PHP CI/CD Pipelines — Modern Deployment for a Language That Powers 77% of the Web

PHP's deployment model has evolved far beyond FTP uploads. Modern PHP applications use Composer for dependency management, require specific PHP extensions compiled for the target version, and depend on opcache for production performance. A pipeline that does not handle these correctly produces slow, broken, or insecure deployments.

PHP extension management is a common source of CI failures. Extensions like pdo_pgsql, gd, intl, redis, and imagick need to be compiled for your specific PHP version. The official Docker PHP images provide docker-php-ext-install and docker-php-ext-configure, but getting the right system packages installed first requires careful Dockerfile configuration.

Testing PHP applications in CI requires PHPUnit or Pest, a database for integration tests, and potentially a running web server for functional tests. Without proper setup, tests that pass locally fail in CI due to missing extensions, different PHP configurations, or database connection issues.

We build a multi-stage Dockerfile starting from php:8.3-fpm-alpine with all required extensions compiled in the build stage. Composer dependencies are installed with --no-dev --optimize-autoloader --classmap-authoritative for production, and the vendor directory is cached by composer.lock hash. We separate extension installation into its own Docker layer so it is cached across builds.

Testing runs PHPUnit or Pest with MySQL/PostgreSQL service containers. We configure PHPStan or Psalm for static analysis at the highest practical level. Code style is enforced with PHP-CS-Fixer. All quality checks run in parallel to minimize pipeline duration. Coverage reports are generated in Clover format and published as PR comments.

For production, Nginx and PHP-FPM run in the same container or as separate containers behind a reverse proxy. We configure opcache with opcache.preload for frameworks that support it (Symfony, Laravel) and set opcache.validate_timestamps=0 for production to avoid stat() calls. Deployments use a rolling strategy with health check endpoints that verify database connectivity and cache availability.

A modern PHP CI/CD pipeline:

• Extension management — all PHP extensions compiled and cached in Docker layers
• Composer caching — dependencies cached by lockfile hash, optimized autoloader
• Quality gates — PHPStan/Psalm static analysis, PHP-CS-Fixer formatting
• Test automation — PHPUnit/Pest with database services and coverage reporting
• Opcache optimization — preloading and production-tuned settings
• Zero-downtime deployment — rolling updates with PHP-FPM graceful reload
• Security scanning — composer audit and Roave security advisories check