Experimentally provide executable version of PIE

.github/workflows/build-and-push-docker-image.yml

@@ -2,7 +2,7 @@
 # in a way to pass those permissions on, e.g.:
 #
 #  build-and-push-docker-image:
-#    needs: build-phar
+#    needs: build-assets
 #    permissions:
 #      contents: read
 #      id-token: write

.github/workflows/build-assets.yml

@@ -0,0 +1,161 @@
+# Invoking this pipeline requires additional permissions, so must be invoked
+# in a way to pass those permissions on, e.g.:
+#
+#  build-assets:
+#    permissions:
+#      contents: read
+#      id-token: write
+#      attestations: write
+#    uses: ./.github/workflows/build-assets.yml
+
+name: "Build the PIE assets"
+
+on:
+  workflow_call:
+
+permissions:
+  contents: read
+
+jobs:
+  build-phar:
+    runs-on: ${{ matrix.operating-system }}
+    strategy:
+      matrix:
+        operating-system:
+          - ubuntu-latest
+        php-versions:
+          - '8.1'
+    permissions:
+      # id-token:write is required for build provenance attestation.
+      id-token: write
+      # attestations:write is required for build provenance attestation.
+      attestations: write
+    steps:
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          coverage: none
+          tools: composer, box
+          php-version: "${{ matrix.php-version }}"
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      # Fixes `git describe` picking the wrong tag - see https://github.com/php/pie/issues/307
+      - run: git fetch --tags --force
+      # Ensure some kind of previous tag exists, otherwise box fails
+      - run: git describe --tags HEAD || git tag 0.0.0
+      - uses: ramsey/composer-install@v3
+      - name: Build PHAR
+        run: box compile
+      - name: Check the PHAR executes
+        run: php pie.phar --version
+      - name: Generate build provenance attestation
+        # It does not make sense to do this for PR builds, nor do contributors
+        # have permission to do. We can't write attestations to `php/pie` in an
+        # unprivileged context, otherwise anyone could send a PR with malicious
+        # code, which would store attestation that `php/pie` built the PHAR, and
+        # it would look genuine. So this should NOT run for PR builds.
+        if: github.event_name != 'pull_request'
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: '${{ github.workspace }}/pie.phar'
+      - uses: actions/upload-artifact@v5
+        with:
+          name: pie-${{ github.sha }}.phar
+          path: pie.phar
+
+  build-executable:
+    needs:
+     - build-phar
+    runs-on: ${{ matrix.operating-system }}
+    strategy:
+      fail-fast: false
+      matrix:
+        operating-system:
+          - ubuntu-24.04
+          - ubuntu-24.04-arm
+          - macos-15-intel
+          - macos-26
+          - windows-2025
+    permissions:
+      # id-token:write is required for build provenance attestation.
+      id-token: write
+      # attestations:write is required for build provenance attestation.
+      attestations: write
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Download SPC (non-Windows)
+        if: runner.os != 'Windows'
+        run: |
+          # @todo find a better way to do this :/
+          # Source URL: https://static-php.dev/en/guide/manual-build.html#build-locally-using-spc-binary-recommended
+          case "${{ matrix.operating-system }}" in
+            ubuntu-24.04)
+              curl -fsSL -o spc https://dl.static-php.dev/static-php-cli/spc-bin/nightly/spc-linux-x86_64
+              ;;
+
+            ubuntu-24.04-arm)
+              curl -fsSL -o spc https://dl.static-php.dev/static-php-cli/spc-bin/nightly/spc-linux-aarch64
+              ;;
+
+            macos-15-intel)
+              curl -fsSL -o spc https://dl.static-php.dev/static-php-cli/spc-bin/nightly/spc-macos-x86_64
+              ;;
+
+            macos-26)
+              curl -fsSL -o spc https://dl.static-php.dev/static-php-cli/spc-bin/nightly/spc-macos-aarch64
+              ;;
+
+            *)
+              echo "unsupported operating system: ${{ matrix.operating-system }}"
+              exit 1
+              ;;
+          esac
+          chmod +x spc
+          echo "SPC_BINARY=./spc" >> $GITHUB_ENV
+          echo "PIE_BINARY_OUTPUT=pie-${{ runner.os }}-${{ runner.arch }}" >> $GITHUB_ENV
+      - name: Download SPC (Windows)
+        if: runner.os == 'Windows'
+        run: |
+          curl.exe -fsSL -o spc.exe https://dl.static-php.dev/static-php-cli/spc-bin/nightly/spc-windows-x64.exe
+          chmod +x spc.exe
+          echo "SPC_BINARY=.\spc.exe" >> $env:GITHUB_ENV
+          echo "PIE_BINARY_OUTPUT=pie-${{ runner.os }}-${{ runner.arch }}.exe" >> $env:GITHUB_ENV
+
+      - name: Grab the pie.phar from artifacts
+        uses: actions/download-artifact@v5
+        with:
+          name: pie-${{ github.sha }}.phar
+
+      - name: Build for ${{ runner.os }} ${{ runner.arch }} on ${{ matrix.operating-system }}
+        run: ${{ env.SPC_BINARY }} craft resources/spc/craft.yml
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - name: Bundle pie.phar into executable PIE binary
+        run: ${{ env.SPC_BINARY }} micro:combine pie.phar --output=${{ env.PIE_BINARY_OUTPUT }}
+
+      - name: Setup PHP
+        uses: shivammathur/setup-php@v2
+        with:
+          coverage: none
+          tools: composer
+          php-version: "7.4"
+      - name: Quick validation that the binary runs
+        run: ./${{ env.PIE_BINARY_OUTPUT }} show --all
+
+      - name: Generate build provenance attestation
+        # It does not make sense to do this for PR builds, nor do contributors
+        # have permission to do. We can't write attestations to `php/pie` in an
+        # unprivileged context, otherwise anyone could send a PR with malicious
+        # code, which would store attestation that `php/pie` built the binaries,
+        # and it would look genuine. So this should NOT run for PR builds.
+        if: github.event_name != 'pull_request'
+        uses: actions/attest-build-provenance@v3
+        with:
+          subject-path: '${{ github.workspace }}/${{ env.PIE_BINARY_OUTPUT }}'
+
+      - uses: actions/upload-artifact@v5
+        with:
+          name: pie-${{ github.sha }}-${{ runner.os }}-${{ runner.arch }}.bin
+          path: ${{ env.PIE_BINARY_OUTPUT }}

