfile_maxbytes=0
 stdout_logfile=/dev/stdout
 stdout_logfile_maxbytes=0

docker-compose.yml (2)

19-22: Add healthcheck to let CI wait on container health instead of curl loops.

This simplifies the workflow and gives local dev a quick status signal.

     ports:
       - '8080:80'
       - '8443:443'
       - '8443:443/udp'
+    healthcheck:
+      test: ["CMD-SHELL", "curl -ksf https://localhost >/dev/null || exit 1"]
+      interval: 5s
+      timeout: 2s
+      retries: 60
+      start_period: 10s

---

11-12: Consider avoiding fixed container_name; exec by service id instead.

Hard-coding container_name can collide across projects. Prefer docker compose exec $(docker compose ps -q yii2-frankenphp) ... in CI. If you keep the fixed name for DX, ignore this.

Also applies to: 20-22

docker/php/php.ini (2)

13-25: Disable Xdebug by default; enable via env when needed.

Xdebug is installed; keep it off by default to avoid perf overhead in prod/CI. Developers can set XDEBUG_MODE=debug,develop when needed.

 # OPcache optimizations
 opcache.enable = 1
@@
 realpath_cache_ttl = 120
+
+; ---- Developer tooling ----
+; Keep Xdebug disabled by default; enable with env XDEBUG_MODE when needed.
+; This is a no-op if the extension isn't loaded.
+xdebug.mode = off

---

2-11: Tighten session security defaults.

Safe-by-default for HTTPS stack; override in dev if necessary.

 date.timezone = UTC
 display_errors = Off
 expose_php = Off
 log_errors = On
 error_log = /proc/self/fd/2
 memory_limit = 512M
 post_max_size = 150M
 session.auto_start = Off
 short_open_tag = Off
 upload_max_filesize = 15M
+session.cookie_secure = 1
+session.cookie_httponly = 1
+session.use_strict_mode = 1

.github/workflows/build.yml (2)

36-44: Fix ShellCheck SC2034 and make readiness probe stricter and more informative.

Use the counter, tighten status matching, and fail fast on script errors.

-      - name: Wait for readiness.
-        run: |
-          for i in {1..60}; do
-            if docker exec yii2-frankenphp sh -lc "curl -ksS -o /dev/null -w '%{http_code}' https://localhost | grep -qE '200|302'"; then
-              echo "Service is ready"; exit 0; fi
-            sleep 2
-          done
-          echo "Service not ready"; docker logs yii2-frankenphp; exit 1
+      - name: Wait for readiness.
+        run: |
+          set -euo pipefail
+          for attempt in $(seq 1 60); do
+            if docker exec yii2-frankenphp sh -lc "curl -ksS -o /dev/null -w '%{http_code}' https://localhost | grep -qE '^(200|302)$'"; then
+              echo "Service is ready"; exit 0
+            fi
+            echo "Waiting... attempt ${attempt}/60"
+            sleep 2
+          done
+          echo "Service not ready"
+          docker logs yii2-frankenphp
+          exit 1

---

18-18: Harden workflow with minimal permissions and concurrency.

Reduces token scope and avoids overlapping runs on the same ref.

 name: build
+permissions:
+  contents: read
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true

docker/frankenphp/Dockerfile (3)

31-36: Disable Xdebug by default to avoid perf hit in prod/CI.

Keep installation for DX but switch it off unless explicitly enabled.

 # Set composer environment
 ENV COMPOSER_ALLOW_SUPERUSER=1
+ENV XDEBUG_MODE=off

---

37-45: Pin or constrain Node.js install; avoid curl | bash where possible.

For reproducibility and supply-chain hygiene, prefer APT keyring + pinned version or skip Node when not needed at runtime (multi-stage or optional build arg).

-RUN apt-get update && apt-get install -y --no-install-recommends \
+RUN set -eux; apt-get update && apt-get install -y --no-install-recommends \
     supervisor \
-    curl \
+    curl \
     gosu \
-    && curl -fsSL https://deb.nodesource.com/setup_lts.x | bash - \
-    && apt-get install -y nodejs \
+    # TODO: pin Node.js source and version, or gate via build-arg to keep image lean
+    && curl -fsSL https://deb.nodesource.com/setup_lts.x | bash - \
+    && apt-get install -y nodejs \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

---

73-74: Add a container HEALTHCHECK for reuse by Compose/CI.

