Initial commit: PHP CLI dev image, Alpine-based, 8.2/8.3/8.4/8.5 matrix, GHCR release workflow

Author: ThomasLohner

.claude/settings.json

@@ -0,0 +1,8 @@
+{
+  "permissions": {
+    "allow": [
+      "Bash(./build-local.sh *)",
+      "Bash(./release.sh *)"
+    ]
+  }
+}

.github/workflows/release.yml

@@ -0,0 +1,121 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*.*.*'
+
+env:
+  IMAGE: ghcr.io/scalecommerce/docker-php-cli
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Derive versions from tag
+        id: v
+        run: |
+          FULL="${GITHUB_REF_NAME#v}"
+          if ! [[ "$FULL" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "::error::tag must be vX.Y.Z (got $GITHUB_REF_NAME)"
+            exit 1
+          fi
+          MAJOR="${FULL%.*}"
+          # PHP major -> Alpine branch. Keep in sync with build-local.sh.
+          case "$MAJOR" in
+            8.2)         ALPINE=3.22 ;;
+            8.3|8.4|8.5) ALPINE=3.23 ;;
+            *) echo "::error::unsupported PHP version $MAJOR"; exit 1 ;;
+          esac
+          {
+            echo "full=$FULL"
+            echo "major=$MAJOR"
+            echo "alpine=$ALPINE"
+          } >> "$GITHUB_OUTPUT"
+
+      - uses: docker/setup-qemu-action@v3
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build and push (multi-arch)
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: true
+          build-args: |
+            ALPINE_VERSION=${{ steps.v.outputs.alpine }}
+            PHP_VERSION=${{ steps.v.outputs.major }}
+          tags: |
+            ${{ env.IMAGE }}:${{ steps.v.outputs.full }}
+            ${{ env.IMAGE }}:${{ steps.v.outputs.major }}
+          labels: |
+            org.opencontainers.image.version=${{ steps.v.outputs.full }}
+            org.opencontainers.image.source=https://github.com/${{ github.repository }}
+
+      - name: Verify published image contains the tagged PHP version
+        run: |
+          docker pull "$IMAGE:${{ steps.v.outputs.full }}"
+          ACTUAL=$(docker run --rm "$IMAGE:${{ steps.v.outputs.full }}" php -r 'echo PHP_VERSION;')
+          if [[ "$ACTUAL" != "${{ steps.v.outputs.full }}" ]]; then
+            echo "::error::tag is ${{ steps.v.outputs.full }} but image contains PHP $ACTUAL — Alpine bumped the patch between your local build and CI. Delete this tag and re-release with the new version."
+            exit 1
+          fi
+
+      - name: Extract versions.txt and extensions.txt
+        id: info
+        run: |
+          {
+            echo 'versions<<VERSIONS_EOF'
+            docker run --rm "$IMAGE:${{ steps.v.outputs.full }}" cat /opt/versions.txt
+            echo 'VERSIONS_EOF'
+          } >> "$GITHUB_OUTPUT"
+          {
+            echo 'extensions<<EXTENSIONS_EOF'
+            docker run --rm "$IMAGE:${{ steps.v.outputs.full }}" cat /opt/extensions.txt
+            echo 'EXTENSIONS_EOF'
+          } >> "$GITHUB_OUTPUT"
+
+      - name: Build release body
+        env:
+          VERSION: ${{ steps.v.outputs.full }}
+          MAJOR: ${{ steps.v.outputs.major }}
+          VERSIONS_TXT: ${{ steps.info.outputs.versions }}
+          EXTENSIONS_TXT: ${{ steps.info.outputs.extensions }}
+        run: |
+          {
+            echo '## Pull this version'
+            echo ''
+            echo '```'
+            echo "docker pull $IMAGE:$VERSION"
+            echo "docker pull $IMAGE:$MAJOR"
+            echo '```'
+            echo ''
+            echo '## Versions'
+            echo ''
+            echo '```'
+            echo "$VERSIONS_TXT"
+            echo '```'
+            echo ''
+            echo '## PHP extensions'
+            echo ''
+            echo '```'
+            echo "$EXTENSIONS_TXT"
+            echo '```'
+          } > release-body.md
+          cat release-body.md
+
+      - name: Create GitHub release
+        uses: softprops/action-gh-release@v2
+        with:
+          body_path: release-body.md

