DataDog · realFlowControl · Jun 22, 2026 · Jun 22, 2026 · Jun 22, 2026 · Jun 22, 2026
@@ -21,7 +21,7 @@ jobs:
       CARGO_TARGET_DIR: /tmp/build-cargo
       RUST_TOOLCHAIN: nightly-2025-06-13
     container:
-      image: datadog/dd-trace-ci:php-${{matrix.php-version}}_bookworm-8
+      image: datadog/dd-trace-ci:php-${{matrix.php-version}}_bookworm-9
       # https://docs.github.com/en/actions/creating-actions/dockerfile-support-for-github-actions#user
       options: --user root
 
@@ -86,7 +86,7 @@ jobs:
       CARGO_TARGET_DIR: /tmp/build-cargo
       UBSAN_OPTIONS: print_stacktrace=1:halt_on_error=1
     container:
-      image: datadog/dd-trace-ci:php-8.5_bookworm-8
+      image: datadog/dd-trace-ci:php-8.5_bookworm-9
       options: --user root
 
     steps:

@@ -3,6 +3,7 @@ stages:
   - tests
   - deploy
   - ci-build
+  - ci-publish
 
 variables:
   GIT_SUBMODULE_STRATEGY: recursive
@@ -17,7 +18,6 @@ include:
   - project: DataDog/apm-reliability/libdatadog-build
     ref: 5826819695d93286569e70ed087ae6bf906ce2c3
     file: templates/ci_authenticated_job.yml
-  - local: .gitlab/ci-images.yml
 
 generate-templates:
   stage: build
@@ -56,6 +56,7 @@ generate-templates:
     - php ./.gitlab/generate-appsec.php   | tee .gitlab/appsec-gen.yml
     - php ./.gitlab/generate-profiler.php | tee .gitlab/profiler-gen.yml
     - php ./.gitlab/generate-shared.php   | tee .gitlab/shared-gen.yml
+    - php ./.gitlab/generate-ci-images.php | tee .gitlab/ci-images-gen.yml
   variables:
     GIT_SUBMODULE_STRATEGY: none
   artifacts:
@@ -89,6 +90,22 @@ appsec-trigger:
     PARENT_PIPELINE_ID: $CI_PIPELINE_ID
     GIT_SUBMODULE_PATHS: libdatadog appsec/third_party/cpp-base64 appsec/third_party/libddwaf appsec/third_party/libddwaf-rust appsec/third_party/msgpack-c
 
+# Manual maintenance pipeline that (re)builds the CI Docker images. Generated
+# from dockerfiles/ci/*/docker-compose.yml + .env so versions live in one place.
+# No strategy: depend — the parent must not wait on these manual jobs.
+ci-images:
+  stage: ci-build
+  rules:
+    - when: manual
+      allow_failure: true
+  needs:
+    - job: generate-templates
+      artifacts: true
+  trigger:
+    include:
+      - artifact: .gitlab/ci-images-gen.yml
+        job: generate-templates
+
 profiler-trigger:
   stage: tests
   needs: [ "generate-templates" ]