Lets CI wait on health instead of bespoke loops; also helps local DX.

-ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+HEALTHCHECK --interval=5s --timeout=2s --start-period=10s --retries=60 CMD curl -ksf https://localhost/ || exit 1
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]

docker/frankenphp/Caddyfile (3)

7-7: Bind to all hosts, not just localhost

Limiting the site address to localhost can cause 127.0.0.1 vs localhost mismatches and breaks access via container service DNS. Bind to all and rely on port exposure.

-https://localhost:443 {
+https://:443 {

---

17-24: Modernize security headers; avoid HSTS on localhost

• X-XSS-Protection is obsolete.
• HSTS on localhost (1 year, includeSubDomains) can be painful in dev and is unnecessary.
• Consider adding Referrer-Policy and Permissions-Policy.

     header {
         X-Frame-Options "SAMEORIGIN"
-        X-XSS-Protection "1; mode=block"
         X-Content-Type-Options "nosniff"
-        Strict-Transport-Security "max-age=31536000; includeSubDomains"
+        Referrer-Policy "strict-origin-when-cross-origin"
+        Permissions-Policy "geolocation=(), camera=(), microphone=()"
+        # For prod domains only, consider HSTS; avoid for localhost:
+        # Strict-Transport-Security "max-age=31536000; includeSubDomains"
         -Server
     }

---

32-40: Make static caching stronger for revved assets

Add immutable to enable instant revalidation skip for hashed assets.

-        header Cache-Control "public, max-age=31536000"
+        header Cache-Control "public, max-age=31536000, immutable"

docker/init.sh (3)

1-8: Harden the script: strict mode and sane umask

Enable fail-fast and a collaborative umask for group-writable mounts.

 #!/bin/bash
+set -Eeuo pipefail
+umask 002

---

26-37: Avoid 777 fallback; prefer group-writable ACL/permissions

World-writable is noisy and risky even in dev. Prefer group rwX with consistent UID/GID or ACLs; keep 777 only as last resort with an env guard.

-if chown -R www-data:www-data /app/runtime 2>/dev/null; then
-    chmod -R 775 /app/runtime
+if chown -R www-data:www-data /app/runtime 2>/dev/null; then
+    chmod -R 775 /app/runtime
     echo -e "${GREEN}✓ Runtime directory configured correctly${NC}"
 else
-    # If chown fails (mounted volume), try chmod only
-    if chmod -R 777 /app/runtime 2>/dev/null; then
-        echo -e "${YELLOW}⚠ Runtime directory permissions set to 777 (mounted volume)${NC}"
+    # Fallback: group writable without world access
+    if chmod -R 775 /app/runtime 2>/dev/null; then
+        echo -e "${YELLOW}⚠ Runtime directory set to 775 (mounted volume)${NC}"
     else
         echo -e "${RED}✗ Error: Could not configure runtime directory${NC}"
     fi
 fi
@@
-if chown -R www-data:www-data /app/web/assets 2>/dev/null; then
+if chown -R www-data:www-data /app/web/assets 2>/dev/null; then
     chmod -R 775 /app/web/assets
     echo -e "${GREEN}✓ Assets directory configured correctly${NC}"
 else
-    # If chown fails (mounted volume), try chmod only
-    if chmod -R 777 /app/web/assets 2>/dev/null; then
-        echo -e "${YELLOW}⚠ Assets directory permissions set to 777 (mounted volume)${NC}"
+    if chmod -R 775 /app/web/assets 2>/dev/null; then
+        echo -e "${YELLOW}⚠ Assets directory set to 775 (mounted volume)${NC}"
     else
         echo -e "${RED}✗ Error: Could not configure assets directory${NC}"
     fi
 fi

Also applies to: 39-49

---

51-55: “Setup completed” message appears before Composer block

Minor: This prints success before dependency install runs; move it after the Composer section to prevent confusion in logs.

