brixion · LegeBeker · Apr 7, 2026 · Apr 7, 2026 · Apr 7, 2026 · Apr 7, 2026
diff --git a/.hadolint.yaml b/.hadolint.yaml
@@ -4,3 +4,4 @@ ignored:
   - DL3008 # Pin versions in apt get install
   - DL3013 # Pin versions in pip install
   - DL3016 # Pin versions in npm install
+  - SC2086 # Double quote to prevent globbing and word splitting
diff --git a/Dockerfile b/Dockerfile
@@ -1,10 +1,18 @@
 FROM ghcr.io/actions/actions-runner:2.333.1
+ARG PHP_VERSION=all
+ENV PHP_VERSION_ALL="8.1 8.2 8.3 8.4 8.5"
+ENV PHP_VERSION_DEFAULT="8.5"
 
 USER root
 
 # Set shell with pipefail for better error handling
 SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
+RUN usermod -aG sudo runner \
+  && mkdir -p /home/runner \
+  && chmod 777 /home/runner \
+  && sed -i 's/%sudo\s.*/%sudo ALL=(ALL:ALL) NOPASSWD : ALL/g' /etc/sudoers
+
 # Update and install base dependencies
 RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
  && apt-get update \
@@ -44,111 +52,6 @@ RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
  && apt-get clean \
  && rm -rf /var/lib/apt/lists/*
 
-# Add PHP repository and install PHP 8.1, 8.2, 8.3, 8.4, 8.5 and common extensions
-RUN add-apt-repository -y ppa:ondrej/php \
- && apt-get update \
- && apt-get install -y --no-install-recommends \
-
-    # PHP 8.1 with common extensions
-    php8.1 \
-    php8.1-cli \
-    php8.1-common \
-    php8.1-curl \
-    php8.1-gd \
-    php8.1-mbstring \
-    php8.1-mysqli \
-    php8.1-pdo-mysql \
-    php8.1-xml \
-    php8.1-zip \
-    php8.1-bcmath \
-    php8.1-opcache \
-    php8.1-intl \
-
-    # PHP 8.2 with common extensions
-    php8.2 \
-    php8.2-cli \
-    php8.2-common \
-    php8.2-curl \
-    php8.2-gd \
-    php8.2-mbstring \
-    php8.2-mysqli \
-    php8.2-pdo-mysql \
-    php8.2-xml \
-    php8.2-zip \
-    php8.2-bcmath \
-    php8.2-intl \
-    php8.2-opcache \
-
-    # PHP 8.3 with common extensions
-    php8.3 \
-    php8.3-cli \
-    php8.3-common \
-    php8.3-curl \
-    php8.3-gd \
-    php8.3-mbstring \
-    php8.3-mysqli \
-    php8.3-pdo-mysql \
-    php8.3-xml \
-    php8.3-zip \
-    php8.3-bcmath \
-    php8.3-intl \
-    php8.3-opcache \
-
-    # PHP 8.4 with common extensions
-    php8.4 \
-    php8.4-cli \
-    php8.4-common \
-    php8.4-curl \
-    php8.4-gd \
-    php8.4-mbstring \
-    php8.4-mysqli \
-    php8.4-pdo-mysql \
-    php8.4-xml \
-    php8.4-zip \
-    php8.4-bcmath \
-    php8.4-intl \
-    php8.4-opcache \
-
-    # PHP 8.5 with common extensions
-    php8.5 \
-    php8.5-cli \
-    php8.5-common \
-    php8.5-curl \
-    php8.5-gd \
-    php8.5-mbstring \
-    php8.5-mysqli \
-    php8.5-pdo-mysql \
-    php8.5-xml \
-    php8.5-zip \
-    php8.5-bcmath \
-    php8.5-intl \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
-
-# Configure PHP: Register all PHP versions and set php8.5 as default
-RUN update-alternatives --install /usr/bin/php php /usr/bin/php8.1 81 \
- && update-alternatives --install /usr/bin/php php /usr/bin/php8.2 82 \
- && update-alternatives --install /usr/bin/php php /usr/bin/php8.3 83 \
- && update-alternatives --install /usr/bin/php php /usr/bin/php8.4 84 \
- && update-alternatives --install /usr/bin/php php /usr/bin/php8.5 85 \
- && update-alternatives --set php /usr/bin/php8.5
-
-# Install Composer
-RUN curl -sS https://getcomposer.org/installer | php -- \
-    --install-dir=/usr/local/bin \
-    --filename=composer \
- && chmod +x /usr/local/bin/composer
-
-# Install global PHP QA tools needed by workflows that don't run composer install.
-# (php-cs-fixer and phpcs are invoked directly in lint workflows.)
-RUN curl -fsSL https://cs.symfony.com/download/php-cs-fixer-v3.phar -o /usr/local/bin/php-cs-fixer \
- && chmod +x /usr/local/bin/php-cs-fixer \
- && mkdir -p /opt/composer \
- && COMPOSER_HOME=/opt/composer composer global require --no-interaction --no-progress squizlabs/php_codesniffer:^3 phpstan/phpstan:^2 \
- && ln -sf /opt/composer/vendor/bin/phpcs /usr/local/bin/phpcs \
- && ln -sf /opt/composer/vendor/bin/phpcbf /usr/local/bin/phpcbf \
- && ln -sf /opt/composer/vendor/bin/phpstan /usr/local/bin/phpstan
-
 # Install AWS CLI
 RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
  && unzip awscliv2.zip \
@@ -174,3 +77,89 @@ RUN npm install -g yarn @redocly/cli typescript \
 RUN chown -R runner:runner /home/runner/.npm /home/runner/.npm-global
 
