CI/CD & Infrastructure
GitHub Actions Workflows
1. PHP Analysis (php.yml)
Runs on master upon push or PR:
- PHP 8.3 syntax check of all .php files
- PHPStan Level 6 analysis (512 MB memory limit)
- Composer Audit (AC-3 vulnerability scanning)
- Gitleaks secret scanning
2. Tests (tests.yml)
Runs on push to master/dev and on PRs against master:
- MySQL 8.0 service container with health checks
- Test config is generated inline
- Schema import from admin/create_sql.sql
- Unit and integration tests with PHPUnit (5-minute timeout)
3. Docker Smoke Tests (docker-smoke.yml)
Comprehensive integration tests:
- Build Docker image with cache
- HTTP smoke tests: 200 status codes on 12+ pages (/, /downloads, /events, /contact, /member, …)
- Content checks: OG tags, preload hints, CSRF meta tags on forms
- Social redirect validation: 8 platforms → 302 + Location header
- API structure checks: 13 JSON endpoints
- Admin asset check and 404 handling
Apache .htaccess Security Headers
Content-Security-Policy: default-src 'self'; script-src 'self' (Admin)
Strict-Transport-Security: max-age=31536000
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Session Hardening
- Cookie flags: HttpOnly, SameSite=Lax, Secure
- gc_maxlifetime: 3600s
Caching
- Static Assets: 30 days (images, fonts, WOFF2), 7 days (CSS/JS)
- GZIP Deflate enabled
Docker Setup
Three containers:
| Container | Base | Port |
|---|---|---|
| web | PHP 8.3 + Apache | 15080 |
| mcp | PHP 8.3 Built-in Server | 8888 |
| db | MySQL 8.0 | 13306 |
Database Schema
13 tables (InnoDB, utf8mb4):
| Table | Description |
|---|---|
| admin | Admin users (including brute-force fields: failed_attempts, locked_until) |
| permissions + admin_permissions | 11 granular permissions |
| events | Events (including Pretix: pretix_event_slug, pretix_quota_id) |
| charaktere | Bilingual (title_de/en, text_de/en), position-based sorting |
| faq | Consolidated with type column (allgemein, rhoen_dance, fursuits) |
| fursuits + fursuit_types + fursuit_parts + fursuit_part_map | Rental system with price tiers and size restrictions |
| downloads | Download counter + daily statistics |
| event_photo_links | Photographer attribution + source tracking |
| social_links | 8 platforms |
| rhoen_dance | Seats/capacity |
| mail_config | SMTP configuration |
| contact_form + contact_request_log | Contact requests with IP hashing for spam tracking |
Pretix Integration
- PretixAPI class with 5-minute cache (SHA256-hashed JSON files in cache/pretix/)
- Endpoints: Quota availability and event list
- API server: https://pretix.eu/api/v1
- Token-based authentication
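A minimal client in the shape the integration above describes (token authentication, a file cache keyed by the SHA-256 of the request URL, 5-minute TTL), added here as an example; it is not the project's own PretixAPI class. The PRETIX_TOKEN environment variable, the cache/pretix/ location relative to the file, and the quota availability path are assumptions.

```php
<?php
// Added example, not the project's PretixAPI class. Assumptions: the token comes from
// the PRETIX_TOKEN environment variable, the cache directory is cache/pretix/ next to
// this file, and the availability path follows the Pretix REST API (quotas/{id}/availability/).
final class PretixClient
{
    private const BASE_URL = 'https://pretix.eu/api/v1';
    private const TTL_SECONDS = 300; // the 5-minute cache described above
    public function __construct(private string $token, private string $cacheDir = __DIR__ . '/cache/pretix')
    {
        if (!is_dir($this->cacheDir) && !mkdir($this->cacheDir, 0700, true)) {
            throw new RuntimeException('cannot create cache directory');
        }
    }

    public function get(string $path): array
    {
        $url = self::BASE_URL . $path;
        // SHA-256 of the URL as file name: fixed length, no path characters,
        // so nothing in the request can steer where the cache file is written.
        $file = $this->cacheDir . '/' . hash('sha256', $url) . '.json';
        if (is_file($file) && time() - filemtime($file) < self::TTL_SECONDS) {
            return json_decode((string) file_get_contents($file), true, 512, JSON_THROW_ON_ERROR);
        }
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT => 10,
            // Pretix expects "Authorization: Token <token>"; the token never appears in the URL
            CURLOPT_HTTPHEADER => ['Authorization: Token ' . $this->token, 'Accept: application/json'],
        ]);
        $body = curl_exec($ch);
        $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
        curl_close($ch);
        if ($body === false || $status !== 200) {
            throw new RuntimeException("Pretix request failed (HTTP $status)");
        }
        $data = json_decode($body, true, 512, JSON_THROW_ON_ERROR); // validate before caching
        file_put_contents($file, $body, LOCK_EX);
        return $data;
    }
    public function quotaAvailability(string $org, string $event, int $quotaId): array
    {
        return $this->get(sprintf('/organizers/%s/events/%s/quotas/%d/availability/',
            rawurlencode($org), rawurlencode($event), $quotaId));
    }
}
$api = new PretixClient(getenv('PRETIX_TOKEN') ?: throw new RuntimeException('PRETIX_TOKEN is unset'));
print_r($api->quotaAvailability('example-org', 'example-event', 1));
```

The cache directory should sit outside the web root (or be denied by .htaccess) so cached API responses are never served directly.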