Skip to content

🐳 Update Dockerfile to install PHP #8

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
LegeBeker merged 1 commit into from
Dec 24, 2025
Merged

🐳 Update Dockerfile to install PHP #8

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 44 additions & 0 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,50 @@ RUN curl -fsSL https://deb.nodesource.com/setup_22.x | bash - \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*

# Add PHP repository and install PHP 8.1, 8.2, and 8.3
RUN add-apt-repository -y ppa:ondrej/php \
&& apt-get update \
&& apt-get install -y --no-install-recommends \
# PHP 8.1 with common extensions
php8.1 \
php8.1-cli \
php8.1-common \
php8.1-curl \
php8.1-gd \
php8.1-mbstring \
php8.1-xml \
php8.1-zip \
php8.1-bcmath \
php8.1-intl \
# PHP 8.2 with common extensions
php8.2 \
php8.2-cli \
php8.2-common \
php8.2-curl \
php8.2-gd \
php8.2-mbstring \
php8.2-xml \
php8.2-zip \
php8.2-bcmath \
php8.2-intl \
# PHP 8.3 with common extensions
php8.3 \
php8.3-cli \
php8.3-common \
php8.3-curl \
php8.3-gd \
php8.3-mbstring \
php8.3-xml \
php8.3-zip \
php8.3-bcmath \
php8.3-intl \
&& apt-get clean \
&& rm -rf /var/lib/apt/lists/*
Comment on lines +47 to +85
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, let's look at the Dockerfile to understand the base image and full context
fd Dockerfile -t f | head -5

Repository: brixion/github-runner

Length of output: 75

🏁 Script executed:

# Read the Dockerfile to see the base image and surrounding context
cat -n Dockerfile | head -100

Repository: brixion/github-runner

Length of output: 3108

🏁 Script executed:

# Let's search for information about the ondrej/php PPA and verify compatibility
# First, check if there are any other files that might reference PHP version or base image
git ls-files | grep -E "(README|documentation|\.md|\.yml|\.yaml)" | head -20

Repository: brixion/github-runner

Length of output: 225

🏁 Script executed:

# Let's check if there are any GitHub Actions files that might provide context
find . -name "*.yml" -o -name "*.yaml" | head -20

Repository: brixion/github-runner

Length of output: 225

🏁 Script executed:

# Search for any documentation about why multiple PHP versions are needed
rg "php|PHP" --type md --type txt 2>/dev/null | head -20

Repository: brixion/github-runner

Length of output: 47

🏁 Script executed:

# Read the README to understand the purpose
cat README.md

Repository: brixion/github-runner

Length of output: 2280

🏁 Script executed:

# Check the docker-publish workflow to understand how this image is built/used
cat .github/workflows/docker-publish.yml

Repository: brixion/github-runner

Length of output: 1021

🏁 Script executed:

# Check the build-check workflow
cat .github/workflows/build-check.yml

Repository: brixion/github-runner

Length of output: 780

🌐 Web query:

ondrej/php PPA Ubuntu 22.04 compatibility reliability

💡 Result:

Short answer: compatible and widely used, but unofficial — generally reliable if you follow the maintainer's instructions and understand the risks.

Details (summary)

  • Support/compatibility: The ondrej/php PPA actively publishes packages for Ubuntu 22.04 (Jammy) and you can find recent Jammy builds for PHP versions and extensions on Launchpad. [1]
  • Maintainer and provenance: packages are from Debian/Ubuntu packager Ondřej Surý (deb.sury.org); the site documents that he maintains the PPA and PHP packaging. [2]
  • Practical reliability: many users and hosts recommend the PPA for installing newer or older PHP releases on 22.04; builds for Jammy are produced for multiple architectures and kept up to date. [1][3]
  • Common caveats/risks:
    • It's an unofficial PPA (not Canonical/Ubuntu official); adding third‑party PPAs can introduce package conflicts or change system libraries. Use care on production systems. [2]
    • You may need to follow the maintainer's installation notes (signed repo key, locale workaround when adding the PPA, possible need for apt pinning or explicit package choices). Reports exist of common user errors when adding the PPA (missing Release file if misconfigured). [2][3]
    • Before large distro upgrades, remove or review PPA packages to avoid upgrade breakage. [2]
  • Recommendation: For development and most production use-cases where you need newer PHP versions than Ubuntu provides, ondrej/php is a pragmatic, well-maintained choice — but:
    • Read deb.sury.org install instructions and add the repository/key correctly. [2]
    • Test upgrades in staging, consider apt pinning or explicit package selection, and be prepared to revert/remove the PPA before OS upgrades. (If you want, I can paste the exact add-apt-repository + key steps for Jammy.)

Sources
[1] Launchpad — Ondřej Surý: PPA for PHP (packages & Jammy builds).
[2] deb.sury.org (sury.org / DEB.SURY.ORG) — maintainer site and install guidance.
[3] Vultr / community docs & user reports (examples of instructions and common add-apt-repository caveats).

