Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Third party PHP repository will be removed from the Ubuntu 22.04 image #6331

Closed
3 of 10 tasks
ddobranic opened this issue Sep 30, 2022 · 20 comments
Closed
3 of 10 tasks
Assignees
Labels
Announcement Area: PHP awaiting-deployment Code complete; awaiting deployment and/or deployment in progress OS: Ubuntu

Comments

@ddobranic
Copy link
Contributor

Breaking changes

The third party repository for PHP will be removed from the Ubuntu 22.04 image in favor of the official Ubuntu software repository.

Target date

October, 31. The propagation will take 2-3 days.

The motivation for the changes

GitHub is tightening security on our images and will only use official sources for packages we install on our runner images going forward.

Possible impact

GitHub will not be able to add / pre-cache more versions of PHP on images in the future than what the Ubuntu repository offers. If your build depends on a pre-installed PHP version that is not the most up-to-date, they may break in the future. (for example there are 3 PHP versions pre-cached on Ubuntu 20.04 but this will not be the case for Ubuntu 22.04)

Platforms affected

  • Azure DevOps
  • GitHub Actions

Runner images affected

  • Ubuntu 18.04
  • Ubuntu 20.04
  • Ubuntu 22.04
  • macOS 10.15
  • macOS 11
  • macOS 12
  • Windows Server 2019
  • Windows Server 2022

Mitigation ways

GitHub recommends using the setup-php action for any customers who want to use any other (non-installed) versions of PHP or want to get latest PHP faster.

@GrahamCampbell
Copy link

Oh, dear. This will be a big blow for people using the defaults. Really badly out dated versions only available by default.

@GrahamCampbell
Copy link

GrahamCampbell commented Oct 19, 2022

The effect will be massively more bandwidth and compute time for PHP users as they start turning on the force update flag in order to get a usable version of PHP. https://github.com/shivammathur/setup-php#force-update-setup. Please re-consider this change.

@deleugpn
Copy link

deleugpn commented Oct 19, 2022

I sympathise with the bad decision of phasing out PHP from the builds, but doing so by the end of this month seems like a massive impact. I would like to better understand what version is currently available by default and what version will become available in 2 weeks to better gauge how much busywork GitHub is generating me in such a short notice and very little regard for customer experience.

Has this been communicated by email by any chance for orgs that uses PHP on GH Actions or people that didn't see Graham's Tweet will just have a touch-luck in 2 weeks?

@erik-bershel
Copy link
Contributor

@deleugpn it is very good idea to ask about additional information for better understanding. I will answer with great pleasure all questions for which I have answers. @GrahamCampbell take a look here, please.

So! What we have now? We have Ubuntu 18, 20 and 22 images. Let's take a look under the hood! Here are the lists of preinstalled PHP versions for all these images: Ubuntu 18, Ubuntu 20, Ubuntu 22.

For now, the only change is that the Ubuntu 22 image will use the official repository as the PHP source. In some not too distant future, after migrating YAML label "latest" from Ubuntu 20 runner image to Ubuntu 22, this will mean that the "ubuntu-latest" image will have only the latest available version of PHP officially distributed in the Canonical repository. These changes practically do not affect the current state of the images, no one plans to remove the pre-installed versions of PHP from Ubuntu 20. In this way, we can be practically sure that nothing particularly breaking will happen after two weeks.

@ralflang
Copy link

This encourages projects to use containers in their actions and workflows. That has both pros and cons.

@hrst
Copy link

hrst commented Oct 20, 2022

@erik-bershel So just to understand this: when always using the most recent version is fine, nothing changes?

@GrahamCampbell
Copy link

this will mean that the "ubuntu-latest" image will have only the latest available version of PHP officially distributed in the Canonical repository. These changes practically do not affect the current state of the images, no one plans to remove the pre-installed versions

This is exactly the problem, however. The officially distributed PHP versions with Ubuntu are very, very old, and unusable to most people. This is why everyone uses the PPA that you have currently installed.

