@ma-04 ma-04 commented Jan 22, 2026

Resolves #25

Notes

Installing sqlsrv and pdo_sqlsrv requires the Microsoft ODBC driver. The Microsoft download repository also has issues with curl with regard to ca-certificates.

Summary by CodeRabbit

  • New Features
    • Full Microsoft SQL Server support now available with integrated ODBC drivers for seamless database connectivity
    • Significantly expanded PHP extension library including MongoDB, PostgreSQL, calendar functions, internationalization support, and multiple utility extensions
    • Enhanced security infrastructure with improved SSL certificate validation and management capabilities

coderabbitai bot commented Jan 22, 2026

Walkthrough

The Dockerfile extends build dependencies by adding ca-certificates and installs the Microsoft ODBC driver for SQL Server with architecture detection and GPG verification. PHP extensions installation is expanded to include 15 additional extensions: pspell, pcntl, mongodb, ldap, imap, grpc, gmp, gettext, excimer, ev, calendar, xsl, sqlsrv, pdo_sqlsrv, and pdo_pgsql.

Changes

| Cohort / File(s) | Summary |
|---|---|
| PHP Dockerfile Updates (`php/Dockerfile`) | Build stage APK dependencies extended with ca-certificates. Microsoft ODBC driver installation added with architecture detection, key import, package downloads, GPG signature verification, and untrusted package installation. PHP extensions expanded from existing set to include 15 new extensions (pspell, pcntl, mongodb, ldap, imap, grpc, gmp, gettext, excimer, ev, calendar, xsl, sqlsrv, pdo_sqlsrv, pdo_pgsql). |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 More extensions blooming, what a sight!
Microsoft ODBC drivers shining bright,
Laravel Cloud support now fully grown,
Our PHP garden seeds are sown! 🌱
From MongoDB to GRPC we climb,
Extensions multiplied, one by one in time! 🚀

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The PR title 'feat: add php extensions' directly summarizes the main change in the changeset, which adds multiple PHP extensions to the Docker configuration. |
| Linked Issues check | ✅ Passed | The PR successfully implements all 13 required PHP extensions from issue #25: calendar, ev, excimer, gettext, gmp, grpc, imap, ldap, mongodb, pcntl, pdo_pgsql, pspell, and xsl. Additionally, the PR addresses the special handling note for sqlsrv and pdo_sqlsrv by installing the Microsoft ODBC driver. |
| Out of Scope Changes check | ✅ Passed | All changes are directly related to adding PHP extensions as specified in issue #25. The additions of ca-certificates and Microsoft ODBC driver are necessary dependencies for the requested extensions, representing scope-appropriate implementation details. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

ma-04 commented Jan 22, 2026

@coderabbitai review

coderabbitai bot commented Jan 22, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🤖 Fix all issues with AI agents
In `@php/Dockerfile`:
- Around line 37-40: The Dockerfile uses curl with the -k flag for the
msodbcsql18 and mssql-tools18 APKs (the download commands that fetch
msodbcsql18_18.6.1.1-1_${ARCH}.apk/.sig and
mssql-tools18_18.6.1.1-1_${ARCH}.apk/.sig); remove the -k option to re-enable
TLS certificate validation and replace with safer flags like --fail --show-error
--remote-name to fail on HTTP errors and surface issues, keeping the existing
GPG signature verification and ensuring ca-certificates is installed before
these curl commands.
- Around line 32-44: The Dockerfile currently installs msodbcsql18 and
mssql-tools only in the builder stage (the lines that download
msodbcsql18_18.6.1.1-1_${ARCH}.apk and mssql-tools18_18.6.1.1-1_${ARCH}.apk and
run apk add --allow-untrusted), so the final runtime image lacks the ODBC driver
and odbcinst.ini; update the Dockerfile to either move the entire driver install
block into the final stage or copy the installed artifacts
(msodbcsql18_18.6.1.1-1_${ARCH}.apk contents, mssql-tools files, and
odbcinst.ini) plus install the unixODBC runtime dependency into the final image
so sqlsrv / pdo_sqlsrv can find the driver at runtime.

Comment on lines +32 to +44
# Install the Microsoft ODBC driver for SQL Server (Linux)
RUN apk add --no-cache ca-certificates curl gnupg && \
ARCH=$(uname -m) && \
case $ARCH in x86_64) ARCH="amd64";; aarch64|arm64) ARCH="arm64";; *) echo "Unsupported architecture: $ARCH" && exit 1;; esac && \
curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --import - && \
curl -O -k "https://download.microsoft.com/download/9dcab408-e0d4-4571-a81a-5a0951e3445f/msodbcsql18_18.6.1.1-1_${ARCH}.apk" && \
curl -O -k "https://download.microsoft.com/download/9dcab408-e0d4-4571-a81a-5a0951e3445f/msodbcsql18_18.6.1.1-1_${ARCH}.sig" && \
curl -O -k "https://download.microsoft.com/download/b60bb8b6-d398-4819-9950-2e30cf725fb0/mssql-tools18_18.6.1.1-1_${ARCH}.apk" && \
curl -O -k "https://download.microsoft.com/download/b60bb8b6-d398-4819-9950-2e30cf725fb0/mssql-tools18_18.6.1.1-1_${ARCH}.sig" && \
gpg --verify msodbcsql18_18.6.1.1-1_${ARCH}.sig msodbcsql18_18.6.1.1-1_${ARCH}.apk && \
gpg --verify mssql-tools18_18.6.1.1-1_${ARCH}.sig mssql-tools18_18.6.1.1-1_${ARCH}.apk && \
apk add --allow-untrusted msodbcsql18_18.6.1.1-1_${ARCH}.apk mssql-tools18_18.6.1.1-1_${ARCH}.apk && \
rm -f msodbcsql18_18.6.1.1-1_${ARCH}.apk msodbcsql18_18.6.1.1-1_${ARCH}.sig mssql-tools18_18.6.1.1-1_${ARCH}.apk mssql-tools18_18.6.1.1-1_${ARCH}.sig
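Review bot: the four `curl -O -k` downloads of the `.apk` and `.sig` files turn off TLS certificate validation, so `gpg --verify` is the only integrity check before `apk add --allow-untrusted`, and it trusts whichever key `curl -sSL https://packages.microsoft.com/keys/microsoft.asc | gpg --import -` happened to return. Drop `-k` and add `--fail` to those four commands, and after the import compare the key's fingerprint against a value pinned in the Dockerfile so a substituted key cannot satisfy the verify step. The `${ARCH}` expansions in the `gpg --verify`, `apk add` and `rm -f` arguments should also be double-quoted, as they already are in the URLs.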
@coderabbitai coderabbitai bot Jan 22, 2026

⚠️ Potential issue | 🔴 Critical

Install the Microsoft ODBC driver in the runtime image.

This block installs the driver only in the builder stage; the final image doesn’t include the ODBC driver artifacts (nor odbcinst.ini), so sqlsrv / pdo_sqlsrv will fail at runtime. Move the driver install to the final stage or copy the artifacts + runtime deps into the final image. Lines 32-44.

🔧 Example fix (copy artifacts + add unixODBC runtime dep)
@@
-RUN apk add --no-cache \
-    bash sed ghostscript mysql-client imagemagick shadow msmtp unzip linux-headers \
-    freetype icu openssl imagemagick libjpeg-turbo libwebp libpng libzip libssh2 git libgomp \
-    libssh2-dev lz4 libavif libxpm lz4-libs && \
+RUN apk add --no-cache \
+    bash sed ghostscript mysql-client imagemagick shadow msmtp unzip linux-headers \
+    freetype icu openssl imagemagick libjpeg-turbo libwebp libpng libzip libssh2 git libgomp \
+    libssh2-dev lz4 libavif libxpm lz4-libs unixodbc && \
     rm -rf /var/cache/apk/*
@@
 COPY --from=builder /usr/local/lib/php/extensions /usr/local/lib/php/extensions
 COPY --from=builder /usr/local/bin /usr/local/bin
 COPY --from=builder /home/www-data/.wp-cli /home/www-data/.wp-cli
+COPY --from=builder /opt/microsoft /opt/microsoft
+COPY --from=builder /etc/odbcinst.ini /etc/odbcinst.ini
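Review bot: copying only `/opt/microsoft` and `/etc/odbcinst.ini` in the two added `COPY --from=builder` lines may leave part of the install behind, because the builder step adds two packages (`msodbcsql18` and `mssql-tools18`) through `apk add`. Confirm that everything both packages place on disk, including any shared-library dependencies beyond `unixodbc`, lives under those two paths; otherwise install the verified `.apk` files in the final stage instead of copying, which also keeps the packages recorded in the runtime image's apk database.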
🧰 Tools
🪛 Checkov (3.2.334)

[medium] 33-44: Ensure that packages with untrusted or missing signatures are not used by apk via the '--allow-untrusted' option

(CKV2_DOCKER_7)


[high] 33-44: Ensure that certificate validation isn't disabled with curl

(CKV2_DOCKER_2)

Member Author

todo

@ma-04, understood! I've noted this for follow-up. Feel free to mention me if you have any questions while addressing it.


🧠 Learnings used
Learnt from: ma-04
Repo: flywp/dockerfiles PR: 29
File: php/Dockerfile:37-40
Timestamp: 2026-01-22T13:24:19.919Z
Learning: In the flywp/dockerfiles repository, when installing Microsoft ODBC driver packages from download.microsoft.com in Alpine Linux containers, curl experiences SSL certificate validation issues even with ca-certificates installed, so the `-k` flag is used with GPG signature verification as a compensating security control.
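
The trade-off recorded in the learning above (`-k` downloads compensated by GPG verification) can be checked mechanically. The following is an added example, not code from the flywp/dockerfiles repository, CodeRabbit or Checkov: a small Python audit that flags `curl -k` downloads and every file passed to `apk add --allow-untrusted` without an earlier `gpg --verify`. The sample Dockerfile, host name, file names and rule names are constructed for illustration.

```python
import re
import shlex

# Constructed sample modelled on the RUN instruction in this thread (placeholder
# host and file names); the "tools" package is deliberately left unverified.
SAMPLE = r'''FROM alpine
RUN apk add --no-cache ca-certificates curl gnupg && \
    curl -sSL https://example.invalid/keys/vendor.asc | gpg --import - && \
    curl -O -k "https://example.invalid/dl/driver_${ARCH}.apk" && \
    curl -O -k "https://example.invalid/dl/driver_${ARCH}.sig" && \
    curl -O -k "https://example.invalid/dl/tools_${ARCH}.apk" && \
    gpg --verify driver_${ARCH}.sig driver_${ARCH}.apk && \
    apk add --allow-untrusted driver_${ARCH}.apk tools_${ARCH}.apk
'''

# --insecure, or a short-option cluster containing k (-k, -sSLk, ...)
K_FLAG = re.compile(r"--insecure|-[A-Za-z]*k[A-Za-z]*")

def shell_commands(dockerfile):
    """Yield an argv list for every simple command inside RUN instructions."""
    text = re.sub(r"\\\r?\n", " ", dockerfile)          # join line continuations
    for m in re.finditer(r"^\s*RUN\s+(.*)$", text, re.I | re.M):
        for cmd in re.split(r"&&|\|\||[;|]", m.group(1)):
            try:
                argv = shlex.split(cmd)
            except ValueError:                           # unbalanced quote: best effort
                argv = cmd.split()
            if argv:
                yield argv

def audit(dockerfile):
    """Return (rule, file) findings in the order they occur in the Dockerfile."""
    findings, insecure, verified = [], set(), set()
    for argv in shell_commands(dockerfile):
        tool, args = argv[0], argv[1:]
        if tool == "curl" and any(K_FLAG.fullmatch(a) for a in args):
            for url in (a for a in args if "://" in a):
                name = url.rsplit("/", 1)[-1]            # file name curl -O will write
                insecure.add(name)
                findings.append(("tls-validation-disabled", name))
        elif tool == "gpg" and "--verify" in args:
            pos = [a for a in args if not a.startswith("-")]
            verified.update(pos[1:])                     # gpg --verify SIG DATA...
        elif tool == "apk" and "--allow-untrusted" in args:
            for pkg in (a for a in args if not a.startswith("-") and a != "add"):
                if pkg not in verified:                  # no earlier gpg --verify seen
                    kind = "insecure-download" if pkg in insecure else "untrusted-package"
                    findings.append((kind + "-not-verified", pkg))
    return findings
```

Calling `audit(SAMPLE)` reports the three `-k` downloads and then the one package that reaches `apk add --allow-untrusted` with no signature check in front of it.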