🌐 Web query:

PHP multiple versions Ubuntu update-alternatives default

💡 Result:

Short how-to

  1. Ensure alternatives are registered (if error “no alternatives for php”): register each binary once, for example:
    sudo update-alternatives --install /usr/bin/php php /usr/bin/php8.2 82
    sudo update-alternatives --install /usr/bin/php php /usr/bin/php8.1 81
    Repeat for phar, phar.phar, phpize, php-config as needed. [1][2]

  2. Switch interactively:
    sudo update-alternatives --config php
    (and repeat for phar, phar.phar, phpize, php-config). Choose the number for the version you want. [1][2]

  3. Or set non-interactively:
    sudo update-alternatives --set php /usr/bin/php8.2
    sudo update-alternatives --set phar /usr/bin/phar8.2
    sudo update-alternatives --set phar.phar /usr/bin/phar.phar8.2
    sudo update-alternatives --set phpize /usr/bin/phpize8.2
    sudo update-alternatives --set php-config /usr/bin/php-config8.2. [1][3]

  4. If using Apache, also switch the Apache PHP module and restart:
    sudo a2dismod php8.1
    sudo a2enmod php8.2
    sudo systemctl restart apache2. [2][3]

  5. Verify:
    php -v
    which php

Sources: Baeldung (update-alternatives for PHP) [1], StackOverflow examples (a2enmod/a2dismod + update-alternatives) [2], how-to guides (example commands for phar/phpize/php-config) [3].

🌐 Web query:

Composer installer security verification checksum

💡 Result:

Short answer — verify the installer’s SHA‑384 against Composer’s published value before running it.

Commands (copy/paste):

  1. Download installer:
    php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"

  2. Fetch expected checksum:
    HASH="$(curl -sS https://composer.github.io/installer.sig)"

  3. Verify:
    php -r "if (hash_file('SHA384','composer-setup.php') === '$HASH') { echo 'Installer verified' . PHP_EOL; } else { echo 'Installer corrupt' . PHP_EOL; unlink('composer-setup.php'); exit(1); }"

  4. If verified, run:
    php composer-setup.php --quiet

Notes:

  • Composer publishes the current installer SHA‑384 and related keys on its public keys/signatures page. [1]
  • The Composer docs include the exact programmatic verification script above. [2]

Sources:
[1] Composer Public Keys / Checksums (installer SHA‑384).
[2] How do I install Composer programmatically? — Composer docs.

Add PHP default version configuration and secure Composer installation.

Several issues require attention:

  1. Missing Default PHP Version: With three PHP versions installed, commands expecting php will fail. Add:

    && update-alternatives --install /usr/bin/php php /usr/bin/php8.3 83 \
&& update-alternatives --install /usr/bin/phar phar /usr/bin/phar8.3 83 \
&& update-alternatives --install /usr/bin/phpize phpize /usr/bin/phpize8.3 83 \
&& update-alternatives --install /usr/bin/php-config php-config /usr/bin/php-config8.3 83

  2. Insecure Composer Installation: Line 88 pipes the installer without verification. Replace with:

    && curl -sS https://getcomposer.org/installer -o composer-setup.php \
&& HASH="$(curl -sS https://composer.github.io/installer.sig)" \
&& php -r "if (hash_file('SHA384', 'composer-setup.php') === '$HASH') { echo 'Installer verified'; } else { echo 'Installer corrupt'; exit(1); }" \
&& php composer-setup.php --install-dir=/usr/local/bin --filename=composer \
&& rm composer-setup.php

  3. Documentation Gap: PHP and Composer are not mentioned in README.md despite being installed. Update documentation to reflect these additions.

  4. Image Size Trade-off: Installing three complete PHP versions with extensions adds significant size. Consider whether all three are necessary or if a single version plus an installer (e.g., setup-php action) would be more efficient.

🤖 Prompt for AI Agents 
Dockerfile lines 47-85: you install PHP 8.1/8.2/8.3 but don’t set a system
default php/phar/phpize/php-config, and you install Composer insecurely while
also not documenting these additions; update the Dockerfile to (1) register
php8.3 as the default with update-alternatives for /usr/bin/php, phar, phpize
and php-config pointing to the php8.3 binaries, (2) replace the piped Composer
installer with the two-step verification flow (download installer, fetch
official SHA384 signature, verify hash in PHP, run installer and remove the
installer file), and (3) add a note to README.md documenting PHP and Composer
availability; additionally re-evaluate whether all three PHP versions are needed
to avoid unnecessary image bloat and remove extra versions if not required.


# Install Composer globally
RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer \
&& chmod +x /usr/local/bin/composer
Comment on lines +87 to +89
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

Composer official secure installation signature verification documentation

💡 Result:

Use Composer's official instructions: download the installer, fetch the published SHA‑384 checksum (installer.sig) and compare it before running the installer.

