Revamp CI; fix leak and build failure

cataphract · cataphract · commit 04a45bd2c7d4 · 2026-03-15T19:01:19.000Z
diff --git a/.github/docker-image-shas.yml b/.github/docker-image-shas.yml
@@ -2,16 +2,17 @@
 # Maps image tags to their multi-arch OCI index digests (amd64 + arm64).
 # Regenerate with: .github/scripts/update-docker-shas.sh
 
-datadog/dd-appsec-php-ci:
-  php-8.0-debug:       "sha256:900ceae7487db1e3652de2880c181e572fdf053673bcda8ff47abf664ff74d39"
-  php-8.0-release-zts: "sha256:b6243199f6aea0792a97583c9036f0b191ad9efb96ea337632fbaca76289a4da"
-  php-8.1-debug:       "sha256:1a1e5b44cf043e59768c65fd7c94aaefdacde5fa96d83102d35db11ad86f24c6"
-  php-8.1-release-zts: "sha256:5b8a269b4228d9191420059daef820b660110be0aca6776557924172fd1ff0c8"
-  php-8.2-debug:       "sha256:52ad14560672fc8c5130f5758bbee3fa401bc1d35b412f4a230c6258143291a5"
-  php-8.2-release-zts: "sha256:cb143d915b394f16a2d78018765705460f3d1b788fdd2a90ef50fad5f8f5918c"
-  php-8.3-debug:       "sha256:bb6df08160126374d3d9247428928aa19a9c2b2429c98356650199b85ae20212"
-  php-8.3-release-zts: "sha256:e58e25a017f75df82691d408b8cb70453875ff36718e295ee8c6653a0f117331"
-  php-8.4-debug:       "sha256:15045688f6986f4625b1507a7f4be6104e7bbb88caf877f1611463b929f2bca2"
-  php-8.4-release-zts: "sha256:8e0ac25a3306b4b9f692c593b8a509cc789c2e001ce52682928065a92c880136"
-  php-8.5-debug:       "sha256:bd0170331b34fb469e29d00b19b20fb88b726160f76df274a1bdc3a27ac18d30"
-  php-8.5-release-zts: "sha256:e071b2095da55bd24686209422f43a01c65acfc6021f04156d9fb43fd3d4d426"
+ghcr.io/cataphract/php-minimal:
+  8.0-debug:           "sha256:d46c15e648497cf55bb6b4806c726c58714f5b63fcb1096e4a8ec433ec17c835"
+  8.0-release-zts:     "sha256:bcbaab72e7c0e704d7bdef01e8f91e1bc0636e6e98c0ab68cc2fc417e7a98a66"
+  8.1-debug:           "sha256:dbdb437df0a4acbbd11e020461f7cef2f0e949f46f9ca841c5f058012ec7cc98"
+  8.1-release-zts:     "sha256:2b330ce54679f29e09ea77c984cd409618142cc20cab48b5a114cc1e5b09257c"
+  8.2-debug:           "sha256:efecf1cdbd09511aec12897a03682934243498c5bb2ba37874ae2100c1498011"
+  8.2-release-zts:     "sha256:d67d1c370abdc5e629a2bec1ff4d308f0ccb7d3cbc7ecc3c7eee851cd6c2efaa"
+  8.3-debug:           "sha256:1b8e6ba17c837a4035f6981dd38f9f447be57a3d558ca8f18071c8390a62ce6c"
+  8.3-release:         "sha256:23abac21af8c95ccd6cd6a8b5fbb2d1dd67e122fc7630bbbfcc7b75e6a6fcc96"
+  8.3-release-zts:     "sha256:158060357f81b495a5420b1f9d488abd61d59306946b352e4fbfc4011b7a2d89"
+  8.4-debug:           "sha256:c863e2a60f144856f56d50ed1080bbe0377ca99760195f170c762ad46f0466e5"
+  8.4-release-zts:     "sha256:6451c7104d874f8c4f7e0305e5baaecebbd74672a036c02de2cbb9d1a10c8906"
+  8.5-debug:           "sha256:014a16949dd0da0581cda6768bd7751f66b6ada3becdc949aeb5b8e1efb3c5cf"
+  8.5-release-zts:     "sha256:dadd96c4740bc9606f2985be51fb0b85d768132f93786c4ae52940552f3cbdc6"
diff --git a/.github/scripts/build-and-test.sh b/.github/scripts/build-and-test.sh
@@ -1,24 +1,79 @@
 #!/usr/bin/env bash
 # Build the extension and run the test suite.
-# Expected to run inside a datadog/dd-appsec-php-ci container from the repo root.
+# Expected to run inside a php-minimal (Alpine) container or Ubuntu from the repo root.
+# Env vars:
+#   LIBARCHIVE_VERSION  "system" (default) or a version tag like "v3.7.0".
+#                       "system" installs the distro package; a version tag
+#                       builds libarchive from source into .libarchive-cache/
+#                       inside the workspace (cached by the CI workflow).
 set -euo pipefail
 
