Third party PHP repository will be removed from the Ubuntu 22.04 image

[ddobranic]

Breaking changes

The third party repository for PHP will be removed from the Ubuntu 22.04 image in favor of the official Ubuntu software repository.

Target date

October, 31. The propagation will take 2-3 days.

The motivation for the changes

GitHub is tightening security on our images and will only use official sources for packages we install on our runner images going forward.

Possible impact

GitHub will not be able to add / pre-cache more versions of PHP on images in the future than what the Ubuntu repository offers. If your build depends on a pre-installed PHP version that is not the most up-to-date, they may break in the future. (for example there are 3 PHP versions pre-cached on Ubuntu 20.04 but this will not be the case for Ubuntu 22.04)

Platforms affected

• Azure DevOps
• GitHub Actions

Runner images affected

• Ubuntu 18.04
• Ubuntu 20.04
• Ubuntu 22.04
• macOS 10.15
• macOS 11
• macOS 12
• Windows Server 2019
• Windows Server 2022

Mitigation ways

GitHub recommends using the setup-php action for any customers who want to use any other (non-installed) versions of PHP or want to get latest PHP faster.

[GrahamCampbell]

Oh, dear. This will be a big blow for people using the defaults. Really badly out dated versions only available by default.

[GrahamCampbell]

The effect will be massively more bandwidth and compute time for PHP users as they start turning on the force update flag in order to get a usable version of PHP. https://github.com/shivammathur/setup-php#force-update-setup. Please re-consider this change.

[deleugpn]

I sympathise with the bad decision of phasing out PHP from the builds, but doing so by the end of this month seems like a massive impact. I would like to better understand what version is currently available by default and what version will become available in 2 weeks to better gauge how much busywork GitHub is generating me in such a short notice and very little regard for customer experience.

Has this been communicated by email by any chance for orgs that uses PHP on GH Actions or people that didn't see Graham's Tweet will just have a touch-luck in 2 weeks?

[erik-bershel]

@deleugpn it is very good idea to ask about additional information for better understanding. I will answer with great pleasure all questions for which I have answers. @GrahamCampbell take a look here, please.

So! What we have now? We have Ubuntu 18, 20 and 22 images. Let's take a look under the hood! Here are the lists of preinstalled PHP versions for all these images: Ubuntu 18, Ubuntu 20, Ubuntu 22.

For now, the only change is that the Ubuntu 22 image will use the official repository as the PHP source. In some not too distant future, after migrating YAML label "latest" from Ubuntu 20 runner image to Ubuntu 22, this will mean that the "ubuntu-latest" image will have only the latest available version of PHP officially distributed in the Canonical repository. These changes practically do not affect the current state of the images, no one plans to remove the pre-installed versions of PHP from Ubuntu 20. In this way, we can be practically sure that nothing particularly breaking will happen after two weeks.

[ralflang]

This encourages projects to use containers in their actions and workflows. That has both pros and cons.

[hrst]

@erik-bershel So just to understand this: when always using the most recent version is fine, nothing changes?

[GrahamCampbell]

this will mean that the "ubuntu-latest" image will have only the latest available version of PHP officially distributed in the Canonical repository. These changes practically do not affect the current state of the images, no one plans to remove the pre-installed versions

This is exactly the problem, however. The officially distributed PHP versions with Ubuntu are very, very old, and unusable to most people. This is why everyone uses the PPA that you have currently installed.

[erik-bershel]

@hrst I can't say that nothing will change at all in answer to your question. To be brief, for Ubuntu 20, nothing really will change according to that announcement.
The situation is somewhat different for the case of Ubuntu22. I would divide it into several segments.
The first segment continues from now and to the point of announced changes: Nothing changes for the community in this segment.
The second segment will come after the announced changes and will continue until the migration of the "ubuntu-latest" label: For users who used the Ubuntu 22 runner image, the source of PHP packages from third-party PPAs will change to the official Canonical repository. If these changes happened right now, they would change the minor version of the PHP package from 8.1.11 to 8.1.2 provided in the official APT repository. For two weeks the situation may change somewhat for both sources, both in the direction of the increase the gap between the sources and in the direction of its decrease, but with a small probability.
Further changes in the situation are quite difficult to predict, since they depend on updates to official and third-party repositories, as well as on the developers of the PHP language environment itself. I can say that now the situation in the official Canonical repository for Ubuntu 22 branch (jammy) is much better than for the Ubuntu 20 branch (focal).

[vintagesucks]

This effectively means that the PHP version included in the Ubuntu 22 image cannot be used if you want (or need) to test your application with a PHP version that includes the latest bugfixes and security patches.

For me personally, this would mean broken builds as soon as ubuntu-latest receives this change, as I require the latest security release, in this case PHP 8.1.11, for some of my projects.

This change is far from ideal and the proposed mitigation comes with its own set of drawbacks, as others in this issue have already pointed out.

[jpgnz]

GitHub is tightening security on our images.

This change has the opposite effect and at a minimum should be paused for the impact to be properly assessed. It reads as if there's a fundamental misunderstanding of what php packages are available, and how they're managed in the default Ubuntu repos.

[lionslair]

Does this mean best solution is to go back to maintaining a custom image to run on again?

[GrahamCampbell]

No, but if people did do that, it would definitely have the opposite effect of security hardening.

[erik-bershel]

Changes applied. The new image has been deployed.

[GrahamCampbell]

And the setup-php action has put in mitigations to precisely undo this change.

[GrahamCampbell]

Looks like this has added so much extra load, GitHub Actions is now having and outage. Well, I tried. 🤣

[mikhailkoliada]

Actually Large Runners are not updated it, lets preserve it open for a while

[sgloe]

What is the recommended migration way, when using Azure DevOps Pipelines?

[mikhailkoliada]

@sgloe you can still add the repo's addition step to your pipeline and then install a php version of your choice

[sgloe]

@mikhailkoliada Thanks, that's what we did now. Unfortunately, this increases build time by 90 seconds.

[CxDevLead]

What is the YAML settings to install PHP8.2 on Microsoft hosted action runners?

This is what I have in my YAML file, and it is failing on name: Setup PHP

variables:
  phpVersion: 8.2

steps:
  - name: Setup PHP
    id: setup-php
    uses: shivammathur/setup-php@v2
    displayName: 'Setup PHP version $(phpVersion)'
    with:
      php-version: '$(phpVersion)'
      coverage: none