Add PHP workspace stack

New stack (ghcr.io/sourecode/coder-workspace:php) layered on base:

- Sury repo (packages.sury.org/php) with PHP 8.5 default + dev extension
  set (cli common curl mbstring xml intl zip gd bcmath opcache mysql
  pgsql sqlite3 redis xdebug). Xdebug is baked in but its default mode
  is off — zero overhead until XDEBUG_MODE is flipped.
- pvm (PHP version manager) — user-level switcher that flips symlinks in
  \$HOME/.local/bin. No sudo for use/ls/current; install/remove touch
  apt. 'latest' and 'lts' resolve against php.net's supported-versions
  list (php.net has no official LTS — our convention is "oldest branch
  still in security support"). Falls back to Sury-local if php.net is
  unreachable.
- Composer via the official phar installer with signature check.
- symfony-cli from GitHub releases.
- FrankenPHP from GitHub releases.

Each installer gets its own narrow bind mount in src/php/Dockerfile so
per-tool bumps only invalidate one layer.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: chapterjason

.github/workflows/publish-workspaces.yml

@@ -71,7 +71,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        stack: [node, cpp]
+        stack: [node, cpp, php]
     steps:
       - uses: actions/checkout@v6
 

main.tf

@@ -25,6 +25,7 @@ locals {
     base = "ghcr.io/sourecode/coder-workspace:base"
     node = "ghcr.io/sourecode/coder-workspace:node"
     cpp  = "ghcr.io/sourecode/coder-workspace:cpp"
+    php  = "ghcr.io/sourecode/coder-workspace:php"
   }
 
   git_author_name            = coalesce(data.coder_workspace_owner.me.full_name, data.coder_workspace_owner.me.name)
@@ -51,6 +52,10 @@ data "coder_parameter" "workspace_image" {
     name  = "cpp — base + llvm + cmake + sccache"
     value = "cpp"
   }
+  option {
+    name  = "php — base + Sury PHP (default 8.5) + composer + symfony-cli + frankenphp + pvm"
+    value = "php"
+  }
 }
 
 data "coder_parameter" "repo_url" {

scripts/composer/install.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+# Composer installer. Runs as the workspace user — drops the phar into
+# $HOME/.local/bin (on PATH via pipx ensurepath in base). Verified against
+# the SHA-384 that the official Composer installer script publishes.
+# https://getcomposer.org/
+set -e
+
+COMPOSER_VERSION="${VERSION:-}"
+INSTALL_DIR="$HOME/.local/bin"
+mkdir -p "$INSTALL_DIR"
+
+if ! command -v php >/dev/null 2>&1; then
+  echo "composer: php not on PATH. scripts/php/install.sh must run before scripts/composer/install.sh." >&2
+  exit 1
+fi
+
+tmp=$(mktemp -d)
+trap 'rm -rf "$tmp"' EXIT
+
+curl -fsSL https://getcomposer.org/installer -o "$tmp/composer-setup.php"
+expected=$(curl -fsSL https://composer.github.io/installer.sig)
+actual=$(php -r "echo hash_file('sha384', '$tmp/composer-setup.php');")
+if [ "$expected" != "$actual" ]; then
+  echo "composer: installer signature mismatch (expected=$expected actual=$actual)." >&2
+  exit 1
+fi
+
+args=(--quiet --install-dir="$INSTALL_DIR" --filename=composer)
+[ -n "$COMPOSER_VERSION" ] && args+=(--version="$COMPOSER_VERSION")
+php "$tmp/composer-setup.php" "${args[@]}"
+
+if ! "$INSTALL_DIR/composer" --version >/dev/null 2>&1; then
+  echo "composer: binary not runnable after install." >&2
+  exit 1
+fi