Commands (from Composer docs):

  • Download installer:
    php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');"
  • Fetch official checksum:
    EXPECTED="$(php -r 'copy("https://composer.github.io/installer.sig\",\"php://stdout\");')"
    (the same checksum is published on the Composer Public Keys / Signatures page.)
  • Verify:
    php -r "if (hash_file('SHA384','composer-setup.php')==='$EXPECTED') { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); } echo PHP_EOL; }"
  • Run installer only if verified.

Official references:

  • Composer — How do I install Composer programmatically? [1].
  • Composer Public Keys / Checksums (installer.sha384 / installer.sig) [2].

[1] https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md
[2] https://composer.github.io/pubkeys.html

🌐 Web query:

Composer installer security best practices 2024 2025

💡 Result:

Here are concise, practical Composer installer & dependency security best practices (2024–2025):

  • Install/upgrade Composer only from official sources and verify the downloaded phar/signature (Composer self-update verifies cryptographic signatures / build attestations). (php.watch)
  • Don’t run Composer as root (avoid sudo composer ...)—prior CVEs show executing Composer as root can escalate compromise if vendor files are tampered. (securinglaravel.com)
  • Keep Composer itself up to date (security fixes and new protections are regularly released). (getcomposer.org)
  • Commit and use composer.lock in CI/production; run composer install (not composer update) to ensure reproducible, pinned installs. (phpmagazine.net)
  • Enable and act on automated advisories: use composer audit / SCA tooling and enable Composer’s automatic security blocking features (Composer 2.9+). Integrate SCA into CI to fail builds on known vulnerabilities. (blog.packagist.com)
  • Verify package provenance where possible (lockfile URL integrity, build attestations / GitHub release attestations) and prefer installations from VCS-hosted releases you can inspect. (getcomposer.org)
  • Use least-privilege CI runners and ephemeral build environments; run composer with safe flags in CI (e.g., --no-dev, --no-scripts when appropriate) to reduce attack surface. (php.watch)
  • Protect registries and accounts: enable 2FA on Packagist/GitHub, use repository allowlists (private registries or Private Packagist / restricted mirrors) for critical projects. (php.watch)
  • Monitor transitive dependencies (SBOMs / SCA / vulnerability feeds) and treat deep transitive upgrades as part of regular maintenance; automate reminders to update stale pins. (arxiv.org)
  • Harden vendor directory handling: CI/builds should produce vendor artifacts from trusted sources and avoid executing code from unreviewed vendor files during ops or global composer commands. (securinglaravel.com)

If you want, I can produce a short CI checklist (GitHub Actions / GitLab CI) that implements these practices.

Citations:

Critical: Verify Composer installer integrity before execution.

Piping the Composer installer directly from curl to php without verification creates a supply chain security risk. If the download is intercepted or compromised, arbitrary code could execute with root privileges.

Follow Composer's official secure installation procedure:

-# Install Composer globally
-RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer \
- && chmod +x /usr/local/bin/composer
+# Install Composer globally with integrity verification
+RUN php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" \
+ && php -r "if (hash_file('sha384', 'composer-setup.php') === file_get_contents('https://composer.github.io/installer.sig')) { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); exit(1); }" \
+ && php composer-setup.php --install-dir=/usr/local/bin --filename=composer \
+ && php -r "unlink('composer-setup.php');" \
+ && chmod +x /usr/local/bin/composer

See: https://getcomposer.org/doc/faqs/how-to-install-composer-programmatically.md and https://composer.github.io/pubkeys.html for the published SHA-384 checksum.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
# Install Composer globally
RUN curl -sS https://getcomposer.org/installer | php -- --install-dir=/usr/local/bin --filename=composer \
&& chmod +x /usr/local/bin/composer
# Install Composer globally with integrity verification
RUN php -r "copy('https://getcomposer.org/installer', 'composer-setup.php');" \
&& php -r "if (hash_file('sha384', 'composer-setup.php') === file_get_contents('https://composer.github.io/installer.sig')) { echo 'Installer verified'; } else { echo 'Installer corrupt'; unlink('composer-setup.php'); exit(1); }" \
&& php composer-setup.php --install-dir=/usr/local/bin --filename=composer \
&& php -r "unlink('composer-setup.php');" \
&& chmod +x /usr/local/bin/composer
🤖 Prompt for AI Agents 
In Dockerfile around lines 87 to 89, the Composer installer is piped directly
from curl to php which is unsafe; instead download the composer-setup.php to a
temporary file, fetch the official SHA-384 signature (or the published checksum)
from Composer's site, verify the downloaded installer's checksum matches the
official value, only then run php on the verified composer-setup.php, remove the
temporary installer, move the composer PHAR to /usr/local/bin/composer and chmod
+x; update the Dockerfile to implement those steps (download, verify checksum,
conditional install, cleanup) following Composer's programmatic installation
guidance.


# Install AWS CLI
RUN curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip" \
&& unzip awscliv2.zip \
Expand Down