fix(docker): drop git from runtime, remove orphaned opcache.preload_user

Production runtime image doesn't need git (composer install runs in a
separate stage); cuts a non-trivial CVE surface. opcache.preload_user
without opcache.preload produces a startup warning — drop it; we don't
have a preload script.

Image still builds cleanly and php-fpm boots without warnings.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-26 23:07:59 -04:00
parent e264326b0b
commit 548fc5f1ee


@@ -39,7 +39,7 @@ ENV COMPOSER_ALLOW_SUPERUSER=1 \
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
git unzip curl ca-certificates \
curl ca-certificates \
libzip-dev libpng-dev libjpeg-dev libfreetype6-dev libwebp-dev \
libicu-dev libonig-dev libxml2-dev libcurl4-openssl-dev libssl-dev \
pkg-config \
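Review bot: the apt line drops `unzip` along with `git`, but the commit message only mentions git; either confirm nothing in the runtime image shells out to unzip (the `libzip-dev` package that backs the PHP zip extension is still installed, so PHP-level zip handling is unaffected) and say so in the message, or keep `unzip` and land its removal separately. Also, the hunk header shows this stage still sets `ENV COMPOSER_ALLOW_SUPERUSER=1`; if composer no longer runs in this stage, that variable is orphaned in the same way the commit message describes for `opcache.preload_user`, and removing it keeps the runtime stage consistent with the "composer runs elsewhere" claim. Finally, the context lines show `-dev` packages (`libzip-dev`, `libpng-dev`, `libicu-dev`, ...) being installed into what the message calls the production runtime image; if extensions are compiled here, headers and any toolchain they pull in remain in the final layer, which is a larger surface than git alone, so consider a later change that builds extensions in the build stage and copies only the shared objects forward.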
@@ -68,7 +68,6 @@ RUN { \
echo 'opcache.memory_consumption=256'; \
echo 'opcache.interned_strings_buffer=16'; \
echo 'opcache.max_accelerated_files=20000'; \
echo 'opcache.preload_user=www-data'; \
} > /usr/local/etc/php/conf.d/zz-opcache.ini
# php-fpm pool — listen on 0.0.0.0:9000 (sidecar nginx connects to localhost)
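Review bot: the removal itself is right, since `opcache.preload_user` has no effect without `opcache.preload` and only produces the startup warning the message describes; the follow-up worth adding is an automated check for the "boots without warnings" claim, for example a build-stage step that runs `php-fpm -t` and a quick `php -r 'var_dump(ini_get("opcache.preload"), ini_get("opcache.preload_user"));'` (both expected empty) so a future reintroduction of one setting without the other fails the build rather than surfacing as a log line. It is also worth a one-line comment in the `zz-opcache.ini` heredoc noting that if a preload script is ever added, `opcache.preload_user` must return with it: when php-fpm's master runs as root, PHP refuses to preload without a non-root preload user, so the pair should be added together.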