scripts/frankenphp/install.sh

@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+# FrankenPHP installer. Runs as the workspace user — single static binary
+# from GitHub releases into $HOME/.local/bin. FrankenPHP is a modern PHP
+# app server (Caddy + PHP embedded).
+# https://github.com/dunglas/frankenphp
+set -e
+
+FP_VERSION_OPT="${VERSION:-latest}"
+INSTALL_DIR="$HOME/.local/bin"
+mkdir -p "$INSTALL_DIR"
+
+arch=$(uname -m)
+case "$arch" in
+  x86_64)  asset_arch=x86_64 ;;
+  aarch64) asset_arch=aarch64 ;;
+  *) echo "frankenphp: unsupported arch '$arch'." >&2; exit 1 ;;
+esac
+
+if [ "$FP_VERSION_OPT" = "latest" ]; then
+  FP_VERSION="$(curl -fsSL https://api.github.com/repos/dunglas/frankenphp/releases/latest | jq -r .tag_name)"
+else
+  FP_VERSION="$FP_VERSION_OPT"
+fi
+FP_VERSION="${FP_VERSION#v}"
+if [ -z "$FP_VERSION" ] || [ "$FP_VERSION" = "null" ]; then
+  echo "frankenphp: failed to resolve release version (got '$FP_VERSION_OPT')." >&2
+  exit 1
+fi
+
+curl -fsSL "https://github.com/dunglas/frankenphp/releases/download/v${FP_VERSION}/frankenphp-linux-${asset_arch}" \
+  -o "$INSTALL_DIR/frankenphp"
+chmod 0755 "$INSTALL_DIR/frankenphp"
+
+if ! "$INSTALL_DIR/frankenphp" version >/dev/null 2>&1; then
+  echo "frankenphp: binary not runnable after install." >&2
+  exit 1
+fi

scripts/php/install.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+# PHP installer. Runs as root. Adds Sury's PHP repo (packages.sury.org/php),
+# installs the default version with a dev-friendly extension set, and drops
+# /usr/local/bin/pvm — a user-level switcher for swapping active PHP versions
+# via symlinks under $HOME/.local/bin (no sudo needed to switch).
+# `pvm install <ver>` adds more versions from Sury on demand.
+# https://deb.sury.org/
+set -e
+
+PHP_DEFAULT_VERSION="${VERSION:-8.5}"
+# Extensions installed for every version (Sury naming, prefixed at use-site).
+# `common` pulls pdo/phar; `mysql`/`pgsql`/`sqlite3` include their pdo drivers.
+PHP_EXT_SET="cli common curl mbstring xml intl zip gd bcmath opcache mysql pgsql sqlite3 redis xdebug"
+
+install -m 0755 -d /etc/apt/keyrings
+curl -fsSL https://packages.sury.org/php/apt.gpg \
+  | gpg --dearmor -o /etc/apt/keyrings/sury-php.gpg
+chmod a+r /etc/apt/keyrings/sury-php.gpg
+echo "deb [signed-by=/etc/apt/keyrings/sury-php.gpg] https://packages.sury.org/php/ $(. /etc/os-release && echo $VERSION_CODENAME) main" \
+  > /etc/apt/sources.list.d/sury-php.list
+
+pkgs=""
+for ext in $PHP_EXT_SET; do
+  pkgs="$pkgs php${PHP_DEFAULT_VERSION}-${ext}"
+done
+
+apt-get update
+# shellcheck disable=SC2086
+apt-get install -y --no-install-recommends --no-install-suggests $pkgs
+rm -rf /var/lib/apt/lists/*
+
+# pvm — user-level PHP version switcher. Lives next to this installer; see
+# scripts/php/pvm for the script body.
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+install -m 0755 "$script_dir/pvm" /usr/local/bin/pvm
+
+if ! command -v php >/dev/null 2>&1; then
+  echo "php: /usr/bin/php not on PATH after install." >&2
+  exit 1
+fi

