🐳 Update Dockerfile to install PHP

[LegeBeker]

🔍 Samenvatting

Deze PR voegt PHP toe aan de dockerfile zodat Setup PHP sneller gaat

✅ Checklist

• Code is lokaal getest
• Tests zijn toegevoegd/aangepast
• Documentatie bijgewerkt (indien nodig)

[coderabbitai]

Walkthrough

Adds a new RUN block to the Dockerfile that installs the ondrej/php PPA, multiple PHP versions (8.1, 8.2, 8.3) with common extensions, Composer globally, and cleans up apt caches while preserving existing AWS CLI installation steps.

Changes

Cohort / File(s)	Change Summary
Docker Configuration Dockerfile	Adds PHP PPA repository and installs PHP 8.1, 8.2, 8.3 with extensions; installs Composer globally; includes apt cache cleanup

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title is specific and clearly related to the main change: updating the Dockerfile to install PHP, which aligns with the changeset's primary objective.
Description check	✅ Passed	The description is related to the changeset, explaining that PHP is being added to the Dockerfile for performance improvement, though it is written in Dutch.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch perf/add-php-to-container

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ef00aad and 7e77676.

📒 Files selected for processing (1)

• Dockerfile

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Build Check

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's look at the Dockerfile to understand the base image and full context
fd Dockerfile -t f | head -5

Repository: brixion/github-runner

Length of output: 75

---

🏁 Script executed:

# Read the Dockerfile to see the base image and surrounding context
cat -n Dockerfile | head -100

Repository: brixion/github-runner

Length of output: 3108

---

🏁 Script executed:

# Let's search for information about the ondrej/php PPA and verify compatibility
# First, check if there are any other files that might reference PHP version or base image
git ls-files | grep -E "(README|documentation|\.md|\.yml|\.yaml)" | head -20

Repository: brixion/github-runner

Length of output: 225

---

🏁 Script executed:

# Let's check if there are any GitHub Actions files that might provide context
find . -name "*.yml" -o -name "*.yaml" | head -20

Repository: brixion/github-runner

Length of output: 225

---

🏁 Script executed:

# Search for any documentation about why multiple PHP versions are needed
rg "php|PHP" --type md --type txt 2>/dev/null | head -20

Repository: brixion/github-runner

Length of output: 47

---

🏁 Script executed:

# Read the README to understand the purpose
cat README.md

Repository: brixion/github-runner

Length of output: 2280

---

🏁 Script executed:

# Check the docker-publish workflow to understand how this image is built/used
cat .github/workflows/docker-publish.yml

Repository: brixion/github-runner

Length of output: 1021

---

🏁 Script executed:

# Check the build-check workflow
cat .github/workflows/build-check.yml

Repository: brixion/github-runner

Length of output: 780

---

🌐 Web query:

ondrej/php PPA Ubuntu 22.04 compatibility reliability

💡 Result:

Short answer: compatible and widely used, but unofficial — generally reliable if you follow the maintainer's instructions and understand the risks.

Details (summary)

• Support/compatibility: The ondrej/php PPA actively publishes packages for Ubuntu 22.04 (Jammy) and you can find recent Jammy builds for PHP versions and extensions on Launchpad. [1]
• Maintainer and provenance: packages are from Debian/Ubuntu packager Ondřej Surý (deb.sury.org); the site documents that he maintains the PPA and PHP packaging. [2]
• Practical reliability: many users and hosts recommend the PPA for installing newer or older PHP releases on 22.04; builds for Jammy are produced for multiple architectures and kept up to date. [1][3]
• Common caveats/risks:
  • It's an unofficial PPA (not Canonical/Ubuntu official); adding third‑party PPAs can introduce package conflicts or change system libraries. Use care on production systems. [2]
  • You may need to follow the maintainer's installation notes (signed repo key, locale workaround when adding the PPA, possible need for apt pinning or explicit package choices). Reports exist of common user errors when adding the PPA (missing Release file if misconfigured). [2][3]
  • Before large distro upgrades, remove or review PPA packages to avoid upgrade breakage. [2]
• Recommendation: For development and most production use-cases where you need newer PHP versions than Ubuntu provides, ondrej/php is a pragmatic, well-maintained choice — but:
  • Read deb.sury.org install instructions and add the repository/key correctly. [2]
  • Test upgrades in staging, consider apt pinning or explicit package selection, and be prepared to revert/remove the PPA before OS upgrades. (If you want, I can paste the exact add-apt-repository + key steps for Jammy.)

Sources
[1] Launchpad — Ondřej Surý: PPA for PHP (packages & Jammy builds).
[2] deb.sury.org (sury.org / DEB.SURY.ORG) — maintainer site and install guidance.
[3] Vultr / community docs & user reports (examples of instructions and common add-apt-repository caveats).

