vimeo · danog · Feb 17, 2025 · Feb 17, 2025 · Feb 20, 2025 · Feb 20, 2025
diff --git a/.github/workflows/build-phar.yml b/.github/workflows/build-phar.yml
@@ -31,6 +31,7 @@ jobs:
   build-phar:
     permissions:
       contents: write # for release
+      packages: write
     needs: pre_job
     if: ${{ needs.pre_job.outputs.should_skip != 'true' }}
     runs-on: ubuntu-latest
@@ -80,6 +81,15 @@ jobs:
           GPG_SECRET_KEY: ${{ secrets.GPG_SECRET_KEY }}
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 
+      - name: Upload docker image
+        run: |
+          docker build . -t ghcr.io/vimeo/psalm:${{ github.ref_name }} --build-arg PSALM_REV=${{ github.ref_name }} -f bin/docker/Dockerfile
+
+          echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
+
+          docker tag ghcr.io/vimeo/psalm:${{ github.ref_name }} ghcr.io/vimeo/psalm:latest
+          docker push ghcr.io/vimeo/psalm:${{ github.ref_name }} ghcr.io/vimeo/psalm:latest
+
       - name: Upload release assets
         if: ${{ github.event_name == 'release' }}
         uses: svenstaro/upload-release-action@v2

diff --git a/bin/docker/Dockerfile b/bin/docker/Dockerfile
@@ -0,0 +1,43 @@
+# Not alpine, due to possible performance issues of MUSL malloc.
+#
+# In theory this should not be relevant because PHP uses its own allocator,
+# but some one-time initialization logic inside PHP bypasses it,
+# which means system malloc *is* used more often especially in cases like these.
+
+FROM php:8.4-cli
+
+# This line invalidates cache when master branch changes
+ADD https://github.com/vimeo/psalm/commits/master.atom /dev/null
+
+ADD https://github.com/mlocati/docker-php-extension-installer/releases/latest/download/install-php-extensions /usr/local/bin/
+
+RUN sed 's/-O2/-O3/g' -i /usr/local/bin/install-php-extensions && \
+    chmod +x /usr/local/bin/install-php-extensions && \
+    install-php-extensions pcntl mbstring xml dom igbinary opcache && \
+    rm /usr/local/bin/install-php-extensions
+
+RUN apt-get update && apt-get -y --no-install-recommends install git unzip && apt-get clean && rm -rf /var/lib/apt/lists/*
+
+ADD bin/docker/php.ini /usr/local/lib/php.ini
+
+COPY --from=composer:2 /usr/bin/composer /usr/bin/composer
+
+ARG PSALM_REV=dev-master
+RUN COMPOSER_ALLOW_SUPERUSER=1 \
+    COMPOSER_HOME="/composer" \
+    composer global require vimeo/psalm:${PSALM_REV} --prefer-dist --no-progress --dev && \
+    rm /usr/bin/composer /usr/local/bin/phpdbg /usr/local/bin/php-cgi /usr/local/lib/libphp.so
+
+ENV PATH /composer/vendor/bin:${PATH}
+
+# Add entrypoint script
+
+COPY ./bin/docker/entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+# Squash into single layer
+FROM scratch
+COPY --from=0 / /
+
+WORKDIR "/app"
+ENTRYPOINT ["/entrypoint.sh"]
diff --git a/bin/docker/entrypoint.sh b/bin/docker/entrypoint.sh
@@ -0,0 +1,35 @@
+#!/bin/sh -l
+set -e
+
+TAINT_ANALYSIS=""
+if [ "$INPUT_SECURITY_ANALYSIS" = "true" ]; then
+    TAINT_ANALYSIS="--taint-analysis"
+fi
+
+REPORT=""
+if [ ! -z "$INPUT_REPORT_FILE" ]; then
+    REPORT="--report=$INPUT_REPORT_FILE"
+fi
+
+SHOW_INFO=""
+if [ "$INPUT_SHOW_INFO" = "true" ]; then
+  SHOW_INFO="--show-info=true"
+fi
+
+PHP_VERSION=""
+if [ -n "$INPUT_PHP_VERSION" ]; then
+  PHP_VERSION="--php-version=$INPUT_PHP_VERSION"
+fi
+
+if [ -n "$INPUT_RELATIVE_DIR" ]
+then
+    if [ -d "$INPUT_RELATIVE_DIR" ]; then
+        echo "changing directory into $INPUT_RELATIVE_DIR"
+        cd "$INPUT_RELATIVE_DIR"
+    else
+    	echo "given relative_dir not existing"
+	exit 1
+    fi
+fi
+
+/composer/vendor/bin/psalm --force-jit --no-cache $TAINT_ANALYSIS $REPORT $SHOW_INFO $PHP_VERSION $*
diff --git a/bin/docker/php.ini b/bin/docker/php.ini
@@ -0,0 +1,36 @@
+memory_limit = -1
+zend.assertions = -1
+display_errors = On
+display_startup_errors = On
+
+ffi.enable=true
+
+zend_extension=opcache
+
+[opcache]
+opcache.memory_consumption=512M
+opcache.enable=1
+opcache.enable_cli=1
+opcache.jit=function
+opcache.validate_timestamps=0
+opcache.jit_buffer_size=128M
+opcache.file_update_protection=0
+opcache.max_accelerated_files=1000000
+opcache.interned_strings_buffer=64
+
+opcache.jit_prof_threshold=0.000000001
+opcache.jit_max_root_traces=  100000
+opcache.jit_max_side_traces=  100000
+opcache.jit_max_exit_counters=100000
+opcache.jit_hot_loop=1
+opcache.jit_hot_func=1
+opcache.jit_hot_return=1
+opcache.jit_hot_side_exit=1
+opcache.optimization_level=0x7FFEBFFF
+opcache.log_verbosity_level=0
+opcache.save_comments=1
+
+opcache.jit_blacklist_root_trace=255
+opcache.jit_blacklist_side_trace=255
+
+opcache.protect_memory=1