scripts/php/pvm

@@ -0,0 +1,145 @@
+#!/usr/bin/env bash
+# pvm — PHP version manager. Switches which PHP the user invokes as `php`
+# by flipping symlinks in $HOME/.local/bin (already on PATH via base's
+# pipx ensurepath). No sudo for `use` / `ls` / `current`; only `install` /
+# `remove` touch apt.
+#
+# Aliases 'latest' / 'lts' resolve against php.net's supported-versions
+# list; falls back to locally-packaged Sury versions if php.net is
+# unreachable. PHP has no official LTS — 'lts' is our convention for
+# "oldest branch still in security support" (longest-lived pin).
+set -e
+
+EXT_SET="cli common curl mbstring xml intl zip gd bcmath opcache mysql pgsql sqlite3 redis xdebug"
+USER_BIN="$HOME/.local/bin"
+TOOLS=(php phpize php-config)
+
+usage() {
+  cat <<EOF
+pvm — PHP version manager (Sury-backed).
+
+Usage:
+  pvm                  Show active PHP version.
+  pvm ls               List installed versions (* = active).
+  pvm ls-remote        List versions packaged by Sury.
+  pvm use <ver>        Link \$HOME/.local/bin/{php,phpize,php-config} → phpX.Y.
+  pvm install <ver>    apt-install phpX.Y-* from Sury (uses sudo).
+  pvm remove <ver>     apt-purge phpX.Y-* (uses sudo).
+
+Aliases: 'latest' = newest supported branch (php.net); 'lts' = oldest branch
+still in security support (php.net). Falls back to locally-packaged Sury
+versions if php.net is unreachable.
+EOF
+}
+
+sury_versions() {
+  apt-cache search --names-only '^php[0-9]+\.[0-9]+-cli$' 2>/dev/null \
+    | awk '{print $1}' | sed -n 's/^php\([0-9.]*\)-cli$/\1/p' | sort -V
+}
+
+# php.net's ?json endpoint returns supported_versions ordered oldest → newest.
+# Only major=8 today; update when PHP 9 ships.
+supported_versions() {
+  curl -fsSL --max-time 5 'https://www.php.net/releases/index.php?json&version=8' 2>/dev/null \
+    | jq -r '.supported_versions[]?' 2>/dev/null
+}
+
+resolve_alias() {
+  local list
+  case "$1" in
+    latest)
+      list=$(supported_versions); [ -z "$list" ] && list=$(sury_versions)
+      echo "$list" | tail -n 1
+      ;;
+    lts)
+      list=$(supported_versions)
+      if [ -n "$list" ]; then
+        echo "$list" | head -n 1
+      else
+        list=$(sury_versions)
+        if [ "$(echo "$list" | wc -l)" -lt 2 ]; then
+          echo "$list" | tail -n 1
+        else
+          echo "$list" | tail -n 2 | head -n 1
+        fi
+      fi
+      ;;
+    *) echo "$1" ;;
+  esac
+}
+
+installed_versions() {
+  compgen -G '/usr/bin/php[0-9].[0-9]' 2>/dev/null \
+    | sed -n 's|/usr/bin/php||p' | sort -V
+}
+
+active_version() {
+  local link
+  link=$(readlink "$USER_BIN/php" 2>/dev/null || true)
+  if [ -n "$link" ]; then
+    basename "$link" | sed 's/^php//'
+  elif command -v php >/dev/null 2>&1; then
+    php -r 'echo PHP_MAJOR_VERSION . "." . PHP_MINOR_VERSION;' 2>/dev/null || true
+  fi
+}
+
+cmd_ls() {
+  local current
+  current=$(active_version)
+  for v in $(installed_versions); do
+    if [ "$v" = "$current" ]; then echo "* $v"; else echo "  $v"; fi
+  done
+}
+
+cmd_ls_remote() { sury_versions; }
+
+cmd_use() {
+  local raw="${1:-}" ver
+  [ -n "$raw" ] || { usage; exit 1; }
+  ver=$(resolve_alias "$raw")
+  [ -x "/usr/bin/php$ver" ] || { echo "pvm: PHP $ver not installed. Try: pvm install $raw" >&2; exit 1; }
+  mkdir -p "$USER_BIN"
+  for t in "${TOOLS[@]}"; do
+    if [ -x "/usr/bin/${t}${ver}" ]; then
+      ln -sfn "/usr/bin/${t}${ver}" "$USER_BIN/$t"
+    fi
+  done
+  echo "PHP $ver active ($USER_BIN/php → /usr/bin/php$ver)."
+}
+
+cmd_install() {
+  local raw="${1:-}" ver
+  [ -n "$raw" ] || { usage; exit 1; }
+  ver=$(resolve_alias "$raw")
+  local pkgs=""
+  for ext in $EXT_SET; do pkgs="$pkgs php${ver}-${ext}"; done
+  sudo apt-get update
+  # shellcheck disable=SC2086
+  sudo apt-get install -y --no-install-recommends --no-install-suggests $pkgs
+  echo "PHP $ver installed. Activate with: pvm use $ver"
+}
+
+cmd_remove() {
+  local raw="${1:-}" ver
+  [ -n "$raw" ] || { usage; exit 1; }
+  ver=$(resolve_alias "$raw")
+  sudo apt-get purge -y "php${ver}*"
+  sudo apt-get autoremove -y
+}
+
+cmd_current() {
+  local v
+  v=$(active_version)
+  [ -n "$v" ] && echo "$v" || { echo "pvm: no PHP active" >&2; exit 1; }
+}
+
+case "${1:-current}" in
+  ls|list)          cmd_ls ;;
+  ls-remote)        cmd_ls_remote ;;
+  use)              shift; cmd_use "$@" ;;
+  install)          shift; cmd_install "$@" ;;
+  remove|uninstall) shift; cmd_remove "$@" ;;
+  current|'')       cmd_current ;;
+  -h|--help|help)   usage ;;
+  *)                usage; exit 1 ;;
+esac