---

🌐 Web query:

PHP multiple versions Ubuntu update-alternatives default

💡 Result:

Short how-to

1. Ensure alternatives are registered (if error “no alternatives for php”): register each binary once, for example:
   sudo update-alternatives --install /usr/bin/php php /usr/bin/php8.2 82
   sudo update-alternatives --install /usr/bin/php php /usr/bin/php8.1 81
   Repeat for phar, phar.phar, phpize, php-config as needed. [1][2]

2. Switch interactively:
   sudo update-alternatives --config php
   (and repeat for phar, phar.phar, phpize, php-config). Choose the number for the version you want. [1][2]

3. Or set non-interactively:
   sudo update-alternatives --set php /usr/bin/php8.2
   sudo update-alternatives --set phar /usr/bin/phar8.2
   sudo update-alternatives --set phar.phar /usr/bin/phar.phar8.2
   sudo update-alternatives --set phpize /usr/bin/phpize8.2
   sudo update-alternatives --set php-config /usr/bin/php-config8.2. [1][3]

4. If using Apache, also switch the Apache PHP module and restart:
   sudo a2dismod php8.1
   sudo a2enmod php8.2
   sudo systemctl restart apache2. [2][3]

5. Verify:
   php -v
   which php

Sources: Baeldung (update-alternatives for PHP) [1], StackOverflow examples (a2enmod/a2dismod + update-alternatives) [2], how-to guides (example commands for phar/phpize/php-config) [3].

---

🌐 Web query:

Composer installer security verification checksum

💡 Result:

Short answer — verify the installer’s SHA‑384 against Composer’s published value before running it.

Commands (copy/paste):

1. Download installer:
   php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"

2. Fetch expected checksum:
   HASH="$(curl -sS https://composer.github.io/installer.sig)"

3. Verify:
   php -r "if (hash_file('SHA384','composer-setup.php') === '$HASH') { echo 'Installer verified' . PHP_EOL; } else { echo 'Installer corrupt' . PHP_EOL; unlink('composer-setup.php'); exit(1); }"

4. If verified, run:
   php composer-setup.php --quiet

Notes:

• Composer publishes the current installer SHA‑384 and related keys on its public keys/signatures page. [1]
• The Composer docs include the exact programmatic verification script above. [2]

Sources:
[1] Composer Public Keys / Checksums (installer SHA‑384).
[2] How do I install Composer programmatically? — Composer docs.

---

Add PHP default version configuration and secure Composer installation.

Several issues require attention:

1. Missing Default PHP Version: With three PHP versions installed, commands expecting php will fail. Add:

   && update-alternatives --install /usr/bin/php php /usr/bin/php8.3 83 \
   && update-alternatives --install /usr/bin/phar phar /usr/bin/phar8.3 83 \
   && update-alternatives --install /usr/bin/phpize phpize /usr/bin/phpize8.3 83 \
   && update-alternatives --install /usr/bin/php-config php-config /usr/bin/php-config8.3 83

2. Insecure Composer Installation: Line 88 pipes the installer without verification. Replace with:

   && curl -sS https://getcomposer.org/installer -o composer-setup.php \
   && HASH="$(curl -sS https://composer.github.io/installer.sig)" \
   && php -r "if (hash_file('SHA384', 'composer-setup.php') === '$HASH') { echo 'Installer verified'; } else { echo 'Installer corrupt'; exit(1); }" \
   && php composer-setup.php --install-dir=/usr/local/bin --filename=composer \
   && rm composer-setup.php

3. Documentation Gap: PHP and Composer are not mentioned in README.md despite being installed. Update documentation to reflect these additions.

4. Image Size Trade-off: Installing three complete PHP versions with extensions adds significant size. Consider whether all three are necessary or if a single version plus an installer (e.g., setup-php action) would be more efficient.

🤖 Prompt for AI Agents

Dockerfile lines 47-85: you install PHP 8.1/8.2/8.3 but don’t set a system
default php/phar/phpize/php-config, and you install Composer insecurely while
also not documenting these additions; update the Dockerfile to (1) register
php8.3 as the default with update-alternatives for /usr/bin/php, phar, phpize
and php-config pointing to the php8.3 binaries, (2) replace the piped Composer
installer with the two-step verification flow (download installer, fetch
official SHA384 signature, verify hash in PHP, run installer and remove the
installer file), and (3) add a note to README.md documenting PHP and Composer
availability; additionally re-evaluate whether all three PHP versions are needed
to avoid unnecessary image bloat and remove extra versions if not required.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Composer official secure installation signature verification documentation

💡 Result:

Use Composer's official instructions: download the installer, fetch the published SHA‑384 checksum (installer.sig) and compare it before running the installer.

Commands (from Composer docs):

• Download installer:
  php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
• Fetch official checksum:
  EXPECTED="$(php -r 'copy("https://composer.github.io/installer.sig\",\"php://stdout\");')"
  (the same checksum is published on the Composer Public Keys / Signatures page.)
• Verify:
  php -r "if (hash_file('SHA384','composer-setup.php')==='$EXPECTED') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL; }"
• Run installer only if verified.