-echo -e "${GREEN}Setup completed.${NC}"
+echo -e "${GREEN}Base filesystem setup completed.${NC}"

(Or relocate the final “completed” message to the end.)

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 478e4c8 and 8409ff7.

⛔ Files ignored due to path filters (2)

• docker/ssl/localhost-key.pem is excluded by !**/*.pem
• docker/ssl/localhost.pem is excluded by !**/*.pem

📒 Files selected for processing (15)

• .github/workflows/build.yml (1 hunks)
• README.md (2 hunks)
• codeception.yml (0 hunks)
• docker-compose.yml (1 hunks)
• docker/entrypoint.sh (1 hunks)
• docker/frankenphp/Caddyfile (1 hunks)
• docker/frankenphp/Dockerfile (1 hunks)
• docker/init.sh (1 hunks)
• docker/php/php.ini (1 hunks)
• docker/supervisor/conf.d/frankenphp.conf (1 hunks)
• docker/supervisor/conf.d/queue.conf (1 hunks)
• docker/supervisor/supervisord.conf (1 hunks)
• tests/Acceptance.suite.yml (1 hunks)
• tests/_envs/dockerized.yml (0 hunks)
• tests/_envs/php-builtin.yml (0 hunks)

💤 Files with no reviewable changes (3)

• tests/_envs/dockerized.yml
• codeception.yml
• tests/_envs/php-builtin.yml

🧰 Additional context used

🧠 Learnings (8)

📚 Learning: 2025-07-10T13:59:10.839Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#102
File: docker/apache/Dockerfile:0-0
Timestamp: 2025-07-10T13:59:10.839Z
Learning: In docker/apache/Dockerfile, the queue.conf copy command is intentionally commented out because yii2-queue is optional. Users should uncomment the line `COPY docker/apache/supervisord/conf.d/queue.conf /etc/supervisor/conf.d/queue.conf` only if they install yii2-queue.

Applied to files:

• docker/supervisor/conf.d/queue.conf

📚 Learning: 2025-08-31T15:34:39.060Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#142
File: README.md:0-0
Timestamp: 2025-08-31T15:34:39.060Z
Learning: In yii2-extensions/app-basic project, the dev-road-runner branch is treated as the main configuration branch with no stable releases available. Static badges pointing to dev branches are intentionally used to direct users to the development version.

Applied to files:

• README.md

📚 Learning: 2025-09-02T15:23:37.606Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#170
File: docker/init.sh:26-49
Timestamp: 2025-09-02T15:23:37.606Z
Learning: The yii2-extensions/app-basic repository is a demo template where practical functionality and ease of setup take priority over security hardening measures.

Applied to files:

• README.md

📚 Learning: 2025-09-02T15:21:03.184Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#170
File: docker/apache/Dockerfile:27-35
Timestamp: 2025-09-02T15:21:03.184Z
Learning: In yii2-extensions/app-basic, this is a demo template where simplicity and ease of use are prioritized over production-grade security hardening. Security trade-offs like using curl | bash for Node.js installation are acceptable for demonstration purposes.

Applied to files:

• README.md

📚 Learning: 2025-09-02T09:36:57.071Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#166
File: .github/workflows/build.yml:31-33
Timestamp: 2025-09-02T09:36:57.071Z
Learning: The yii2-extensions/app-basic repository is a demo template that includes pre-generated SSL certificates using mkcert, designed to provide a "one-click" transparent demo experience for users.

Applied to files:

• README.md

📚 Learning: 2025-09-02T15:20:17.088Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#170
File: config/web/modules.php:14-15
Timestamp: 2025-09-02T15:20:17.088Z
Learning: In the yii2-extensions/app-basic repository, this is a demo template where permissive development settings like allowedIPs => ['*'] for debug and gii modules are acceptable for ease of setup and demonstration purposes.