@erik-bershel
Copy link
Contributor

@hrst I can't say that nothing will change at all in answer to your question. To be brief, for Ubuntu 20, nothing really will change according to that announcement.
The situation is somewhat different for the case of Ubuntu22. I would divide it into several segments.
The first segment continues from now and to the point of announced changes: Nothing changes for the community in this segment.
The second segment will come after the announced changes and will continue until the migration of the "ubuntu-latest" label: For users who used the Ubuntu 22 runner image, the source of PHP packages from third-party PPAs will change to the official Canonical repository. If these changes happened right now, they would change the minor version of the PHP package from 8.1.11 to 8.1.2 provided in the official APT repository. For two weeks the situation may change somewhat for both sources, both in the direction of the increase the gap between the sources and in the direction of its decrease, but with a small probability.
Further changes in the situation are quite difficult to predict, since they depend on updates to official and third-party repositories, as well as on the developers of the PHP language environment itself. I can say that now the situation in the official Canonical repository for Ubuntu 22 branch (jammy) is much better than for the Ubuntu 20 branch (focal).

@vintagesucks
Copy link

vintagesucks commented Oct 20, 2022

This effectively means that the PHP version included in the Ubuntu 22 image cannot be used if you want (or need) to test your application with a PHP version that includes the latest bugfixes and security patches.

For me personally, this would mean broken builds as soon as ubuntu-latest receives this change, as I require the latest security release, in this case PHP 8.1.11, for some of my projects.

This change is far from ideal and the proposed mitigation comes with its own set of drawbacks, as others in this issue have already pointed out.

@jpgnz
Copy link

jpgnz commented Oct 20, 2022

GitHub is tightening security on our images.

This change has the opposite effect and at a minimum should be paused for the impact to be properly assessed. It reads as if there's a fundamental misunderstanding of what php packages are available, and how they're managed in the default Ubuntu repos.

@lionslair
Copy link

Does this mean best solution is to go back to maintaining a custom image to run on again?

@GrahamCampbell
Copy link

No, but if people did do that, it would definitely have the opposite effect of security hardening.

@mikhailkoliada mikhailkoliada pinned this issue Oct 26, 2022
@erik-bershel erik-bershel added awaiting-deployment Code complete; awaiting deployment and/or deployment in progress Area: PHP labels Oct 27, 2022
shivammathur added a commit to shivammathur/setup-php that referenced this issue Oct 28, 2022
@erik-bershel
Copy link
Contributor

Changes applied. The new image has been deployed.

@GrahamCampbell
Copy link

And the setup-php action has put in mitigations to precisely undo this change. :trollface:

@GrahamCampbell
Copy link

Looks like this has added so much extra load, GitHub Actions is now having and outage. Well, I tried. 🤣

image

@mikhailkoliada mikhailkoliada unpinned this issue Nov 3, 2022
@mikhailkoliada mikhailkoliada reopened this Nov 4, 2022
@mikhailkoliada
Copy link
Contributor

Actually Large Runners are not updated it, lets preserve it open for a while

@sgloe
Copy link

sgloe commented Nov 6, 2022

What is the recommended migration way, when using Azure DevOps Pipelines?

@mikhailkoliada
Copy link
Contributor

@sgloe you can still add the repo's addition step to your pipeline and then install a php version of your choice

@sgloe
Copy link

sgloe commented Nov 7, 2022

@mikhailkoliada Thanks, that's what we did now. Unfortunately, this increases build time by 90 seconds.

spaze added a commit to spaze/michalspacek.cz that referenced this issue Nov 27, 2022
… versions than what's installed on ubuntu-latest which is just 8.1 at the moment

- actions/runner-images#6399
- actions/runner-images#6331
spaze added a commit to spaze/canhas.report that referenced this issue Nov 27, 2022
… versions than what's installed on ubuntu-latest which is just 8.1 at the moment

- actions/runner-images#6399
- actions/runner-images#6331
spaze added a commit to spaze/michalspacek.cz that referenced this issue Nov 28, 2022
… versions than what's installed on ubuntu-latest which is just 8.1 at the moment

- actions/runner-images#6399
- actions/runner-images#6331
@shivammathur shivammathur mentioned this issue Dec 12, 2022
4 tasks
@CxDevLead
Copy link

What is the YAML settings to install PHP8.2 on Microsoft hosted action runners?

This is what I have in my YAML file, and it is failing on name: Setup PHP

variables:
  phpVersion: 8.2

steps:
  - name: Setup PHP
    id: setup-php
    uses: shivammathur/setup-php@v2
    displayName: 'Setup PHP version $(phpVersion)'
    with:
      php-version: '$(phpVersion)'
      coverage: none

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Announcement Area: PHP awaiting-deployment Code complete; awaiting deployment and/or deployment in progress OS: Ubuntu
Projects
None yet
Development

No branches or pull requests