.github/workflows/continuous-integration.yml

@@ -187,14 +187,14 @@ jobs:
       - name: Run phpstan
         run: vendor/bin/phpstan
 
-  build-phar:
+  build-assets:
     needs:
       - unit-tests
       - coding-standards
       - static-analysis
-    # See build-phar.yml for a list of the permissions and why they are needed
+    # See build-assets.yml for a list of the permissions and why they are needed
     permissions:
       contents: read
       id-token: write
       attestations: write
-    uses: ./.github/workflows/build-phar.yml
+    uses: ./.github/workflows/build-assets.yml

.github/workflows/docker-nightly-image-push.yml

@@ -11,18 +11,18 @@ permissions:
   contents: read
 
 jobs:
-  build-phar:
+  build-assets:
     if: github.ref_name == github.event.repository.default_branch
-    # See build-phar.yml for a list of the permissions and why they are needed
+    # See build-assets.yml for a list of the permissions and why they are needed
     permissions:
       contents: read
       id-token: write
       attestations: write
-    uses: ./.github/workflows/build-phar.yml
+    uses: ./.github/workflows/build-assets.yml
 
   build-and-push-docker-image:
     if: github.ref_name == github.event.repository.default_branch
-    needs: build-phar
+    needs: build-assets
     # See build-and-push-docker-image.yml for a list of the permissions and why they are needed
     permissions:
       contents: read

.github/workflows/docs.yml

@@ -17,20 +17,20 @@ concurrency:
   cancel-in-progress: false
 
 jobs:
-  build-phar:
+  build-assets:
     if: github.ref_name == github.event.repository.default_branch
-    # See build-phar.yml for a list of the permissions and why they are needed
+    # See build-assets.yml for a list of the permissions and why they are needed
     permissions:
       contents: read
       id-token: write
       attestations: write
-    uses: ./.github/workflows/build-phar.yml
+    uses: ./.github/workflows/build-assets.yml
 
   build-docs-package:
     if: github.ref_name == github.event.repository.default_branch
     runs-on: ubuntu-latest
     needs:
-      - build-phar
+      - build-assets
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -40,12 +40,22 @@ jobs:
         uses: actions/download-artifact@v6
         with:
           name: pie-${{ github.sha }}.phar
-      - name: Verify the PHAR
+      - name: Fetch the executable PIEs from artifacts
+        uses: actions/download-artifact@v5
+        with:
+          path: executable-pie-binaries
+          pattern: pie-${{ github.sha }}-*.bin
+          merge-multiple: true
+      - name: Verify the PHAR and binaries
         env:
           GH_TOKEN: ${{ github.token }}
-        run: gh attestation verify pie.phar --repo ${{ github.repository }}
+        run: |
+          gh attestation verify pie.phar --repo ${{ github.repository }} ;
+          find executable-pie-binaries -type f -exec gh attestation verify {} --repo ${{ github.repository }} \;
       - name: Copy PHAR into docs
         run: cp pie.phar docs-package/pie-nightly.phar
+      - name: Copy executables into docs
+        run: cp executable-pie-binaries/* docs-package/
       - name: Upload artifact
         uses: actions/upload-pages-artifact@v4
         with: