feat: use pre-built fpm container image

.github/workflows/build-packages.yml

@@ -1,5 +1,4 @@
 ---
-
 # Runs the build-packages based on the provided files in test.yml
 name: build-packages
 
@@ -9,6 +8,10 @@ on:
 jobs:
   build-packages:
     runs-on: ubuntu-latest
+    permissions:
+      packages: read
+    env:
+      REGISTRY: ghcr.io
     steps:
       - uses: actions/checkout@v4
       - uses: actions/download-artifact@v3
@@ -19,6 +22,14 @@ jobs:
         with:
           name: package-parts-linuxmusl-x86-64
           path: agent/native/_build/linuxmusl-x86-64-release/
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: package
         run: make -C packaging package
       - name: package info

.github/workflows/cache.yml

@@ -0,0 +1,46 @@
+---
+name: Build Cached Container Images
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 3 * * 1-5"
+
+env:
+  DOCKER_BUILDKIT: 1
+  IMAGE_NAME: ${{ github.repository }}
+  REGISTRY: ghcr.io
+
+permissions:
+  contents: read
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Log in to the Container registry
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata (tags, labels) for Docker
+        id: meta
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=raw,value=latest
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0
+        with:
+          context: ./packaging/cache/
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}

.github/workflows/test-packages.yml

@@ -1,5 +1,4 @@
 ---
-
 # Runs the test packages based on the provided files in test.yml
 name: test-packages
 
@@ -10,12 +9,12 @@ on:
         required: true
         type: string
       max-parallel:
-        description: 'Set the maximum number of jobs that can run simultaneously in the matrix'
+        description: "Set the maximum number of jobs that can run simultaneously in the matrix"
         default: 20
         required: false
         type: number
       package-name:
-        description: 'The artifact name with the binaries to be tested'
+        description: "The artifact name with the binaries to be tested"
         default: "package"
         required: false
         type: string
@@ -35,6 +34,10 @@ jobs:
       TESTING_TYPE: ${{ matrix.item[2] }}
       ELASTIC_APM_PHP_TESTS_MATRIX_ROW: "${{ join(matrix.item, ',') }}"
       BUILD_PACKAGES: build/packages
+      REGISTRY: ghcr.io
+    permissions:
+      contents: read
+      packages: read
     steps:
       - uses: actions/checkout@v4
 
@@ -43,6 +46,13 @@ jobs:
           name: ${{ inputs.package-name }}
           path: ${{ env.BUILD_PACKAGES }}
 
+      - name: Log in to the Container registry
+        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       ## This will help with preparing the signed artifacts that were bundled in a zip file
       - if: ${{ inputs.package-name == 'signed-artifacts' }}
         name: Unzip signed packages

.github/workflows/test.yml

@@ -104,22 +104,30 @@ jobs:
           path: build/*junit.xml
           if-no-files-found: error
   build-packages:
+    permissions:
+      contents: read
+      packages: read
     needs:
       - build
       - static-checks-unit-tests
       - phpt-tests
     uses: ./.github/workflows/build-packages.yml
+    secrets: inherit
 
   generate-test-packages-matrix:
     uses: ./.github/workflows/generate-matrix.yml
 
   test-packages:
+    permissions:
+      contents: read
+      packages: read
     needs:
       - build-packages
       - generate-test-packages-matrix
     uses: ./.github/workflows/test-packages.yml
     with:
       include: ${{ needs.generate-test-packages-matrix.outputs.include }}
+    secrets: inherit
 
   # The very last job to report whether the Workflow passed.
   # This will act as the Branch Protection gatekeeper

packaging/Dockerfile

@@ -1,18 +1,4 @@
-FROM ruby:3.3.0-alpine3.18
-
-ENV FPM_VERSION 1.15.1
-RUN apk add --no-cache \
-    alpine-sdk make cpio curl libarchive-tools make php-pear \
-    python3 py3-virtualenv py3-setuptools py3-pip \
-    rpm unzip xz git tar dpkg \
-  && ln -sf python3 /usr/bin/python \
-  && gem install --no-document fpm -v ${FPM_VERSION}
-
-## Fix fpm issue, see https://github.com/jordansissel/fpm/issues/1227
-ADD fpm_apm.patch /tmp
-RUN (cd /usr/local/bundle/gems/fpm-${FPM_VERSION}/ ; patch -p 1 < /tmp/fpm_apm.patch ) \
-    && rm -f /tmp/fpm_apk.patch
-
+FROM ghcr.io/elastic/apm-agent-php:latest
 COPY create-package.sh /bin
 WORKDIR /app
 ENTRYPOINT ["/bin/create-package.sh"]

packaging/cache/Dockerfile

@@ -0,0 +1,14 @@
+FROM ruby:3.3.0-alpine3.18
+
+ENV FPM_VERSION 1.15.1
+RUN apk add --no-cache \
+    alpine-sdk make cpio curl libarchive-tools make php-pear \
+    python3 py3-virtualenv py3-setuptools py3-pip \
+    rpm unzip xz git tar dpkg \
+  && ln -sf python3 /usr/bin/python \
+  && gem install --no-document fpm -v ${FPM_VERSION}
+
+## Fix fpm issue, see https://github.com/jordansissel/fpm/issues/1227
+ADD fpm_apm.patch /tmp
+RUN (cd /usr/local/bundle/gems/fpm-${FPM_VERSION}/ ; patch -p 1 < /tmp/fpm_apm.patch ) \
+    && rm -f /tmp/fpm_apk.patch