Bump and pin the base layer#335
Conversation
I'm neither for nor against pinning here. I believe that the supply chain attack risk is rather low here (we do not build those images often and those are well-maintained packages).
I would hope that Dependabot reports new updates.
About PHP 8.5, we will upgrade later with the test suite and test runner.
Note that a member of @exercism/guardians should approve this. @IsaacG I think you are one; I do not know if you can self-approve.
+cc @mk-mxp
See also exercism/php-test-runner#173
Yes, Dependabot won't do cross-repo, but it may still open merge requests on every repo. PHP releases are generally once per year, so we can update once a year. If there is a little (time) desync it should be fine.
The problem with using Dependabot is that there's no way to ensure it uses the same hash consistently across the various repos. It might update the represented with SHA 123, go off for an hour during which a new SHA can be pushed, then use SHA 456 for the test runner.
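The cross-repo desync described in the comment above can be caught mechanically: resolve the tag to a digest once, apply that one digest to every repo's Dockerfile, and fail if two Dockerfiles disagree. The script below is an added example written for this page, not code from the PR or from any Exercism repository. The repository names, the `php:8.4-cli` tag and the two digests are constructed sample data; in practice the digest would come from a single network lookup such as `crane digest <image:tag>` or `docker buildx imagetools inspect <image:tag>`, which is not run here so the example stays offline.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches a Dockerfile FROM instruction: optional --platform flag, the image
# reference, and an optional "AS <stage>" alias. Case-insensitive, like Docker.
FROM_RE = re.compile(
    r"^(?P<kw>FROM)(?P<platform>\s+--platform=\S+)?\s+(?P<ref>\S+)(?P<stage>\s+AS\s+\S+)?\s*$",
    re.IGNORECASE,
)


def split_digest(ref: str) -> Tuple[str, Optional[str]]:
    """Return (reference without digest, digest or None) for 'name:tag[@sha256:...]'."""
    if "@" in ref:
        base, digest = ref.split("@", 1)
        return base, digest
    return ref, None


def pin_dockerfile(text: str, digests: Dict[str, str]) -> str:
    """Rewrite every FROM line whose image (digest stripped) appears in `digests`
    so it references exactly that digest. Any existing digest is replaced; stage
    names like 'FROM builder' and lines not in the mapping are left untouched."""
    out = []
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if m:
            base, _old = split_digest(m.group("ref"))
            if base in digests:
                line = (f"{m.group('kw')}{m.group('platform') or ''} "
                        f"{base}@{digests[base]}{m.group('stage') or ''}")
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


def from_digests(text: str) -> Dict[str, str]:
    """Map each base image named in a FROM line to its digest ('' if unpinned)."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if m:
            base, digest = split_digest(m.group("ref"))
            found[base] = digest or ""
    return found


def check_consistent(dockerfiles: Dict[str, str]) -> List[str]:
    """Report images that are unpinned in some file, or pinned to different
    digests in different files (the cross-repo drift the thread is worried about)."""
    problems: List[str] = []
    seen: Dict[str, Dict[str, str]] = {}  # base image -> {file: digest}
    for name, text in dockerfiles.items():
        for base, digest in from_digests(text).items():
            if not digest:
                problems.append(f"{name}: {base} is not pinned to a digest")
            seen.setdefault(base, {})[name] = digest
    for base, per_file in seen.items():
        distinct = {d for d in per_file.values() if d}
        if len(distinct) > 1:
            detail = ", ".join(f"{f}={d}" for f, d in sorted(per_file.items()))
            problems.append(f"{base}: digests differ across repos: {detail}")
    return problems


# Constructed sample data (not real digests or real repository contents): the same
# base tag in two repos, pinned to different digests as could happen if Dependabot
# resolved the tag at two different times.
DIGEST_A = "sha256:" + "a" * 64
DIGEST_B = "sha256:" + "b" * 64
SAMPLE_FILES = {
    "test-suite/Dockerfile": f"FROM php:8.4-cli@{DIGEST_A}\nRUN php -v\n",
    "test-runner/Dockerfile": f"FROM --platform=linux/amd64 php:8.4-cli@{DIGEST_B} AS base\n",
}


def demo() -> Tuple[List[str], List[str]]:
    """Check the sample before and after pinning both files to one digest."""
    before = check_consistent(SAMPLE_FILES)
    pinned = {name: pin_dockerfile(text, {"php:8.4-cli": DIGEST_A})
              for name, text in SAMPLE_FILES.items()}
    after = check_consistent(pinned)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

Running the check in CI of each repo, with the digest taken from one shared place (a file committed in one repo, or a single lookup done by whoever opens the bump PRs), turns the "same hash in every repo" requirement into a failing build rather than something a reviewer has to eyeball.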
This is a good opportunity to bump PHP to 8.5 while we're at it, too. Is that something you'd like to see happen here?