-# Install libarchive development headers if not already present.
-if ! pkg-config --exists libarchive 2>/dev/null; then
-    apt-get update -qq
-    apt-get install -y -qq libarchive-dev
+LIBARCHIVE_VERSION="${LIBARCHIVE_VERSION:-system}"
+
+# ── Install / build libarchive ────────────────────────────────────────────────
+
+if [ "$LIBARCHIVE_VERSION" = "system" ]; then
+    if command -v apk >/dev/null 2>&1; then
+        apk add --no-cache libarchive-dev
+    else
+        # Non-root Ubuntu runner: use sudo.
+        _sudo=""
+        [ "$(id -u)" != "0" ] && _sudo="sudo"
+        $_sudo apt-get update -qq
+        $_sudo apt-get install -y -qq libarchive-dev
+    fi
+    CONFIGURE_LIBARCHIVE="--with-libarchive"
+else
+    # Build libarchive from source at the requested version.
+    # The workflow caches ${GITHUB_WORKSPACE}/.libarchive-cache so subsequent
+    # runs restore it and skip the build.
+    LA_VERSION_NUM="${LIBARCHIVE_VERSION#v}"
+    LA_PREFIX="${GITHUB_WORKSPACE}/.libarchive-cache"
+
+    if [ ! -f "${LA_PREFIX}/lib/libarchive.so" ] && [ ! -f "${LA_PREFIX}/lib/libarchive.a" ]; then
+        if command -v apk >/dev/null 2>&1; then
+            apk add --no-cache cmake build-base curl zlib-dev bzip2-dev xz-dev zstd-dev lz4-dev openssl-dev
+        else
+            _sudo=""
+            [ "$(id -u)" != "0" ] && _sudo="sudo"
+            $_sudo apt-get update -qq
+            $_sudo apt-get install -y -qq cmake build-essential curl zlib1g-dev libbz2-dev liblzma-dev libzstd-dev liblz4-dev libssl-dev
+        fi
+
+        BUILD_DIR="$(mktemp -d)"
+        curl -fsSL "https://github.com/libarchive/libarchive/releases/download/${LIBARCHIVE_VERSION}/libarchive-${LA_VERSION_NUM}.tar.gz" \
+            | tar xz -C "$BUILD_DIR"
+        cmake -S "${BUILD_DIR}/libarchive-${LA_VERSION_NUM}" \
+              -B "${BUILD_DIR}/build" \
+              -DCMAKE_INSTALL_PREFIX="${LA_PREFIX}" \
+              -DCMAKE_BUILD_TYPE=Release \
+              -DENABLE_TEST=OFF
+        cmake --build "${BUILD_DIR}/build" -j"$(nproc)"
+        cmake --install "${BUILD_DIR}/build"
+        rm -rf "$BUILD_DIR"
+    fi
+
+    export LD_LIBRARY_PATH="${LA_PREFIX}/lib${LD_LIBRARY_PATH:+:${LD_LIBRARY_PATH}}"
+    CONFIGURE_LIBARCHIVE="--with-libarchive=${LA_PREFIX}"
 fi
 