@@ -1,109 +1,44 @@
+# DO NOT EDIT THE GENERATED LINUX JOBS — they are produced by
+# .gitlab/generate-ci-images.php from the docker-compose.yml + .env files.
+# This file holds the STATIC preamble (stages, templates) and the Windows jobs,
+# which have no multi-arch manifest and stay hand-maintained.
+
+stages:
+  - ci-build
+  - ci-publish
+
 variables:
-  CI_REGISTRY_USER:
-    value: ""
-    description: "Your docker hub username"
-  CI_REGISTRY_TOKEN:
-    value: ""
-    description: "Your docker hub personal access token, can be created following this doc https://docs.docker.com/docker-hub/access-tokens/#create-an-access-token"
-  CI_REGISTRY:
-    value: "docker.io"
-
-CentOS:
-  stage: ci-build
-  rules:
-    - when: manual
-      allow_failure: true
-  needs: []
-  tags: ["arch:amd64"]
-  timeout: 4h
-  image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:29.4.0-noble
-  variables:
-    DDCI_CONFIGURE_OTEL_EXPORTER: "true"
-  parallel:
-    matrix:
-      - PHP_VERSION:
-        - base
-        - php-8.5
-        - php-8.4
-        - php-8.3
-        - php-8.2
-        - php-8.1
-        - php-8.0
-        - php-7.4
-        - php-7.3
-        - php-7.2
-        - php-7.1
-        - php-7.0
-  script:
-    - cd dockerfiles/ci/centos/7
-    - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
-    - docker buildx bake --no-cache --pull --push $PHP_VERSION
-
-Alpine:
+  CI_REGISTRY_IMAGE: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci"
+
+.linux_image_build:
   stage: ci-build
   rules:
     - when: manual
       allow_failure: true
   needs: []
-  tags: ["arch:amd64"]
   timeout: 4h
   image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:29.4.0-noble
   variables:
     DDCI_CONFIGURE_OTEL_EXPORTER: "true"
-  parallel:
-    matrix:
-      - PHP_VERSION:
-        - base-alpine
-        - 8.5-alpine
-        - 8.4-alpine
-        - 8.3-alpine
-        - 8.2-alpine
-        - 8.1-alpine
-        - 8.0-alpine
-        - 7.4-alpine
-        - 7.3-alpine
-        - 7.2-alpine
-        - 7.1-alpine
-        - 7.0-alpine
-  script:
-    - cd dockerfiles/ci/alpine_compile_extension
-    - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
-    - docker buildx bake --no-cache --pull --push $PHP_VERSION
-
-Bookworm:
-  stage: ci-build
+    KUBERNETES_CPU_REQUEST: "8"
+    KUBERNETES_CPU_LIMIT: "8"
+    KUBERNETES_MEMORY_REQUEST: "16Gi"
+    KUBERNETES_MEMORY_LIMIT: "16Gi"
+    MAKE_JOBS: "$KUBERNETES_CPU_LIMIT"
+
+.linux_publish:
+  stage: ci-publish
   rules:
     - when: manual
       allow_failure: true
+  # No deps: a publish just mirrors whatever already exists in
+  # registry.ddbuild.io to Docker Hub, so it can run without (re)building.
   needs: []
-  tags: ["arch:amd64"]
-  timeout: 4h
-  image: 486234852809.dkr.ecr.us-east-1.amazonaws.com/docker:29.4.0-noble
+  trigger:
+    project: DataDog/public-images
+    branch: main
   variables:
-    DDCI_CONFIGURE_OTEL_EXPORTER: "true"
-  parallel:
-    matrix:
-      - PHP_VERSION:
-        - base
-      - PHP_VERSION:
-        - php-8.5
-        - php-8.4
-        - php-8.3
-        - php-8.2
-        - php-8.1
-        - php-8.0
-        - php-8.0-shared-ext
-        - php-7.4
-        - php-7.4-shared-ext
-        - php-7.3
-        - php-7.2
-        - php-7.1
-        - php-7.0
-        MAKE_JOBS: ["2"]
-  script:
-    - cd dockerfiles/ci/bookworm
-    - echo "$CI_REGISTRY_TOKEN" | docker login -u "$CI_REGISTRY_USER" --password-stdin "$CI_REGISTRY"
-    - docker buildx bake --no-cache --pull --push $PHP_VERSION
+    IMG_REGISTRIES: "dockerhub"
 
 .windows_image_build:
   stage: ci-build
@@ -164,13 +99,6 @@ Bookworm:
 
     cd dockerfiles\ci\windows
 
-    $env:DOCKER_CONFIG = Join-Path $env:CI_PROJECT_DIR ".docker"
-    New-Item -ItemType Directory -Force -Path $env:DOCKER_CONFIG | Out-Null
-    Set-Content -Encoding ascii -Path (Join-Path $env:DOCKER_CONFIG "config.json") -Value '{"auths":{}}'
-
-    $env:CI_REGISTRY_TOKEN | docker login -u "$env:CI_REGISTRY_USER" --password-stdin "$env:CI_REGISTRY"
-    if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
-
     docker version
     if ($LASTEXITCODE -ne 0) { exit $LASTEXITCODE }
 