Applied to files:

• README.md

📚 Learning: 2025-09-02T15:23:30.902Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#170
File: docker/init.sh:1-1
Timestamp: 2025-09-02T15:23:30.902Z
Learning: In yii2-extensions/app-basic repository, the maintainer terabytesoftw prefers to keep demo template scripts simple without additional bash safety measures like strict mode (set -Eeuo pipefail), as they consider different quality standards appropriate for demo/template code versus production code.

Applied to files:

• README.md

📚 Learning: 2025-08-31T15:29:19.131Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#142
File: docs/installation.md:21-23
Timestamp: 2025-08-31T15:29:19.131Z
Learning: In yii2-extensions/app-basic project, the composer.json file has "minimum-stability": "dev" configured, which allows Composer to install dev versions automatically without requiring --stability=dev flag in create-project commands.

Applied to files:

• README.md

🪛 actionlint (1.7.7)

.github/workflows/build.yml

37-37: shellcheck reported issue in this script: SC2034:warning:1:1: i appears unused. Verify use (or export if used externally)

(shellcheck)

🔇 Additional comments (9)

README.md (1)

139-139: Dev status badge aligns with branch strategy.

No issues.

docker/supervisor/conf.d/queue.conf (1)

5-6: Opt-in worker aligns with prior decision.

Per your earlier learning (PR #102), keeping yii2-queue optional is correct. autostart=false + commented COPY in the Dockerfile preserves that behavior.

docker/frankenphp/Dockerfile (2)

47-53: Confirm runtime user; avoid running the app as root.

You install gosu and adjust www-data IDs, but final user isn’t set. If entrypoint doesn’t drop privileges, set a non-root user or call gosu there.

Would you like me to scan docker/entrypoint.sh and docker/supervisor/conf.d/frankenphp.conf to confirm UID/GID switching and propose an exact diff?

---

57-59: Keeping queue.conf COPY commented-out is correct.

Matches the optional-queue approach; good to leave as opt-in.

docker/frankenphp/Caddyfile (1)

14-16: LGTM: FrankenPHP integration and Yii2 routing

php_server + try_files to index.php looks correct for Yii2 front controller.

Also applies to: 54-56

docker/init.sh (4)

65-65: Verify gosu availability before use

If gosu isn’t in the image, composer install will fail at runtime.

     # Install dependencies with proper environment variables
+    if ! command -v gosu >/dev/null 2>&1; then
+        echo -e "${RED}✗ Error: 'gosu' not found in image${NC}"
+        exit 1
+    fi

---

11-16: Caddy data/config perms

755 on /data and /config is fine if Caddy runs as www-data (owner). If it runs as a different user, writes may fail. Confirm the supervisor program runs FrankenPHP/Caddy as www-data or relax to 775 and chgrp appropriately.

---

90-96: Supervisor config existence check is good

Guard + clear error/exit path is solid.

---

100-101: LGTM: exec supervisord

Using exec to hand off PID 1 is correct for signal handling.

[terabytesoftw]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

docker/init.sh (1)

53-60: Blanket chown/chmod of /app acknowledged

This was discussed earlier and accepted for the demo template. Leaving as-is.

🧹 Nitpick comments (4)

docker/init.sh (1)

11-16: Clarify use of /config vs /etc/caddy

You create /config/caddy but FrankenPHP runs with --config /etc/caddy/Caddyfile. If /config isn’t used at runtime, consider dropping it or documenting its purpose to avoid confusion.

Would you like a quick grep script to confirm no references to /config exist?

.github/workflows/build.yml (2)

28-35: Add diagnostics on failure (compose logs, ps) to speed triage

Printing service state/logs when tests fail makes CI debugs much faster.

Apply:

       - name: Codeception tests.
         run: docker exec yii2-frankenphp vendor/bin/codecept run
+      - name: Dump service logs on failure
+        if: failure()
+        run: |
+          docker ps -a
+          docker compose ps
+          docker compose logs --no-color --tail=200

---

20-23: Optional: add job-wide concurrency to auto-cancel superseded runs

Saves CI minutes on push bursts.