 USER runner
+
+RUN set -ex \
+  && SUDO=sudo \
+  && PHP_VERSIONS="$PHP_VERSION_ALL" \
+  && DEFAULT_PHP_VERSION="$PHP_VERSION_DEFAULT" \
+  && if [ "${PHP_VERSION:-all}" != "all" ]; then \
+       PHP_VERSIONS="$PHP_VERSION"; \
+       DEFAULT_PHP_VERSION="$PHP_VERSION"; \
+     fi \
+      && savedAptMark="$($SUDO apt-mark showmanual)" \
+      && $SUDO apt-mark auto '.*' > /dev/null \
+      && $SUDO apt-get update && $SUDO apt-get install -y --no-install-recommends curl file gnupg jq lsb-release mysql-server postgresql unzip \
+      && $SUDO usermod -d /var/lib/mysql/ mysql \
+      && $SUDO add-apt-repository -y ppa:git-core/ppa \
+      && $SUDO add-apt-repository -y ppa:ondrej/php \
+      && $SUDO add-apt-repository -y ppa:ondrej/apache2 \
+      && $SUDO install -m 0755 -d /etc/apt/keyrings \
+      && curl -fsSL https://download.docker.com/linux/ubuntu/gpg | $SUDO gpg --dearmor -o /etc/apt/keyrings/docker.gpg \
+      && $SUDO chmod a+r /etc/apt/keyrings/docker.gpg \
+      && echo "deb [arch="$(dpkg --print-architecture)" signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu noble stable" | $SUDO tee /etc/apt/sources.list.d/docker.list > /dev/null \
+      && $SUDO apt-get update \
+      && $SUDO cp -r /etc/apt/sources.list.d /etc/apt/sources.list.d.save \
+      && for v in $PHP_VERSIONS; do \
+           $SUDO apt-get install -y --no-install-recommends php"$v" \
+           php"$v"-dev \
+           php"$v"-curl \
+           php"$v"-mbstring \
+           php"$v"-xml \
+           php"$v"-intl \
+           php"$v"-mysql \
+           php"$v"-pgsql \
+           php"$v"-zip; \
+         done \
+      && $SUDO curl -o /usr/bin/systemctl -sL https://raw.githubusercontent.com/shivammathur/node-docker/main/systemctl-shim \
+      && $SUDO chmod a+x /usr/bin/systemctl \
+      && $SUDO curl -o /usr/lib/ssl/cert.pem -sL https://curl.se/ca/cacert.pem \
+      && curl -o /tmp/pear.phar -sL https://raw.githubusercontent.com/pear/pearweb_phars/master/install-pear-nozlib.phar \
+      && php /tmp/pear.phar && rm -f /tmp/pear.phar \
+    && $SUDO apt-get install -y --no-install-recommends autoconf automake gcc g++ git \
+    && $SUDO apt-get install -y --no-install-recommends docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin \
+    && for v in $PHP_VERSIONS; do \
+        $SUDO apt-get install -y --no-install-recommends php"$v"-xdebug 2>/dev/null || ($SUDO spc -p "$v" -e xdebug-xdebug/xdebug@master -r verbose) \
+      && $SUDO apt-get install -y --no-install-recommends php"$v"-imagick 2>/dev/null || (IMAGICK_LIBS=libmagickwand-dev $SUDO spc -p "$v" -e imagick-imagick/imagick@master -r verbose); \
+      done \
+    && for tool in php phar phar.phar php-cgi php-config phpize phpdbg; do \
+        { [ -e /usr/bin/"$tool""$DEFAULT_PHP_VERSION" ] && $SUDO update-alternatives --set $tool /usr/bin/"$tool""$DEFAULT_PHP_VERSION" || true; } \
+      done \
+      && $SUDO rm -rf /var/lib/apt/lists/* /tmp/* /var/cache/* /usr/share/doc/* /usr/share/man/* \
+      && { [ -z "$savedAptMark" ] || $SUDO apt-mark manual $savedAptMark > /dev/null; } \
+      && $SUDO find /usr/local -type f -executable -exec ldd '{}' ';' \
+        | awk '/=>/ { print $(NF-1) }' \
+        | sort -u \
+        | xargs -r -n 1 /bin/bash -c 'dpkg-query --search "$1" 2>/dev/null || true' _ \
+        | cut -d: -f1 \
+        | sort -u \
+        | xargs -r $SUDO apt-mark manual \
+      && $SUDO apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false \
+      # smoke test
+      && gcc --version \
+      && g++ --version \
+      && git --version \
+      && docker --version \
+      && for v in $PHP_VERSIONS; do \
+           php"$v" -v; \
+         done \
+      && php -v
+
+USER root
+
+# Install Composer
+RUN curl -sS https://getcomposer.org/installer | php -- \
+    --install-dir=/usr/local/bin \
+    --filename=composer \
+ && chmod +x /usr/local/bin/composer
+
+# Install global PHP QA tools needed by workflows that don't run composer install.
+# (php-cs-fixer and phpcs are invoked directly in lint workflows.)
+RUN curl -fsSL https://cs.symfony.com/download/php-cs-fixer-v3.phar -o /usr/local/bin/php-cs-fixer \
+ && chmod +x /usr/local/bin/php-cs-fixer \
+ && mkdir -p /opt/composer \
+ && COMPOSER_HOME=/opt/composer composer global require --no-interaction --no-progress squizlabs/php_codesniffer:^3 phpstan/phpstan:^2 \
+ && ln -sf /opt/composer/vendor/bin/phpcs /usr/local/bin/phpcs \
+ && ln -sf /opt/composer/vendor/bin/phpcbf /usr/local/bin/phpcbf \
+ && ln -sf /opt/composer/vendor/bin/phpstan /usr/local/bin/phpstan
+
+USER runner