.gitignore

@@ -0,0 +1,3 @@
+.build-verified-*
+.claude/settings.local.json
+.DS_Store

BUILD.md

@@ -0,0 +1,55 @@
+# Release a new version
+
+Two steps.
+
+### 1. Build locally
+
+```
+./build-local.sh 8.4
+```
+
+Builds the image for PHP 8.4 on host arch, pulling whatever patch Alpine currently ships as `php84`. Prints the full PHP version. If the version shown is what you want to publish, continue.
+
+### 2. Release
+
+```
+./release.sh 8.4.12            # tag v8.4.12 and push — triggers CI
+./release.sh 8.4.12 --no-push  # tag but don't push
+```
+
+`release.sh` checks that `build-local.sh` was run against this exact version (via the `.build-verified-8.4` marker), then tags `v8.4.12` and pushes. The tag push triggers `.github/workflows/release.yml`, which:
+
+1. Builds multi-arch (amd64/arm64) with matching Alpine + PHP build args.
+2. Pushes to `ghcr.io/scalecommerce/docker-php-cli:8.4.12` (immutable) and `ghcr.io/scalecommerce/docker-php-cli:8.4` (rolling).
+3. Pulls the published image and verifies it actually contains PHP 8.4.12 — guards against Alpine bumping the patch between your local build and the CI run.
+4. Creates a GitHub Release whose body contains `/opt/versions.txt` and `/opt/extensions.txt`.
+
+### Preconditions for `release.sh`
+
+* Working tree clean, on `main`, no unpushed commits.
+* `./build-local.sh <major>` was run first.
+* The version you're releasing matches what the local build produced. If Alpine bumped the patch while you were preparing the release, the check fires — re-run `build-local.sh` and release the new version instead.
+
+## Alpine → PHP version mapping
+
+| PHP | Alpine |
+| --- | ------ |
+| 8.2 | 3.22   |
+| 8.3 | 3.23   |
+| 8.4 | 3.23   |
+| 8.5 | 3.23   |
+
+Kept in two places that must stay in sync: `build-local.sh` and `.github/workflows/release.yml`. If Alpine's PHP packaging moves, update both.
+
+## Manual multi-arch build (fallback)
+
+Only use this if CI is broken. You'll need a GitHub PAT with `write:packages`:
+
+```
+echo $GH_PAT | docker login ghcr.io -u <github-user> --password-stdin
+docker buildx create --name multiplatform-builder --use   # first time only
+docker buildx build --push --platform linux/amd64,linux/arm64 \
+  --build-arg ALPINE_VERSION=3.23 --build-arg PHP_VERSION=8.4 \
+  -t ghcr.io/scalecommerce/docker-php-cli:8.4.12 \
+  -t ghcr.io/scalecommerce/docker-php-cli:8.4 .
+```

CLAUDE.md

@@ -0,0 +1,51 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## About this file
+
+Kept minimal on purpose. Don't add anything an agent would find by reading the Dockerfile, scripts, or README in 30 seconds — those are authoritative. Every line here biases every future response; when updating, ask "would removing this cause a mistake?"
+
+## Project
+
+Single parametric Dockerfile → minimal Alpine-based PHP CLI images for 8.2/8.3/8.4/8.5, published to `ghcr.io/scalecommerce/docker-php-cli`. No FPM, no nginx — that's a separate image.
+
+## Critical: PHP → Alpine mapping is duplicated
+
+```
+8.2              → alpine 3.22
+8.3, 8.4, 8.5    → alpine 3.23
+```
+
+Lives as a `case` statement in BOTH `build-local.sh` AND `.github/workflows/release.yml`. If you change one, change the other — local and CI builds diverge silently otherwise.
+
+## Release flow (non-obvious invariants)
+
+Two steps: `./build-local.sh <major>` then `./release.sh <full-version>`. `build-local.sh` writes `.build-verified-<major>` (image SHA + Dockerfile content hash + resolved full PHP version). `release.sh` refuses to tag unless the requested version exactly matches what the local build produced. This is deliberate: if Alpine bumped the PHP patch between the two steps, you must re-run `build-local.sh` and release the *new* version. CI re-verifies post-push against the tag for the same reason.
+
+Each release pushes `X.Y.Z` (immutable) + `X.Y` (rolling). **No `latest` tag — deliberate.** Don't add one without discussing it.
+
+## Dockerfile quirks
+
+- Extension list lives in the `EXTENSIONS` variable inside the RUN block. A per-package probe (`apk search -q -x`) silently filters missing packages and logs a `Note:` line. Alpine's PHP packaging isn't uniform across majors — e.g. `php85-opcache` isn't a separate package (opcache is compiled into the `php85` core). If you add an extension and it doesn't end up in the image, check the build log for the skip.
+- `/etc/php/conf.d/zz-defaults.ini` sets `memory_limit=-1`. The `zz-` prefix makes it load last; user-mounted overrides need a later prefix (e.g. `zzz-`) to win.
+
+## Maintenance: check for newer Alpine/PHP before each release
+
+Three drift patterns. Run these checks before cutting a release (or periodically — Alpine pushes PHP patches regularly).
+
+**1. Patch bump in our current Alpine+PHP combo.** Alpine's `phpXY` package moves from e.g. 8.4.20 → 8.4.21 without any change on our side. Just run `./build-local.sh <major>` and compare the printed full version to the latest published tag. If different, release the new version.
+
+**2. Older PHP major becoming available on newer Alpine.** 8.2 currently pins us to Alpine 3.22. When Alpine 3.23 (or newer) eventually packages `php82`, we can consolidate. Check:
+
+```
+docker run --rm alpine:3.23 sh -c 'apk update -q && apk list php82 2>/dev/null'
+```
+
+Non-empty output → update the `case` in both `build-local.sh` and `release.yml` to use the newer Alpine for 8.2, rebuild, release.
+
+**3. New Alpine stable (e.g. 3.24 ships).** Re-run the probe above for each phpXY we care about against the new Alpine. If every active major has a package, migrate all mappings to the new Alpine, rebuild, release each major.
+
+## When adding a new PHP major (e.g. 8.6)
+
+Update the `case` in both `build-local.sh` AND `release.yml`. Confirm `phpXY` packages exist on the Alpine you pick (`docker run --rm alpine:X.Y sh -c 'apk update -q && apk list phpXY 2>/dev/null'`). Run `./build-local.sh X.Y` and inspect the `Note:` skips — if a critical extension is missing, decide whether to wait for Alpine to package it or adjust the extension list.

