Keep only the relevant environment variables in the container cache key

The container cache key included the entire environment (minus a hand-maintained
denylist - #4924, #4925), so any unrelated env var that differs between invocations
(CI runners inject per-job vars on every run) flipped the key and forced a full
container recompile + ignoreErrors re-validation.

The container only depends on the environment through (a) %env.X% references in
loaded configs and (b) env read at build time by a CompilerExtension (PHPStan reads
only PHPSTAN_FNSR, in FnsrExtension::beforeCompile()). Keep exactly those env vars
in the cache key - the %env.NAME% names (matching Nette's %([\w.-]*)% grammar) plus
self::BUILD_TIME_ENV_VARIABLES - and drop the rest. The container parameters still
carry the full env, so %env.*% resolution is unaffected; this only narrows the key.

ContainerCacheKeyEnvGuardTest enforces that every env var read at build time by a
CompilerExtension is declared, so a future build-time getenv() cannot silently reuse
a stale container.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: SanderMuller

src/DependencyInjection/Configurator.php

@@ -12,19 +12,25 @@
 use PHPStan\File\FileReader;
 use PHPStan\File\FileWriter;
 use PHPStan\Turbo\TurboExtensionEnabler;
+use function array_fill_keys;
+use function array_intersect_key;
 use function array_keys;
 use function count;
 use function error_reporting;
 use function explode;
+use function file_get_contents;
 use function hash_file;
 use function implode;
 use function in_array;
 use function is_dir;
 use function is_file;
 use function ksort;
+use function preg_match;
+use function preg_match_all;
 use function restore_error_handler;
 use function set_error_handler;
 use function sprintf;
+use function str_contains;
 use function str_ends_with;
 use function substr;
 use function time;
@@ -38,6 +44,14 @@
 final class Configurator extends \Nette\Bootstrap\Configurator
 {
 
+	/**
+	 * Environment variables PHPStan reads at build time inside a CompilerExtension, so the compiled
+	 * container depends on them and they must stay in the container cache key. FnsrExtension reads
+	 * PHPSTAN_FNSR in beforeCompile(). Enforced by ContainerCacheKeyEnvGuardTest, which fails if any
+	 * CompilerExtension reads an env var that is neither listed here nor referenced via %env.*%.
+	 */
+	public const BUILD_TIME_ENV_VARIABLES = ['PHPSTAN_FNSR'];
+
 	/** @var string[] */
 	private array $allConfigFiles = [];
 
@@ -97,6 +111,23 @@ public function loadContainer(): string
 		// make sure invocations via blackfire use the same container
 		unset($staticParameters['env']['BLACKFIRE_AGENT_SOCKET']);
 
+		// The container only depends on the environment through (a) %env.X% references in loaded
+		// configs and (b) env read at build time inside a CompilerExtension (PHPStan itself reads only
+		// PHPSTAN_FNSR, in FnsrExtension). Keep exactly those env vars in the cache key and drop the
+		// rest, so unrelated env vars (CI/terminal/session-injected) no longer flip the key and force a
+		// full container recompile + ignoreErrors re-validation - phpstan/phpstan#14072. (The container
+		// parameters still carry the full env via $this->staticParameters, so %env.*% resolution is
+		// unaffected; this only narrows the cache key.)
+		if (isset($staticParameters['env'])) {
+			$relevantEnvVariableNames = $this->relevantEnvVariableNamesForCacheKey();
+			if ($relevantEnvVariableNames !== null) {
+				$staticParameters['env'] = array_intersect_key(
+					$staticParameters['env'],
+					array_fill_keys($relevantEnvVariableNames, true),
+				);
+			}
+		}
+
 		$containerKey = [
 			$staticParameters,
 			array_keys($this->dynamicParameters),
@@ -231,6 +262,45 @@ public function createContainer(bool $initialize = true): OriginalNetteContainer
 		return $container;
 	}
 
