Templated Dockerfile + slim runtime image

[loks0n]

Summary

• Collapse php-8.{3,4,5}/Dockerfile into a single root Dockerfile parameterized by versions/<X.Y>.env (PHP_VERSION, PHP_API, and per-extension pins).
• Strip extension .so files in each builder stage and swap dev packages (*-dev) for their runtime equivalents (*-libs) in the final stage.
• Compile sockets.so once in the compile stage and copy it into final (instead of recompiling, which dragged linux-headers into the runtime image).
• Unify extension pins across 8.3/8.4 where possible: redis 6.1.0 → 6.3.0, imagick 3.7.0 → 3.8.1 (8.3), yaml 2.2.4 → 2.3.0, xdebug 3.4.1 → 3.5.1.
• Root tests.yaml replaces the per-version copies (uses php -m, no ABI-specific paths).

Image size impact

Version	Before	After	Δ
8.3	237 MB	169 MB	-29%
8.4	246 MB	178 MB	-28%
8.5	262 MB	194 MB	-26%

Test plan

• CI builds all three versions × both arches green
• Structure tests pass against the root tests.yaml for each version
• Dive efficiency check passes
• Trivy scan shows no new HIGH/CRITICAL CVEs vs. main

🤖 Generated with Claude Code

[greptile-apps]

Greptile Summary

This PR collapses three per-version Dockerfiles into a single parameterized Dockerfile driven by versions/<X.Y>.env files, switches runtime packages from -dev to -libs variants, and strips debug symbols from compiled .so files to shrink the final image by ~26–29%.

• Templating: ARG PHP_VERSION / ARG PHP_API replace hardcoded 8.3/8.4/8.5 values; version pins move to versions/*.env files sourced by CI.
• Slim runtime: brotli-dev/lz4-dev/zstd-dev/yaml-dev replaced with *-libs/yaml; linux-headers and apk update removed from the final stage.
• Symbol stripping: binutils strip --strip-unneeded added after each extension make install; sockets.so is now compiled once in the compile stage and copied rather than recompiled in final.

Confidence Score: 3/5

The build will fail as-is for all three PHP versions due to missing ARG re-declarations in builder stages.

The strip commands in every builder stage reference ${PHP_API}, but Docker ARG values do not carry across FROM instructions unless explicitly re-declared. Only the compile and final stages declare ARG PHP_API; the 12 intermediate builder stages do not. The variable expands to an empty string in those stages, producing an invalid path that causes strip (and therefore the RUN layer) to fail, blocking every build variant.

The root Dockerfile needs ARG PHP_API added after each of the 12 FROM compile AS lines.

Important Files Changed

Filename	Overview
Dockerfile	New templated Dockerfile using ARG PHP_API/PHP_VERSION; ARG PHP_API is correctly re-declared in final but missing in all 12 builder stages, causing ${PHP_API} to expand to empty and every strip command to fail.
.github/workflows/ci.yml	Build step now sources the .env file and passes each key as --build-arg KEY (value picked up from environment); structure-test now uses root tests.yaml.
versions/8.3.env	New per-version env file with PHP_VERSION, PHP_API and bumped extension pins for 8.3.
versions/8.4.env	New per-version env file with PHP_VERSION, PHP_API and bumped extension pins for 8.4.
versions/8.5.env	New per-version env file with PHP_VERSION, PHP_API and commit-hash pins for extensions not yet tagged for 8.5.
tests.yaml	Replaces three per-version tests.yaml files; uses php -m and ini-file checks instead of ABI-specific .so path assertions — correctly version-agnostic.
README.md	Updated local-dev instructions to document the env-sourcing + --build-arg loop pattern.

_{Reviews (1): Last reviewed commit: "Collapse per-version Dockerfiles into on..." | Re-trigger Greptile}

[greptile-apps]

ARG PHP_API missing in all builder stages

Docker ARG values do not propagate across FROM instructions — each stage must re-declare every ARG it intends to use. The compile stage declares ARG PHP_API (line 5), but none of the 12 downstream stages (redis, swoole, imagick, yaml, maxmind, zstd, brotli, lz4, snappy, scrypt, xdebug, mongodb) do. As a result ${PHP_API} expands to an empty string in every one of them. The strip command becomes strip --strip-unneeded /usr/local/lib/php/extensions/no-debug-non-zts-/*.so, which references a non-existent directory; strip (binutils) exits non-zero, and the entire build fails for every PHP version.

The fix is to add ARG PHP_API immediately after each FROM compile AS <stage> line — the same pattern already correctly applied to the final stage at line 159.

[loks0n]

@greptile-apps the ARG-doesn't-cross-FROM claim is a false positive here.

That rule applies to fresh base images (e.g. FROM alpine). When a stage uses FROM <named-stage> (e.g. FROM compile AS swoole), it inherits the parent stage's build context, including ARGs already in scope. No re-declaration needed.

Empirical confirmation:

ARG MYVAR
FROM alpine AS base
ARG MYVAR
RUN echo "base: [$MYVAR]" > /tmp/out

FROM base AS child
RUN echo "child: [$MYVAR]" >> /tmp/out
RUN cat /tmp/out

Built with --build-arg MYVAR=hello:

base: [hello]
child: [hello]

And on the actual PR: locally-built images show swoole.so at 3 MB (vs. 47 MB unstripped). If ${PHP_API} had expanded to empty, strip /usr/local/lib/php/extensions/no-debug-non-zts-/*.so would have errored and no image would exist.

[greptile-apps]

You're right, and I was wrong to flag this. Looking at the Dockerfile structure:

• ARG PHP_API is declared and activated in the compile stage
• All extension stages (FROM compile AS redis, FROM compile AS swoole, etc.) inherit from compile — not from a fresh base image
• Your empirical test confirms the behavior: named-stage children do carry the parent's ARG scope into RUN commands

The "ARG doesn't cross FROM" rule strictly applies to FROM <external-image> (a new root stage), not to FROM <named-stage>. The 3 MB stripped .so files are proof enough that ${PHP_API} resolved correctly throughout.

Withdrawing the comment — the code is correct as written.

Tip: You can give me more context with [.greptile/rules.md](https://www.greptile.com/docs/code-review/custom-standards) so I get this right next time.