DataDog · realFlowControl · Jun 22, 2026 · Jun 22, 2026 · Jun 22, 2026 · Jun 22, 2026
@@ -21,7 +21,7 @@ jobs:
       CARGO_TARGET_DIR: /tmp/build-cargo
       RUST_TOOLCHAIN: nightly-2025-06-13
     container:
-      image: datadog/dd-trace-ci:php-${{matrix.php-version}}_bookworm-8
+      image: datadog/dd-trace-ci:php-${{matrix.php-version}}_bookworm-9
       # https://docs.github.com/en/actions/creating-actions/dockerfile-support-for-github-actions#user
       options: --user root
 
@@ -86,7 +86,7 @@ jobs:
       CARGO_TARGET_DIR: /tmp/build-cargo
       UBSAN_OPTIONS: print_stacktrace=1:halt_on_error=1
     container:
-      image: datadog/dd-trace-ci:php-8.5_bookworm-8
+      image: datadog/dd-trace-ci:php-8.5_bookworm-9
       options: --user root
 
     steps:
@@ -127,25 +127,6 @@ jobs:
           cargo build --profile profiler-release
           cp -v "$CARGO_TARGET_DIR/profiler-release/libdatadog_php_profiling.so" "$(php-config --extension-dir)/datadog-profiling.so"
 
-      # TODO(parallel): the php-8.5_bookworm-8 image ships parallel 1.2.13, which
-      # has a bug that intermittently trips UBSAN. Install the fixed 1.2.14 over
-      # it (ZTS-only; parallel requires ZTS). Remove this step once the CI images
-      # are rebuilt with parallel >= 1.2.14.
-      - name: Install fixed parallel 1.2.14 (ZTS only, temporary until images rebuilt)
-        if: matrix.php-build == 'zts'
-        run: |
-          set -eux
-          switch-php zts
-          scan_dir="$(php -r 'echo PHP_CONFIG_FILE_SCAN_DIR;')"
-          # pecl refuses to reinstall while the extension is loaded, so move its
-          # ini aside during the build, then restore it so the test run loads the
-          # freshly installed parallel.so. Use the direct package URL because the
-          # channel REST cache in the image can lag behind new releases.
-          mv "$scan_dir/parallel.ini" /tmp/parallel.ini.disabled
-          yes '' | pecl install -f https://pecl.php.net/get/parallel-1.2.14.tgz
-          mv /tmp/parallel.ini.disabled "$scan_dir/parallel.ini"
-          php --ri parallel | grep -i version
-
       - name: Run phpt tests
         run: |
           set -eux

@@ -3,6 +3,7 @@ stages:
   - tests
   - deploy
   - ci-build
+  - ci-publish
 
 variables:
   GIT_SUBMODULE_STRATEGY: recursive
@@ -17,7 +18,6 @@ include:
   - project: DataDog/apm-reliability/libdatadog-build
     ref: 5826819695d93286569e70ed087ae6bf906ce2c3
     file: templates/ci_authenticated_job.yml
-  - local: .gitlab/ci-images.yml
 
 generate-templates:
   stage: build
@@ -56,6 +56,7 @@ generate-templates:
     - php ./.gitlab/generate-appsec.php   | tee .gitlab/appsec-gen.yml
     - php ./.gitlab/generate-profiler.php | tee .gitlab/profiler-gen.yml
     - php ./.gitlab/generate-shared.php   | tee .gitlab/shared-gen.yml
+    - php ./.gitlab/generate-ci-images.php | tee .gitlab/ci-images-gen.yml
   variables:
     GIT_SUBMODULE_STRATEGY: none
   artifacts:
@@ -89,6 +90,22 @@ appsec-trigger:
     PARENT_PIPELINE_ID: $CI_PIPELINE_ID
     GIT_SUBMODULE_PATHS: libdatadog appsec/third_party/cpp-base64 appsec/third_party/libddwaf appsec/third_party/libddwaf-rust appsec/third_party/msgpack-c
 
+# Manual maintenance pipeline that (re)builds the CI Docker images. Generated
+# from dockerfiles/ci/*/docker-compose.yml + .env so versions live in one place.
+# No strategy: depend — the parent must not wait on these manual jobs.
+ci-images:
+  stage: ci-build
+  rules:
+    - when: manual
+      allow_failure: true
+  needs:
+    - job: generate-templates
+      artifacts: true
+  trigger:
+    include:
+      - artifact: .gitlab/ci-images-gen.yml
+        job: generate-templates
+
 profiler-trigger:
   stage: tests
   needs: [ "generate-templates" ]

@@ -71,7 +71,7 @@
 "test appsec extension":
   stage: test
   extends: .appsec_test
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8
+  image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-9
   variables:
     KUBERNETES_CPU_REQUEST: 3
     KUBERNETES_CPU_LIMIT: 3
@@ -393,7 +393,7 @@
 "appsec code coverage":
   stage: test
   extends: .appsec_test
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.3_bookworm-8
+  image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.3_bookworm-9
   variables:
     KUBERNETES_CPU_REQUEST: 3
     KUBERNETES_MEMORY_REQUEST: 3Gi
@@ -515,7 +515,7 @@
 "appsec lint":
   stage: test
   extends: .appsec_test
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.3_bookworm-8
+  image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.3_bookworm-9
   variables:
     KUBERNETES_CPU_REQUEST: 3
     KUBERNETES_MEMORY_REQUEST: 9Gi
@@ -537,7 +537,7 @@
 "test appsec helper asan":
   stage: test
   extends: .appsec_test
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:bookworm-8
+  image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:bookworm-9
   variables:
     KUBERNETES_CPU_REQUEST: 3
     KUBERNETES_MEMORY_REQUEST: 3Gi
@@ -563,7 +563,7 @@
 #"fuzz appsec helper":
 #  stage: test
 #  extends: .appsec_test
-#  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:bookworm-8
+#  image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:bookworm-9
 #  variables:
 #    KUBERNETES_CPU_REQUEST: 3
 #    KUBERNETES_MEMORY_REQUEST: 5Gi