Dockerfile

@@ -0,0 +1,72 @@
+ARG ALPINE_VERSION=3.23
+ARG PHP_VERSION=8.4
+FROM alpine:${ALPINE_VERSION}
+
+ARG ALPINE_VERSION
+ARG PHP_VERSION
+
+LABEL org.opencontainers.image.source="https://github.com/ScaleCommerce/docker-php-cli" \
+      org.opencontainers.image.description="Minimal Alpine-based PHP CLI image for PHP project development" \
+      org.opencontainers.image.licenses="MIT"
+
+ENV PATH=/opt/:$PATH \
+    COMPOSER_ALLOW_SUPERUSER=1
+
+RUN set -eux; \
+    PHP=$(echo "$PHP_VERSION" | tr -d '.'); \
+    EXTENSIONS=" \
+        bcmath bz2 calendar ctype curl dom exif ffi fileinfo ftp \
+        gd gettext iconv intl mbstring mysqli mysqlnd opcache openssl \
+        pcntl pdo pdo_mysql pdo_pgsql pdo_sqlite phar posix session \
+        shmop simplexml soap sockets sodium sqlite3 sysvmsg sysvsem \
+        sysvshm tokenizer xml xmlreader xmlwriter xsl zip \
+        pecl-amqp pecl-apcu pecl-igbinary pecl-memcached pecl-msgpack \
+        pecl-redis pecl-yaml pecl-zstd"; \
+    apk update; \
+    AVAIL=""; SKIPPED=""; \
+    for ext in $EXTENSIONS; do \
+        pkg="php${PHP}-${ext}"; \
+        if apk search -q -x "$pkg" | grep -q .; then \
+            AVAIL="$AVAIL $pkg"; \
+        else \
+            SKIPPED="$SKIPPED $pkg"; \
+        fi; \
+    done; \
+    if [ -n "$SKIPPED" ]; then \
+        echo "Note: the following packages are unavailable on alpine:${ALPINE_VERSION:-?} and will be skipped:$SKIPPED" >&2; \
+    fi; \
+    apk add --no-cache \
+        bash git unzip curl make \
+        nodejs npm \
+        composer \
+        php${PHP} \
+        $AVAIL; \
+    rm -rf /var/cache/apk/*; \
+    ln -sf /usr/bin/php${PHP} /usr/bin/php; \
+    ln -sfn /etc/php${PHP} /etc/php; \
+    printf 'memory_limit=-1\n' > /etc/php/conf.d/zz-defaults.ini; \
+    npm install -g pnpm; \
+    npm cache clean --force; \
+    mkdir -p /opt; \
+    . /etc/os-release; \
+    PHP_FULL_VER=$(php -r 'echo PHP_VERSION;'); \
+    NODE_VER=$(node -v); \
+    NPM_VER=$(npm -v); \
+    PNPM_VER=$(pnpm -v); \
+    COMPOSER_VER=$(composer --version --no-ansi 2>&1 | head -1); \
+    { \
+      echo "$PRETTY_NAME ($(cat /etc/alpine-release))"; \
+      echo "PHP version is $PHP_FULL_VER"; \
+      echo "Node.js version is $NODE_VER"; \
+      echo "npm version is $NPM_VER"; \
+      echo "pnpm version is $PNPM_VER"; \
+      echo "$COMPOSER_VER"; \
+      echo ""; \
+    } > /opt/versions.txt; \
+    php -m > /opt/extensions.txt; \
+    echo "PATH=/opt/:\$PATH" >> /root/.profile; \
+    echo "cat /opt/versions.txt" >> /root/.profile
+
+WORKDIR /app
+
+CMD ["/bin/bash", "-l"]