+	/**
+	 * Names of the environment variables whose value can change the generated container, so they must
+	 * stay in the container cache key: every %env.NAME% referenced across the loaded configs, plus the
+	 * env vars PHPStan reads at build time itself (self::BUILD_TIME_ENV_VARIABLES). All other env vars
+	 * are dropped from the key. Returns null when a config references the whole %env% array, in which
+	 * case the entire environment must be kept.
+	 *
+	 * @return list<string>|null
+	 */
+	private function relevantEnvVariableNamesForCacheKey(): ?array
+	{
+		$names = self::BUILD_TIME_ENV_VARIABLES;
+		foreach ($this->allConfigFiles as $file) {
+			$contents = @file_get_contents($file);
+			if ($contents === false || !str_contains($contents, '%env')) {
+				continue;
+			}
+
+			// A bare %env% reference exposes the whole environment to the container; keep all of it.
+			if (preg_match('~%env%~', $contents) === 1) {
+				return null;
+			}
+
+			// Match Nette's parameter-name grammar (%([\w.-]*)% in Config\Adapters\NeonAdapter), so a
+			// valid reference like %env.MY-VAR% is not missed (which would drop MY-VAR from the key and
+			// reuse a stale container on change). The %, space etc. terminating the name keep comment
+			// prose like "%env.* foo" from being captured.
+			if (preg_match_all('~%env\.([\w.-]+)%~', $contents, $matches) === 0) {
+				continue;
+			}
+
+			foreach ($matches[1] as $name) {
+				$names[] = $name;
+			}
+		}
+
+		return $names;
+	}
+
 	/**
 	 * @return string[]
 	 */

tests/PHPStan/DependencyInjection/ContainerCacheKeyEnvGuardTest.php

@@ -0,0 +1,71 @@
+<?php declare(strict_types = 1);
+
+namespace PHPStan\DependencyInjection;
+
+use PHPUnit\Framework\TestCase;
+use RecursiveDirectoryIterator;
+use RecursiveIteratorIterator;
+use SplFileInfo;
+use function file_get_contents;
+use function implode;
+use function in_array;
+use function preg_match_all;
+use function sort;
+use function str_contains;
+use const PHP_EOL;
+
+/**
+ * Guards the container-cache-key narrowing in Configurator (phpstan/phpstan#14072): when no config
+ * references %env.*%, env vars are dropped from the cache key, so any env var a CompilerExtension
+ * reads at *build time* (getenv()/$_ENV) must be declared in Configurator::BUILD_TIME_ENV_VARIABLES -
+ * otherwise changing it would silently reuse a stale container. A new build-time env read in any
+ * extension fails this test instead of re-opening that hole. Detection is intentionally simple, with
+ * documented limits (acceptable - PHPStan's build-time env access goes through these patterns):
+ * literal env-var names only (route dynamic ones via %env.*), getenv()/$_ENV reads (not $_SERVER),
+ * and classes that directly extend CompilerExtension (not env read in a helper they delegate to).
+ */
+final class ContainerCacheKeyEnvGuardTest extends TestCase
+{
+
+	public function testBuildTimeEnvReadsInCompilerExtensionsAreDeclared(): void
+	{
+		$srcDir = __DIR__ . '/../../../src';
+		$offenders = [];
+
+		/** @var SplFileInfo $file */
+		foreach (new RecursiveIteratorIterator(new RecursiveDirectoryIterator($srcDir, RecursiveDirectoryIterator::SKIP_DOTS)) as $file) {
+			if (!$file->isFile() || $file->getExtension() !== 'php') {
+				continue;
+			}
+
+			$contents = file_get_contents($file->getPathname());
+			if ($contents === false || !str_contains($contents, 'extends CompilerExtension')) {
+				continue;
+			}
+
+			if (preg_match_all('~(?:getenv\(|\$_ENV\[)\s*[\'"]([A-Za-z_][A-Za-z0-9_]*)[\'"]~', $contents, $matches) === 0) {
+				continue;
+			}
+
+			foreach ($matches[1] as $envName) {
+				if (in_array($envName, Configurator::BUILD_TIME_ENV_VARIABLES, true)) {
+					continue;
+				}
+
+				$offenders[] = $file->getFilename() . ': ' . $envName;
+			}
+		}
+
+		sort($offenders);
+
+		$this->assertSame(
+			[],
+			$offenders,
+			'A CompilerExtension reads an environment variable at build time that is not declared in '
+			. 'Configurator::BUILD_TIME_ENV_VARIABLES. Add it there (so it stays in the container cache '
+			. 'key and a change recompiles), or read it via %env.* in a config instead:' . PHP_EOL
+			. implode(PHP_EOL, $offenders),
+		);
+	}
+
+}