-# Clean up artifacts from any previous build so stale objects don't survive a
-# PHP-version switch (safe in CI where the workspace is always fresh).
+# ── Build ─────────────────────────────────────────────────────────────────────
+
+# Clean up all generated files so stale objects from a previous PHP version or
+# build variant don't silently survive into this build.
 if [ -f Makefile ]; then
     make -f Makefile distclean
 fi
+# Remove any leftover object files even if Makefile is gone.
+find . -name '*.lo' -o -name '*.o' | xargs rm -f 2>/dev/null || true
+find . -name '.libs' -type d | xargs rm -rf 2>/dev/null || true
 
 phpize
-./configure --with-php-config="$(which php-config)" --with-libarchive
+./configure --with-php-config="$(which php-config)" "$CONFIGURE_LIBARCHIVE"
 make -f Makefile -j"$(nproc)"
 
+# ── Test ──────────────────────────────────────────────────────────────────────
+
 # The generated Makefile silences and ignores errors on the `if` commands;
 # undo that so test failures surface properly.
 sed -i 's/-@if/@if/' Makefile
diff --git a/.github/scripts/update-docker-shas.sh b/.github/scripts/update-docker-shas.sh
@@ -5,24 +5,33 @@
 # Justfile and tests.yml read from docker-image-shas.yml directly — no patching needed.
 set -euo pipefail
 
-IMAGE="datadog/dd-appsec-php-ci"
+IMAGE="ghcr.io/cataphract/php-minimal"
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 LOCK_FILE="$SCRIPT_DIR/../docker-image-shas.yml"
 
 TAGS=(
-    php-8.0-debug       php-8.0-release-zts
-    php-8.1-debug       php-8.1-release-zts
-    php-8.2-debug       php-8.2-release-zts
-    php-8.3-debug       php-8.3-release-zts
-    php-8.4-debug       php-8.4-release-zts
-    php-8.5-debug       php-8.5-release-zts
+    8.0-debug       8.0-release-zts
+    8.1-debug       8.1-release-zts
+    8.2-debug       8.2-release-zts
+    8.3-debug       8.3-release     8.3-release-zts
+    8.4-debug       8.4-release-zts
+    8.5-debug       8.5-release-zts
 )
 
 get_index_digest() {
-    # The top-level "digest" field in the Hub tags API is the manifest-list
-    # (OCI index) digest, not a per-platform image digest.
-    curl -fsSL "https://hub.docker.com/v2/repositories/${IMAGE}/tags/$1" \
-        | python3 -c "import sys,json; print(json.load(sys.stdin)['digest'])"
+    local tag="$1" digest attempt
+    for attempt in 1 2 3; do
+        digest=$(docker buildx imagetools inspect "${IMAGE}:${tag}" \
+            | awk '/^Digest:/ { print $2; exit }')
+        if [[ -n "$digest" ]]; then
+            echo "$digest"
+            return 0
+        fi
+        echo "Attempt $attempt failed for $tag, retrying..." >&2
+        sleep $((attempt * 5))
+    done
+    echo "ERROR: could not fetch digest for $tag after 3 attempts" >&2
+    return 1
 }
 
 # Collect all digests first so we fail fast before touching any file.
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml
@@ -32,22 +32,30 @@ jobs:
           import yaml, json, os
           with open('.github/docker-image-shas.yml') as f:
               data = yaml.safe_load(f)
-          image = 'datadog/dd-appsec-php-ci'
+          image = 'ghcr.io/cataphract/php-minimal'
           includes = []
           for tag, sha in data[image].items():
-              # tag: "php-8.0-debug" or "php-8.0-release-zts"
-              ver, variant = tag[len('php-'):].split('-', 1)
-              includes.append({'php': ver, 'variant': variant, 'image_sha': sha})
+              # tag: "8.0-debug" or "8.0-release-zts"; skip non-test variants
+              ver, variant = tag.split('-', 1)
+              if variant not in ('debug', 'release-zts'):
+                  continue
+              includes.append({'php': ver, 'variant': variant, 'image_sha': sha,
+                                'libarchive_version': 'system'})
+          # Extra jobs testing specific libarchive versions (use PHP 8.4 debug)
+          sha_8_4_debug = data[image]['8.4-debug']
+          for la_ver in ['v3.5.0', 'v3.7.0', 'v3.8.6']:
+              includes.append({'php': '8.4', 'variant': 'debug', 'image_sha': sha_8_4_debug,
+                                'libarchive_version': la_ver})
           with open(os.environ['GITHUB_OUTPUT'], 'a') as f:
               f.write('matrix=' + json.dumps({'include': includes}) + '\n')
           EOF
 