Official references:

• Composer — How do I install Composer programmatically? [1].
• Composer Public Keys / Checksums (installer.sha384 / installer.sig) [2].

[1] https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md
[2] https://composer.github.io/pubkeys.html

---

🌐 Web query:

Composer installer security best practices 2024 2025

💡 Result:

Here are concise, practical Composer installer & dependency security best practices (2024–2025):

• Install/upgrade Composer only from official sources and verify the downloaded phar/signature (Composer self-update verifies cryptographic signatures / build attestations). (php.watch)
• Don’t run Composer as root (avoid sudo composer ...)—prior CVEs show executing Composer as root can escalate compromise if vendor files are tampered. (securinglaravel.com)
• Keep Composer itself up to date (security fixes and new protections are regularly released). (getcomposer.org)
• Commit and use composer.lock in CI/production; run composer install (not composer update) to ensure reproducible, pinned installs. (phpmagazine.net)
• Enable and act on automated advisories: use composer audit / SCA tooling and enable Composer’s automatic security blocking features (Composer 2.9+). Integrate SCA into CI to fail builds on known vulnerabilities. (blog.packagist.com)
• Verify package provenance where possible (lockfile URL integrity, build attestations / GitHub release attestations) and prefer installations from VCS-hosted releases you can inspect. (getcomposer.org)
• Use least-privilege CI runners and ephemeral build environments; run composer with safe flags in CI (e.g., --no-dev, --no-scripts when appropriate) to reduce attack surface. (php.watch)
• Protect registries and accounts: enable 2FA on Packagist/GitHub, use repository allowlists (private registries or Private Packagist / restricted mirrors) for critical projects. (php.watch)
• Monitor transitive dependencies (SBOMs / SCA / vulnerability feeds) and treat deep transitive upgrades as part of regular maintenance; automate reminders to update stale pins. (arxiv.org)
• Harden vendor directory handling: CI/builds should produce vendor artifacts from trusted sources and avoid executing code from unreviewed vendor files during ops or global composer commands. (securinglaravel.com)

If you want, I can produce a short CI checklist (GitHub Actions / GitLab CI) that implements these practices.

Citations:

• 1: https://php.watch/articles/composer-security-hardening?utm_source=openai
• 2: https://securinglaravel.com/security-tip-keep-your-tools-updated/?utm_source=openai
• 3: https://getcomposer.org/changelog/2.8.5?utm_source=openai
• 4: https://phpmagazine.net/2021/02/composer-and-dependency-confusion.html?utm_source=openai
• 5: https://blog.packagist.com/packagist-org-shutdown-of-composer-1-x-support-postponed-to-september-1st-2025/?utm_source=openai
• 6: https://getcomposer.org/changelog/2.8.5?utm_source=openai
• 7: https://php.watch/articles/composer-security-hardening?utm_source=openai
• 8: https://php.watch/articles/composer-security-hardening?utm_source=openai
• 9: https://arxiv.org/abs/2507.20502?utm_source=openai
• 10: https://securinglaravel.com/security-tip-keep-your-tools-updated/?utm_source=openai

---

Critical: Verify Composer installer integrity before execution.

Piping the Composer installer directly from curl to php without verification creates a supply chain security risk. If the download is intercepted or compromised, arbitrary code could execute with root privileges.

Follow Composer's official secure installation procedure:

-# Install Composer globally
-RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer \
- && chmod +x /usr/local/bin/composer
+# Install Composer globally with integrity verification
+RUN php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" \
+ && php -r "if (hash_file('sha384', 'composer-setup.php') === file_get_contents('https://composer.github.io/installer.sig')) { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); exit(1); }" \
+ && php composer-setup.php --install-dir=/usr/local/bin --filename=composer \
+ && php -r "unlink('composer-setup.php');" \
+ && chmod +x /usr/local/bin/composer

See: https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md and https://composer.github.io/pubkeys.html for the published SHA-384 checksum.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# Install Composer globally
	RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer \
	&& chmod +x /usr/local/bin/composer
	# Install Composer globally with integrity verification
	RUN php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" \
	&& php -r "if (hash_file('sha384', 'composer-setup.php') === file_get_contents('https://composer.github.io/installer.sig')) { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); exit(1); }" \
	&& php composer-setup.php --install-dir=/usr/local/bin --filename=composer \
	&& php -r "unlink('composer-setup.php');" \
	&& chmod +x /usr/local/bin/composer

🤖 Prompt for AI Agents

In Dockerfile around lines 87 to 89, the Composer installer is piped directly
from curl to php which is unsafe; instead download the composer-setup.php to a
temporary file, fetch the official SHA-384 signature (or the published checksum)
from Composer's site, verify the downloaded installer's checksum matches the
official value, only then run php on the verified composer-setup.php, remove the
temporary installer, move the composer PHAR to /usr/local/bin/composer and chmod
+x; update the Dockerfile to implement those steps (download, verify checksum,
conditional install, cleanup) following Composer's programmatic installation
guidance.