tests/PHPStan/DependencyInjection/ContainerCacheKeyEnvTest.php

@@ -0,0 +1,178 @@
+<?php declare(strict_types = 1);
+
+namespace PHPStan\DependencyInjection;
+
+use Override;
+use PHPStan\File\FileHelper;
+use PHPUnit\Framework\TestCase;
+use function count;
+use function getenv;
+use function glob;
+use function is_dir;
+use function md5;
+use function putenv;
+use function rmdir;
+use function sprintf;
+use function sys_get_temp_dir;
+use function uniqid;
+use function unlink;
+use const DIRECTORY_SEPARATOR;
+
+final class ContainerCacheKeyEnvTest extends TestCase
+{
+
+	private const ENV_VAR = 'PHPSTAN_TEST_W1_CACHE_KEY';
+
+	private string $tmpDir;
+
+	private string|false $envBackup;
+
+	#[Override]
+	protected function setUp(): void
+	{
+		$this->envBackup = getenv(self::ENV_VAR);
+		$this->tmpDir = sys_get_temp_dir() . '/phpstan-container-cache-key-' . md5(uniqid());
+		$this->removeDirectory($this->tmpDir);
+	}
+
+	#[Override]
+	protected function tearDown(): void
+	{
+		if ($this->envBackup === false) {
+			putenv(self::ENV_VAR);
+		} else {
+			putenv(sprintf('%s=%s', self::ENV_VAR, $this->envBackup));
+		}
+
+		$this->removeDirectory($this->tmpDir);
+	}
+
+	public function testEnvironmentIsDroppedFromCacheKeyWhenNoConfigReferencesIt(): void
+	{
+		// No loaded config uses %env.*%, so an unrelated env change must NOT recompile the container.
+		putenv(sprintf('%s=first', self::ENV_VAR));
+		$this->buildContainer(__DIR__ . '/containerCacheKey-noenv.neon');
+
+		putenv(sprintf('%s=second', self::ENV_VAR));
+		$this->buildContainer(__DIR__ . '/containerCacheKey-noenv.neon');
+
+		$this->assertSame(
+			1,
+			$this->countCompiledContainers(),
+			'Changing an unrelated environment variable should reuse the cached container.',
+		);
+	}
+
+	public function testEnvironmentStaysInCacheKeyWhenAConfigReferencesIt(): void
+	{
+		// A loaded config uses %env.*%, so the environment is relevant and a change must recompile.
+		putenv(sprintf('%s=first', self::ENV_VAR));
+		$this->buildContainer(__DIR__ . '/containerCacheKey-withenv.neon');
+
+		putenv(sprintf('%s=second', self::ENV_VAR));
+		$this->buildContainer(__DIR__ . '/containerCacheKey-withenv.neon');
+
+		$this->assertSame(
+			2,
+			$this->countCompiledContainers(),
+			'When a config references %env.*%, changing it must recompile the container.',
+		);
+	}
+
+	public function testDashedEnvVariableReferenceStaysInCacheKey(): void
+	{
+		// %env.MY-VAR% is a valid Nette reference (parameter-name grammar %([\w.-]*)%). The env-name
+		// extraction must keep dash/dot/digit-start names too - otherwise changing such a referenced
+		// var would reuse a stale container, the regression class W1 fixes.
+		$envName = 'PHPSTAN_TEST_W1-DASH';
+		$backup = getenv($envName);
+		try {
+			putenv(sprintf('%s=first', $envName));
+			$this->buildContainer(__DIR__ . '/containerCacheKey-withenv-dashed.neon');
+
+			putenv(sprintf('%s=second', $envName));
+			$this->buildContainer(__DIR__ . '/containerCacheKey-withenv-dashed.neon');
+
+			$this->assertSame(
+				2,
+				$this->countCompiledContainers(),
+				'A %env.* reference whose name contains a dash must keep that var in the cache key.',