   linux:
-    name: PHP ${{ matrix.php }} (${{ matrix.variant }})
+    name: PHP ${{ matrix.php }} (${{ matrix.variant }}, libarchive ${{ matrix.libarchive_version }})
     needs: generate-matrix
     runs-on: ubuntu-latest
     container:
-      image: datadog/dd-appsec-php-ci@${{ matrix.image_sha }}
+      image: ghcr.io/cataphract/php-minimal@${{ matrix.image_sha }}
       options: --user root
     strategy:
       fail-fast: false
@@ -57,12 +65,52 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
 
+      - name: Restore libarchive cache
+        if: matrix.libarchive_version != 'system'
+        uses: actions/cache@v4
+        with:
+          path: .libarchive-cache
+          key: libarchive-${{ matrix.libarchive_version }}-${{ runner.arch }}
+
+      - name: Build and test
+        env:
+          LIBARCHIVE_VERSION: ${{ matrix.libarchive_version }}
+        run: bash .github/scripts/build-and-test.sh
+
+      - name: Upload test results
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: test-results-php${{ matrix.php }}-${{ matrix.variant }}-libarchive${{ matrix.libarchive_version }}
+          path: report.xml
+
+  ubuntu:
+    name: ubuntu (PHP 8.3 release, ${{ matrix.arch }})
+    runs-on: ${{ matrix.runner }}
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - arch: x86_64
+            runner: ubuntu-latest
+          - arch: aarch64
+            runner: ubuntu-24.04-arm
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install PHP 8.3 and libarchive
+        run: |
+          sudo apt-get update -q
+          sudo apt-get install -y php8.3 php8.3-dev libarchive-dev
+
       - name: Build and test
         run: bash .github/scripts/build-and-test.sh
 
       - name: Upload test results
         uses: actions/upload-artifact@v4
         if: always()
         with:
-          name: test-results-php${{ matrix.php }}-${{ matrix.variant }}
+          name: test-results-ubuntu-php8.3-release-${{ matrix.arch }}
           path: report.xml
diff --git a/Justfile b/Justfile
@@ -4,20 +4,20 @@
 
