version bumps

[shelane]

Summary by CodeRabbit

• Chores
  • Refreshed container images: PHP 8.1–8.4 updated to latest patch releases.
  • Upgraded bundled tools across images: Composer 2.8.12, WP‑CLI 2.12.0, Acquia CLI 2.49.0, jq 1.8.1, yq 4.47.2.
  • Terminus set to 4.1.0 for PHP 8.2–8.4; PHP 8.1 remains on 3.6.2.
  • Builds will use the updated runtimes and tooling versions for all supported PHP images.

[coderabbitai]

📝 Walkthrough

Walkthrough

Bumps PHP base images and updates pinned versions of Composer 2, WP-CLI, Acquia CLI, jq, yq across Dockerfiles for 8.1–8.4. Terminus updated to 4.1.0 for 8.2–8.4; 8.1 keeps 3.6.2 with an added pin comment. No control-flow or build-step structural changes.

Changes

Cohort / File(s)	Summary of changes
Base image updates 8.1/Dockerfile, 8.2/Dockerfile, 8.3/Dockerfile, 8.4/Dockerfile	php:8.1.32 -> 8.1.33; 8.2.28 -> 8.2.29; 8.3.20 -> 8.3.26; 8.4.6 -> 8.4.13 (all -fpm-bookworm).
Common tooling pins (Composer, WP-CLI, Acquia CLI, jq, yq) 8.1/Dockerfile, 8.2/Dockerfile, 8.3/Dockerfile, 8.4/Dockerfile	COMPOSER2_VERSION 2.8.8 -> 2.8.12; WPCLI_VERSION 2.11.0 -> 2.12.0; ACQUIA_CLI_VERSION 2.41.1 -> 2.49.0; JQ_VERSION 1.7.1 -> 1.8.1; YQ_VERSION 4.45.1 -> 4.47.2.
Terminus version adjustments 8.1/Dockerfile	TERMINUS_VERSION unchanged at 3.6.2; added comment “Pin Terminus 3.6.2 for PHP 8.1”.
Terminus upgrade 8.2/Dockerfile, 8.3/Dockerfile	TERMINUS_VERSION 3.6.2 -> 4.1.0.
Terminus stabilization 8.4/Dockerfile	TERMINUS_VERSION 4.0.0-alpha2 -> 4.1.0.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Title Check	❓ Inconclusive	The provided title “version bumps” does point to the fact that multiple component versions are being updated, but it is too generic and does not specify which Docker images or CLI tools are affected, making it hard for reviewers to grasp the scope at a glance.	Consider updating the title to something more specific, for example “Bump PHP Docker base images and CLI tool versions,” so that the key changes are immediately clear to collaborators.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/version-bumps

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a0b4703 and 63ded70.

📒 Files selected for processing (4)

• 8.1/Dockerfile (1 hunks)
• 8.2/Dockerfile (1 hunks)
• 8.3/Dockerfile (1 hunks)
• 8.4/Dockerfile (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: Build: 8.4/arm64
• GitHub Check: Build: 8.1/amd64
• GitHub Check: Build: 8.3/arm64
• GitHub Check: Build: 8.1/arm64
• GitHub Check: Build: 8.4/amd64
• GitHub Check: Build: 8.2/arm64
• GitHub Check: Build: 8.2/amd64
• GitHub Check: Build: 8.3/amd64

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (4)

8.2/Dockerfile (1)

171-196: Optional: add checksum verification for downloaded tools.
Use upstream-provided SHA256 sums to harden supply chain.

Example for composer2 within this RUN block:

-  curl -fsSL "https://github.com/composer/composer/releases/download/${COMPOSER2_VERSION}/composer.phar" -o /usr/local/bin/composer2; \
+  curl -fsSL "https://github.com/composer/composer/releases/download/${COMPOSER2_VERSION}/composer.phar" -o /usr/local/bin/composer2; \
+  curl -fsSL "https://github.com/composer/composer/releases/download/${COMPOSER2_VERSION}/composer.phar.sha256sum" -o /tmp/composer2.sha256sum; \
+  (cd /usr/local/bin && sha256sum -c /tmp/composer2.sha256sum); \

8.3/Dockerfile (1)

171-196: Optional: checksum verification for downloads.
Same approach as suggested in 8.2 to validate artifacts at build time.

8.4/Dockerfile (1)

171-196: Optional: checksum verification for downloads.
Recommend validating at least the core tooling (composer2, terminus, wp, acli).

8.1/Dockerfile (1)

171-196: Optional: checksum verification for downloads.
Same as other versions; add SHA256 checks where feasible.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a0b4703 and 9159475.

📒 Files selected for processing (4)

• 8.1/Dockerfile (2 hunks)
• 8.2/Dockerfile (2 hunks)
• 8.3/Dockerfile (2 hunks)
• 8.4/Dockerfile (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (8)

• GitHub Check: Build: 8.2/amd64
• GitHub Check: Build: 8.1/amd64
• GitHub Check: Build: 8.3/amd64
• GitHub Check: Build: 8.1/arm64
• GitHub Check: Build: 8.2/arm64
• GitHub Check: Build: 8.4/arm64
• GitHub Check: Build: 8.3/arm64
• GitHub Check: Build: 8.4/amd64

🔇 Additional comments (8)

8.2/Dockerfile (2)

1-1: Base image bump LGTM.

---

161-169: Verified all specified release assets exist for amd64 and arm64 (all URLs returned HTTP 200).

8.3/Dockerfile (2)

1-1: Base image bump LGTM.

---

161-169: Asset availability verified for all bumped versions (all URLs returned HTTP 200).

8.4/Dockerfile (2)

1-1: Base image bump LGTM.

---

161-169: Assets validated: all bumped tool versions (including Terminus 4.1.0) returned HTTP 200.

8.1/Dockerfile (2)

1-1: Base image bump LGTM.

---

160-169: Version bumps OK; all tools confirmed PHP 8.1 compatible. Acquia CLI requires ^8.1; WP-CLI’s ^8.0 covers 8.1. Terminus pin rationale preserved.