+			);
+		} finally {
+			if ($backup === false) {
+				putenv($envName);
+			} else {
+				putenv(sprintf('%s=%s', $envName, $backup));
+			}
+		}
+	}
+
+	public function testBuildTimeEnvVariableStaysInCacheKey(): void
+	{
+		// FnsrExtension reads getenv('PHPSTAN_FNSR') in beforeCompile() and rewires the container, so
+		// the compiled container depends on it even though no config references %env.*%. Toggling it
+		// must recompile - otherwise the change would be silently ignored (a stale container).
+		$backup = getenv('PHPSTAN_FNSR');
+		try {
+			putenv('PHPSTAN_FNSR=0');
+			$this->buildContainer(__DIR__ . '/containerCacheKey-noenv.neon');
+
+			putenv('PHPSTAN_FNSR=1');
+			$this->buildContainer(__DIR__ . '/containerCacheKey-noenv.neon');
+
+			$this->assertSame(
+				2,
+				$this->countCompiledContainers(),
+				'Changing PHPSTAN_FNSR (read at build time by FnsrExtension) must recompile the container.',
+			);
+		} finally {
+			if ($backup === false) {
+				putenv('PHPSTAN_FNSR');
+			} else {
+				putenv(sprintf('PHPSTAN_FNSR=%s', $backup));
+			}
+		}
+	}
+
+	private function buildContainer(string $additionalConfigFile): void
+	{
+		$rootDir = __DIR__ . '/../../..';
+		$fileHelper = new FileHelper($rootDir);
+		$rootDir = $fileHelper->normalizePath($rootDir, '/');
+		$containerFactory = new ContainerFactory($rootDir);
+		$containerFactory->create(
+			$this->tmpDir,
+			[
+				$containerFactory->getConfigDirectory() . '/config.level8.neon',
+				$additionalConfigFile,
+			],
+			[],
+		);
+	}
+
+	private function countCompiledContainers(): int
+	{
+		$containers = glob($this->tmpDir . '/cache/nette.configurator/Container_*.php');
+
+		return $containers === false ? 0 : count($containers);
+	}
+
+	private function removeDirectory(string $directory): void
+	{
+		if (!is_dir($directory)) {
+			return;
+		}
+
+		$entries = glob($directory . DIRECTORY_SEPARATOR . '*');
+		foreach ($entries === false ? [] : $entries as $entry) {
+			if (is_dir($entry)) {
+				$this->removeDirectory($entry);
+			} else {
+				@unlink($entry);
+			}
+		}
+
+		@rmdir($directory);
+	}
+
+}

tests/PHPStan/DependencyInjection/containerCacheKey-noenv.neon

@@ -0,0 +1,2 @@
+parameters:
+	customRulesetUsed: true

tests/PHPStan/DependencyInjection/containerCacheKey-withenv-dashed.neon

@@ -0,0 +1,5 @@
+# References an env var whose name contains a dash (%env.PHPSTAN_TEST_W1-DASH%) - a valid Nette
+# reference (Nette's parameter-name grammar is %([\w.-]*)%). The env-name extraction must keep such
+# names in the container cache key too, otherwise changing this var would reuse a stale container.
+parameters:
+	tmpDir: %env.PHPSTAN_TEST_W1-DASH%

tests/PHPStan/DependencyInjection/containerCacheKey-withenv.neon

@@ -0,0 +1,6 @@
+# References an environment variable via %env.<name>%, so that env var must stay in the container
+# cache key - otherwise changing it would wrongly reuse a stale container. The resolved tmpDir value
+# is irrelevant here (ContainerFactory::create() overrides tmpDir with its own argument); the
+# reference itself is what keeps PHPSTAN_TEST_W1_CACHE_KEY in the cache key.
+parameters:
+	tmpDir: %env.PHPSTAN_TEST_W1_CACHE_KEY%