 # ── Images ────────────────────────────────────────────────────────────────────
 
-_base := "datadog/dd-appsec-php-ci@"
-
-image_8_0_debug       := _base + `grep 'php-8.0-debug:'       .github/docker-image-shas.yml | cut -d'"' -f2`
-image_8_0_release_zts := _base + `grep 'php-8.0-release-zts:' .github/docker-image-shas.yml | cut -d'"' -f2`
-image_8_1_debug       := _base + `grep 'php-8.1-debug:'       .github/docker-image-shas.yml | cut -d'"' -f2`
-image_8_1_release_zts := _base + `grep 'php-8.1-release-zts:' .github/docker-image-shas.yml | cut -d'"' -f2`
-image_8_2_debug       := _base + `grep 'php-8.2-debug:'       .github/docker-image-shas.yml | cut -d'"' -f2`
-image_8_2_release_zts := _base + `grep 'php-8.2-release-zts:' .github/docker-image-shas.yml | cut -d'"' -f2`
-image_8_3_debug       := _base + `grep 'php-8.3-debug:'       .github/docker-image-shas.yml | cut -d'"' -f2`
-image_8_3_release_zts := _base + `grep 'php-8.3-release-zts:' .github/docker-image-shas.yml | cut -d'"' -f2`
-image_8_4_debug       := _base + `grep 'php-8.4-debug:'       .github/docker-image-shas.yml | cut -d'"' -f2`
-image_8_4_release_zts := _base + `grep 'php-8.4-release-zts:' .github/docker-image-shas.yml | cut -d'"' -f2`
-image_8_5_debug       := _base + `grep 'php-8.5-debug:'       .github/docker-image-shas.yml | cut -d'"' -f2`
-image_8_5_release_zts := _base + `grep 'php-8.5-release-zts:' .github/docker-image-shas.yml | cut -d'"' -f2`
+_base := "ghcr.io/cataphract/php-minimal@"
+
+image_8_0_debug       := _base + `grep '8.0-debug:'       .github/docker-image-shas.yml | cut -d'"' -f2`
+image_8_0_release_zts := _base + `grep '8.0-release-zts:' .github/docker-image-shas.yml | cut -d'"' -f2`
+image_8_1_debug       := _base + `grep '8.1-debug:'       .github/docker-image-shas.yml | cut -d'"' -f2`
+image_8_1_release_zts := _base + `grep '8.1-release-zts:' .github/docker-image-shas.yml | cut -d'"' -f2`
+image_8_2_debug       := _base + `grep '8.2-debug:'       .github/docker-image-shas.yml | cut -d'"' -f2`
+image_8_2_release_zts := _base + `grep '8.2-release-zts:' .github/docker-image-shas.yml | cut -d'"' -f2`
+image_8_3_debug       := _base + `grep '8.3-debug:'       .github/docker-image-shas.yml | cut -d'"' -f2`
+image_8_3_release_zts := _base + `grep '8.3-release-zts:' .github/docker-image-shas.yml | cut -d'"' -f2`
+image_8_4_debug       := _base + `grep '8.4-debug:'       .github/docker-image-shas.yml | cut -d'"' -f2`
+image_8_4_release_zts := _base + `grep '8.4-release-zts:' .github/docker-image-shas.yml | cut -d'"' -f2`
+image_8_5_debug       := _base + `grep '8.5-debug:'       .github/docker-image-shas.yml | cut -d'"' -f2`
+image_8_5_release_zts := _base + `grep '8.5-release-zts:' .github/docker-image-shas.yml | cut -d'"' -f2`
 
 _run := "docker run --rm --entrypoint bash -v \"$PWD:/src:ro\" --tmpfs /overlay:exec,size=1g --cap-add SYS_ADMIN -w /workspace --user root"
 _cmd := "-c 'mkdir -p /overlay/upper /overlay/work /workspace && mount -t overlay overlay -o lowerdir=/src,upperdir=/overlay/upper,workdir=/overlay/work /workspace && cd /workspace && .github/scripts/build-and-test.sh'"
diff --git a/libarchive.c b/libarchive.c
@@ -214,7 +214,7 @@ static void arch_oh_free_obj(zend_object *zobj)
         obj->filters_count = 0;
     }
     if (obj->archive) {
-        archive_read_close(obj->archive);
+        archive_read_free(obj->archive);
         obj->archive = NULL;
     }
     if (obj->arch_disk) {
diff --git a/php_compat.h b/php_compat.h
@@ -1,6 +1,6 @@
 #pragma once
 
-#if PHP_VERSION_ID < 80400
+#ifndef RETURN_THIS
 #define RETURN_THIS() ZVAL_COPY(return_value, getThis()); return
 #endif
 

Original file line number	Diff line number	Diff line change
`@@ -214,7 +214,7 @@ static void arch_oh_free_obj(zend_object *zobj)`
`214`	`214`	`obj->filters_count = 0;`
`215`	`215`	`}`
`216`	`216`	`if (obj->archive) {`
`217`		`- archive_read_close(obj->archive);`
	`217`	`+ archive_read_free(obj->archive);`
`218`	`218`	`obj->archive = NULL;`
`219`	`219`	`}`
`220`	`220`	`if (obj->arch_disk) {`