scripts/symfony-cli/install.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+# symfony-cli installer. Runs as the workspace user — prebuilt tarball from
+# GitHub releases into $HOME/.local/bin.
+# https://github.com/symfony-cli/symfony-cli
+set -e
+
+SF_VERSION_OPT="${VERSION:-latest}"
+INSTALL_DIR="$HOME/.local/bin"
+mkdir -p "$INSTALL_DIR"
+
+arch=$(dpkg --print-architecture)
+case "$arch" in
+  amd64) asset_arch=amd64 ;;
+  arm64) asset_arch=arm64 ;;
+  *) echo "symfony-cli: unsupported arch '$arch'." >&2; exit 1 ;;
+esac
+
+if [ "$SF_VERSION_OPT" = "latest" ]; then
+  SF_VERSION="$(curl -fsSL https://api.github.com/repos/symfony-cli/symfony-cli/releases/latest | jq -r .tag_name)"
+else
+  SF_VERSION="$SF_VERSION_OPT"
+fi
+SF_VERSION="${SF_VERSION#v}"
+if [ -z "$SF_VERSION" ] || [ "$SF_VERSION" = "null" ]; then
+  echo "symfony-cli: failed to resolve release version (got '$SF_VERSION_OPT')." >&2
+  exit 1
+fi
+
+tmp=$(mktemp -d)
+trap 'rm -rf "$tmp"' EXIT
+
+curl -fsSL "https://github.com/symfony-cli/symfony-cli/releases/download/v${SF_VERSION}/symfony-cli_linux_${asset_arch}.tar.gz" \
+  | tar -xz -C "$tmp"
+install -m 0755 "$tmp/symfony" "$INSTALL_DIR/symfony"
+
+if ! "$INSTALL_DIR/symfony" version >/dev/null 2>&1; then
+  echo "symfony-cli: binary not runnable after install." >&2
+  exit 1
+fi

src/php/Dockerfile

@@ -0,0 +1,22 @@
+# syntax=docker/dockerfile:1
+
+ARG BASE_IMAGE=ghcr.io/sourecode/coder-workspace:base
+FROM ${BASE_IMAGE}
+
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+ENV DEBIAN_FRONTEND=noninteractive
+
+# System-wide: Sury repo + default PHP + extension set + pvm switcher.
+RUN --mount=type=bind,source=scripts/php,target=/scripts/php \
+    bash /scripts/php/install.sh
+
+# Per-user tooling: composer phar, symfony-cli, frankenphp — all land in
+# $HOME/.local/bin, on PATH via base's pipx ensurepath.
+USER ${_REMOTE_USER}
+RUN --mount=type=bind,source=scripts/composer,target=/scripts/composer \
+    bash /scripts/composer/install.sh
+RUN --mount=type=bind,source=scripts/symfony-cli,target=/scripts/symfony-cli \
+    bash /scripts/symfony-cli/install.sh
+RUN --mount=type=bind,source=scripts/frankenphp,target=/scripts/frankenphp \
+    bash /scripts/frankenphp/install.sh
+USER root