From 548fc5f1eef94b0c03fac49ee38da6c72405525f4caca9f699a50e2c0a2c016b Mon Sep 17 00:00:00 2001
From: Andrew <andrewmurray@ezscale.cloud>
Date: Sun, 26 Apr 2026 23:07:59 -0400
Subject: [PATCH] fix(docker): drop git from runtime, remove orphaned
 opcache.preload_user
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Production runtime image doesn't need git (composer install runs in a
separate stage); cuts a non-trivial CVE surface. opcache.preload_user
without opcache.preload produces a startup warning — drop it; we don't
have a preload script.

Image still builds cleanly and php-fpm boots without warnings.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 Dockerfile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 46c1b42..6b9d947 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -39,7 +39,7 @@ ENV COMPOSER_ALLOW_SUPERUSER=1 \
 
 RUN apt-get update \
     && apt-get install -y --no-install-recommends \
-        git unzip curl ca-certificates \
+        curl ca-certificates \
         libzip-dev libpng-dev libjpeg-dev libfreetype6-dev libwebp-dev \
         libicu-dev libonig-dev libxml2-dev libcurl4-openssl-dev libssl-dev \
         pkg-config \
@@ -68,7 +68,6 @@ RUN { \
         echo 'opcache.memory_consumption=256'; \
         echo 'opcache.interned_strings_buffer=16'; \
         echo 'opcache.max_accelerated_files=20000'; \
-        echo 'opcache.preload_user=www-data'; \
     } > /usr/local/etc/php/conf.d/zz-opcache.ini
 
 # php-fpm pool — listen on 0.0.0.0:9000 (sidecar nginx connects to localhost)