@@ -212,3 +140,38 @@ Bookworm:
         - "php-7.4"
         - "php-7.3"
         - "php-7.2"
+
+Publish Windows:
+  stage: ci-publish
+  rules:
+    - when: manual
+      allow_failure: true
+  needs:
+    - job: "Windows 1: Tool Images"
+    - job: "Windows 2: PHP Images"
+  trigger:
+    project: DataDog/public-images
+    branch: main
+  parallel:
+    matrix:
+      - TAG_NAME:
+        - "windows-base-vc15"
+        - "windows-base-vs16"
+        - "windows-base-vs17"
+        - "windows-vc15"
+        - "windows-vs16"
+        - "windows-vs17"
+        - "php-8.5_windows"
+        - "php-8.4_windows"
+        - "php-8.3_windows"
+        - "php-8.2_windows"
+        - "php-8.1_windows"
+        - "php-8.0_windows"
+        - "php-7.4_windows"
+        - "php-7.3_windows"
+        - "php-7.2_windows"
+  variables:
+    IMG_SOURCES: "registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:${TAG_NAME}"
+    IMG_DESTINATIONS: "dd-trace-ci:${TAG_NAME}"
+    IMG_REGISTRIES: "dockerhub"
+    IMG_SIGNING: false
@@ -0,0 +1,31 @@
+<?php echo file_get_contents(__DIR__ . '/ci-images.static.yml'); ?>
+<?php foreach ($osList as ['name' => $os, 'dir' => $dir, 'services' => $services]): ?>
+
+# One build job per PHP version. buildx bake reads the per-service x-bake
+# platforms from docker-compose.yml and builds BOTH arches on the amd64 runner's
+# managed "ci" builder, pushing a multi-arch manifest straight to the tag in the
+# compose `image:` field. No per-arch split, no manifest fuse job.
+<?= $os ?> build:
+  extends: .linux_image_build
+  tags: ["arch:amd64"]
+  parallel:
+    matrix:
+      - PHP_VERSION:
+<?php foreach (array_keys($services) as $svc): ?>
+          - <?= $svc, "\n" ?>
+<?php endforeach; ?>
+  script:
+    - cd <?= $dir, "\n" ?>
+    - docker buildx bake --no-cache --pull --push "${PHP_VERSION}"
+<?php foreach ($services as $svc => $tag): ?>
+
+# Mirror to Docker Hub. Independent (needs: [] via .linux_publish): just syncs
+# whatever is already in registry.ddbuild.io, so it can run without rebuilding.
+"<?= $os ?> publish: <?= $svc ?>":
+  extends: .linux_publish
+  variables:
+    IMG_SOURCES: "<?= $registry ?>:<?= $tag ?>"
+    IMG_DESTINATIONS: "dd-trace-ci:<?= $tag ?>"
+    IMG_SIGNING: false
+<?php endforeach; ?>
+<?php endforeach; ?>
@@ -71,7 +71,7 @@
 "test appsec extension":
   stage: test
   extends: .appsec_test
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-8
+  image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-${PHP_MAJOR_MINOR}_bookworm-9
   variables:
     KUBERNETES_CPU_REQUEST: 3
     KUBERNETES_CPU_LIMIT: 3
@@ -393,7 +393,7 @@
 "appsec code coverage":
   stage: test
   extends: .appsec_test
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.3_bookworm-8
+  image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.3_bookworm-9
   variables:
     KUBERNETES_CPU_REQUEST: 3
     KUBERNETES_MEMORY_REQUEST: 3Gi
@@ -515,7 +515,7 @@
 "appsec lint":
   stage: test
   extends: .appsec_test
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:php-8.3_bookworm-8
+  image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:php-8.3_bookworm-9
   variables:
     KUBERNETES_CPU_REQUEST: 3
     KUBERNETES_MEMORY_REQUEST: 9Gi
@@ -537,7 +537,7 @@
 "test appsec helper asan":
   stage: test
   extends: .appsec_test
-  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:bookworm-8
+  image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:bookworm-9
   variables:
     KUBERNETES_CPU_REQUEST: 3
     KUBERNETES_MEMORY_REQUEST: 3Gi
@@ -563,7 +563,7 @@
 #"fuzz appsec helper":
 #  stage: test
 #  extends: .appsec_test
-#  image: registry.ddbuild.io/images/mirror/datadog/dd-trace-ci:bookworm-8
+#  image: registry.ddbuild.io/ci/dd-trace-php/dd-trace-ci:bookworm-9
 #  variables:
 #    KUBERNETES_CPU_REQUEST: 3
 #    KUBERNETES_MEMORY_REQUEST: 5Gi