Build static macOS PHP CLI binaries

[bcotrim]

Related issues

• Related to RSM-1650

How AI was used in this PR

AI helped compare the Buildkite and GitHub Actions approaches, simplify the static-php-cli build, and validate the generated artifacts. I reviewed the changes and tested the resulting binaries locally.

Proposed Changes

• Add a manual Build PHP CLI Binaries GitHub Actions workflow.
• Build PHP CLI binaries with upstream static-php-cli instead of custom Buildkite scripts.
• Default to PHP 8.4.20 and static-php-cli 2.8.5, with workflow inputs to override them.
• Build the currently working targets: macos-aarch64, macos-x86_64, and windows-x86_64.
• Upload packaged archives plus .sha256 sidecars as GitHub Actions artifacts.
• Leave Apps CDN upload and manifest updates for a follow-up PR.

Testing Instructions

• Confirm the macos-aarch64, macos-x86_64, and windows-x86_64 jobs pass.
• Download the artifacts and verify the inner archive against its .sha256 file.
• Extract the archive and confirm php -v reports PHP 8.4.20.
• Move the archive to .studio folder - ~/.studio/php-bin/8.4 for example
• npm run cli:build
• STUDIO_RUNTIME=native-php node apps/cli/dist/cli/main.mjs site create
• Confirm the WordPress site is running

Pre-merge Checklist

• Have you checked for TypeScript, React or other console errors?

[fredrikekelund]

I know this isn't ready yet, but I left a few comments with preliminary observations

[fredrikekelund]

The spc craft command, with its more declarative approach, seems like an appealing option. AFAICT, it wraps spc download, spc install-pkg, and spc build into a single command.

[fredrikekelund]

Two things:

1. Can we add some comments to explain what's going on here?
2. Why Python?

[fredrikekelund]

Not bad, but strikes me as somewhat redundant…

[fredrikekelund]

Suggested change

	EXTENSIONS="ctype,curl,dom,exif,fileinfo,filter,gd,iconv,imagick,intl,mbregex,mbstring,mysqli,mysqlnd,opcache,openssl,pdo,pdo_sqlite,phar,session,simplexml,sodium,sqlite3,tokenizer,xml,xmlreader,xmlwriter,zip,zlib"
	EXTENSIONS="apcu,bcmath,calendar,ctype,curl,dba,dom,exif,fileinfo,filter,ftp,gd,gettext,iconv,igbinary,imagick,intl,mbregex,mbstring,mysqli,mysqlnd,opcache,openssl,pcntl,pdo,pdo_mysql,pdo_sqlite,phar,posix,readline,redis,session,shmop,simplexml,sockets,sodium,sqlite3,ssh2,tokenizer,xml,xmlreader,xmlwriter,xsl,yaml,zip,zlib"

Adds the following extensions: apcu, bcmath, calendar, dba, ftp, gettext, igbinary, pcntl, pdo_mysql, posix, readline, redis, shmop, sockets, ssh2, xsl, yaml.

This is quite a generous list, but I don't think that hurts. It's based on the official WordPress recommendation and static-php's "common extensions" list.

Moreover, per my other comment, it'd be nice to use the declarative config file craft.yml for clarity. I assume it also helps with cross-platform portability.

[wpmobilebot]

📊 Performance Test Results

Comparing 637658f vs trunk

app-size

Metric	trunk	637658f	Diff	Change
App Size (Mac)	1404.87 MB	1454.05 MB	+49.18 MB	🔴 3.5%

site-editor

Metric	trunk	637658f	Diff	Change
load	1501 ms	1504 ms	+3 ms	⚪ 0.0%

site-startup

Metric	trunk	637658f	Diff	Change
siteCreation	8087 ms	8079 ms	8 ms	⚪ 0.0%
siteStartup	4936 ms	4949 ms	+13 ms	⚪ 0.0%

---

Results are median values from multiple test runs.

Legend: 🟢 Improvement (faster) | 🔴 Regression (slower) | ⚪ No change (<50ms diff)

[fredrikekelund]

The build config looks fine, but I get the following warning when I try running the macOS arm64 binary:

That smells like a code signing issue to me

[fredrikekelund]

No gettext, intl, sodium, or xsl on Windows?

[fredrikekelund]

Suggested change

	extensions: apcu,bcmath,calendar,ctype,curl,dba,dom,exif,fileinfo,filter,ftp,gd,gettext,iconv,igbinary,imagick,intl,mbregex,mbstring,mysqli,mysqlnd,opcache,openssl,pcntl,pdo,pdo_mysql,pdo_sqlite,phar,posix,readline,redis,session,shmop,simplexml,sockets,sodium,sqlite3,ssh2,tokenizer,xml,xmlreader,xmlwriter,xsl,yaml,zip,zlib
	- target: macos-x86_64
	runner: macos-15-intel
	artifact_platform: macos
	artifact_arch: x86_64
	archive_extension: tar.gz
	binary_name: php
	extensions: apcu,bcmath,calendar,ctype,curl,dba,dom,exif,fileinfo,filter,ftp,gd,gettext,iconv,igbinary,imagick,intl,mbregex,mbstring,mysqli,mysqlnd,opcache,openssl,pcntl,pdo,pdo_mysql,pdo_sqlite,phar,posix,readline,redis,session,shmop,simplexml,sockets,sodium,sqlite3,ssh2,tokenizer,xml,xmlreader,xmlwriter,xsl,yaml,zip,zlib
	extensions: &php_extensions
	apcu,bcmath,calendar,ctype,curl,dba,dom,exif,fileinfo,filter,ftp,gd,gettext,iconv,igbinary,imagick,intl,mbregex,mbstring,mysqli,mysqlnd,opcache,openssl,pcntl,pdo,pdo_mysql,pdo_sqlite,phar,posix,readline,redis,session,shmop,simplexml,sockets,sodium,sqlite3,ssh2,tokenizer,xml,xmlreader,xmlwriter,xsl,yaml,zip,zlib
	- target: macos-x86_64
	runner: macos-15-intel
	artifact_platform: macos
	artifact_arch: x86_64
	archive_extension: tar.gz
	binary_name: php
	extensions: *php_extensions

We could explicitly reuse the extensions definition for both macOS architectures like so.

[fredrikekelund]

Suggested change

	uses: actions/checkout@v4
	uses: actions/checkout@v6

I'm not GitHub Actions wiz, but v6 is the latest version. Seems like we could use that.

[fredrikekelund]

Suggested change

	uses: actions/checkout@v4
	uses: actions/checkout@v6

[fredrikekelund]

If we build and distribute the binaries ourselves, what do we do with the checksums?

[bcotrim]

When we upload the binaries to the CDN and update the binary metadata, we can store the checksum alongside each CDN URL. It’s a good safety measure to verify the archive after download and before extraction.

[fredrikekelund]

I say we can drop this part and just focus on how it'll work once this PR lands.

[fredrikekelund]

This feel like it's written for AI. Why did we have to patch it before?

[bcotrim]

It was one of the attempts to build Mac Intel, but it no longer applies.

[fredrikekelund]

Looking good! We're still missing xattr -d com.apple.quarantine here, though, right?