Example:

 name: build
 
 jobs:
-  franken-php:
+  franken-php:
+    concurrency:
+      group: ${{ github.workflow }}-${{ github.ref }}
+      cancel-in-progress: true
     runs-on: ubuntu-latest

docker/frankenphp/Caddyfile (1)

28-33: Enable compression for better throughput

Consider enabling gzip/zstd encoding for static and dynamic responses.

     log {
         output stdout
         format console
     }
+    encode zstd gzip

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 8409ff7 and 13f5ef6.

📒 Files selected for processing (6)

• .github/workflows/build.yml (1 hunks)
• docker-compose.yml (1 hunks)
• docker/entrypoint.sh (1 hunks)
• docker/frankenphp/Caddyfile (1 hunks)
• docker/init.sh (1 hunks)
• docker/supervisor/conf.d/frankenphp.conf (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• docker/entrypoint.sh
• docker-compose.yml

🧰 Additional context used

🧠 Learnings (12)

📓 Common learnings

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#187
File: docker/frankenphp/Caddyfile:58-62
Timestamp: 2025-09-03T12:39:01.229Z
Learning: In yii2-extensions/app-basic repository with FrankenPHP setup, both health checks and Codeception tests run inside the Docker container via `docker exec`, so they correctly use https://localhost:443 (internal port). The docker-compose maps host 8443→container 443 for external browser access, making the port configuration consistent throughout.

📚 Learning: 2025-09-03T09:50:09.039Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#181
File: docker/init.sh:26-37
Timestamp: 2025-09-03T09:50:09.039Z
Learning: For demo templates in the yii2-extensions organization, broader file permissions like 777 are acceptable for ease of use, as confirmed by terabytesoftw.

Applied to files:

• docker/init.sh

📚 Learning: 2025-09-02T15:23:30.902Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#170
File: docker/init.sh:1-1
Timestamp: 2025-09-02T15:23:30.902Z
Learning: In yii2-extensions/app-basic repository, the maintainer terabytesoftw prefers to keep demo template scripts simple without additional bash safety measures like strict mode (set -Eeuo pipefail), as they consider different quality standards appropriate for demo/template code versus production code.

Applied to files:

• docker/init.sh
• docker/frankenphp/Caddyfile

📚 Learning: 2025-09-03T09:48:15.746Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#181
File: docker/nginx/Dockerfile:22-30
Timestamp: 2025-09-03T09:48:15.746Z
Learning: For demo templates in yii2-extensions repositories, terabytesoftw is comfortable with using the NodeSource setup script without strict version pinning, prioritizing ease of use over strict reproducibility.

Applied to files:

• docker/init.sh

📚 Learning: 2025-09-02T15:21:03.184Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#170
File: docker/apache/Dockerfile:27-35
Timestamp: 2025-09-02T15:21:03.184Z
Learning: In yii2-extensions/app-basic, this is a demo template where simplicity and ease of use are prioritized over production-grade security hardening. Security trade-offs like using curl | bash for Node.js installation are acceptable for demonstration purposes.

Applied to files:

• docker/init.sh
• docker/frankenphp/Caddyfile

📚 Learning: 2025-09-02T15:20:17.088Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#170
File: config/web/modules.php:14-15
Timestamp: 2025-09-02T15:20:17.088Z
Learning: In the yii2-extensions/app-basic repository, this is a demo template where permissive development settings like allowedIPs => ['*'] for debug and gii modules are acceptable for ease of setup and demonstration purposes.

Applied to files:

• docker/init.sh
• docker/frankenphp/Caddyfile

📚 Learning: 2025-09-02T15:23:37.606Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#170
File: docker/init.sh:26-49
Timestamp: 2025-09-02T15:23:37.606Z
Learning: The yii2-extensions/app-basic repository is a demo template where practical functionality and ease of setup take priority over security hardening measures.

Applied to files:

• docker/init.sh
• docker/frankenphp/Caddyfile

📚 Learning: 2025-09-03T12:39:01.229Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#187
File: docker/frankenphp/Caddyfile:58-62
Timestamp: 2025-09-03T12:39:01.229Z
Learning: In yii2-extensions/app-basic repository with FrankenPHP setup, both health checks and Codeception tests run inside the Docker container via `docker exec`, so they correctly use https://localhost:443 (internal port). The docker-compose maps host 8443→container 443 for external browser access, making the port configuration consistent throughout.

Applied to files:

• docker/frankenphp/Caddyfile

📚 Learning: 2025-09-02T09:36:57.071Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#166
File: .github/workflows/build.yml:31-33
Timestamp: 2025-09-02T09:36:57.071Z
Learning: The yii2-extensions/app-basic repository is a demo template that includes pre-generated SSL certificates using mkcert, designed to provide a "one-click" transparent demo experience for users.

Applied to files:

• docker/frankenphp/Caddyfile

📚 Learning: 2025-08-31T15:29:19.131Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#142
File: docs/installation.md:21-23
Timestamp: 2025-08-31T15:29:19.131Z
Learning: In yii2-extensions/app-basic project, the composer.json file has "minimum-stability": "dev" configured, which allows Composer to install dev versions automatically without requiring --stability=dev flag in create-project commands.

Applied to files:

• docker/frankenphp/Caddyfile

📚 Learning: 2025-08-31T15:34:39.060Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#142
File: README.md:0-0
Timestamp: 2025-08-31T15:34:39.060Z
Learning: In yii2-extensions/app-basic project, the dev-road-runner branch is treated as the main configuration branch with no stable releases available. Static badges pointing to dev branches are intentionally used to direct users to the development version.

Applied to files:

• docker/frankenphp/Caddyfile

📚 Learning: 2025-08-25T21:03:02.960Z

Learnt from: terabytesoftw
PR: yii2-extensions/app-basic#128
File: docs/installation.md:7-7
Timestamp: 2025-08-25T21:03:02.960Z
Learning: In yii2-extensions/app-basic project, npm is listed as a system requirement in docs/installation.md because the composer.json file contains scripts that depend on npm commands for frontend asset management and build processes.

Applied to files:

• docker/frankenphp/Caddyfile

🔇 Additional comments (10)

docker/init.sh (6)

26-37: Perms fallback logic is pragmatic for demos

Graceful fallback to 777 on bind mounts is consistent with prior decisions for this template. No action needed.

---

39-49: Assets perms handling looks good

Mirrors runtime handling with clear messaging. LGTM.

---

65-68: Good fix: Composer home/cache prepared for www-data

Creation and ownership of /var/www/.composer(/cache) resolves prior Composer write issues.

---

94-100: Ensure supervisord includes conf.d

Copying supervisord.conf is fine; just confirm it includes /etc/supervisor/conf.d/*.conf so frankenphp.conf is loaded.

If needed, I can propose a minimal supervisord.conf include stanza.

---

104-105: Exec replaces PID 1 correctly

Using exec for supervisord is correct for signal handling. 👍

---

70-86: No action required: gosu and Composer are installed

Dockerfile installs gosu via apt-get and Composer via install-php-extensions @composer, so both binaries are available in PATH.

docker/supervisor/conf.d/frankenphp.conf (2)

2-13: Binding to 80/443 as www-data requires CAP_NET_BIND_SERVICE

With user=www-data and listeners on :80/:443, the binary needs cap_net_bind_service or the process must start as root and drop privileges. Please verify the image sets this capability on /usr/local/bin/frankenphp.

Suggested Dockerfile snippet if missing (Debian/Ubuntu base):

RUN apt-get update && apt-get install -y --no-install-recommends libcap2-bin && \
    setcap cap_net_bind_service=+ep /usr/local/bin/frankenphp && \
    rm -rf /var/lib/apt/lists/*

Alternatively, run as root in Supervisor and let FrankenPHP drop privileges internally (if supported).

---

7-10: Log to stdout/stderr with no rotation is appropriate in containers

This aligns with Docker log drivers. LGTM.

docker/frankenphp/Caddyfile (2)

6-16: HTTPS + php_server config looks correct

TLS with mkcert and FrankenPHP php_server are wired as expected. 👍

---

60-64: HTTP→HTTPS redirect matches the dockerized port strategy

Redirecting to https://localhost:8443 is consistent with host 8443→container 443 mapping while tests run inside the container on 443. No changes needed.