Migrate PHP packages to the unified packages.sury.org repository #2798

Draft
tomjn wants to merge 1 commit into develop from add/php-sury-migration


tomjn commented Jun 8, 2026

Member

Draft — migrates PHP sourcing for currently-supported Ubuntu releases from the Launchpad ppa:ondrej/php to the unified packages.sury.org repo, ahead of the PPA being retired.

Closes #2797 (tracking).

Why

The ondrej Launchpad PPA is being sunset (accelerated by the Launchpad DDoS); the maintainer is consolidating on packages.sury.org. See oerdnj/deb.sury.org#73.

Scope: supported releases only

The unified repo serves jammy (22.04), noble (24.04), resolute (26.04) — confirmed via dists/<codename>/Release. It does not serve focal/bionic, because ondrej deletes packages once an Ubuntu release reaches EOL (true of the PPA too) — so those are already dead upstream and are left untouched here.

Changes

  • sources-ubuntu-{jammy,noble}.list: deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ <codename> main
  • php_register_apt_keys routes by codename: installs the official deb.sury.org archive keyring (debsuryorg-archive-keyring.deb) on jammy/noble/resolute; EOL releases fall through to the existing Launchpad key logic
  • ondrej-ppa-pin pins the deb.sury.org origin alongside the legacy PPA origin
  • Removed the stale "packages.sury.org blocks VMs with HTTP 418" comment (long obsolete; apt access to the repo returns 200)

Validation

  • The Ubuntu 24 (noble) CI job is the real test — it proves noble PHP installs cleanly from sury, and that GitHub Actions datacenter IPs aren't blocked.
  • resolute's source file is handled in the Ubuntu 26 branch (Add Ubuntu 26.04 (Resolute Raccoon) support #2796), which rebases onto this once merged.

Notes / possible follow-ups

  • The sury keyring is installed via the official .deb (downloaded at provision time). A shipped offline fallback key (as done for nginx/mariadb) could be added if desired.
  • network_check in provision-helpers.sh still probes ppa.launchpadcontent.net; could add packages.sury.org as the supported-release critical host.

The Launchpad ondrej/php PPA is being retired in favour of the unified
deb.sury.org repository. Move PHP sourcing for the currently-supported
Ubuntu releases (jammy/noble/resolute) to packages.sury.org:

- jammy/noble apt sources now point at https://packages.sury.org/php/
  signed by the deb.sury.org archive keyring
- php_register_apt_keys installs the sury archive keyring on supported
  releases, falling through to the legacy Launchpad key handling on EOL
  releases (focal/bionic)
- Pin the deb.sury.org origin alongside the legacy PPA origin
- Drop the stale HTTP 418 note

Refs #2797

tomjn commented Jun 8, 2026

Member Author

CI result: mechanics validated, blocked on upstream extension parity

The Ubuntu 24 (noble) provisioning job exercised the migration end to end. The sury path works:

  • debsuryorg-archive-keyring (.deb) installs cleanly
  • https://packages.sury.org/php noble InRelease + Packages download and verify — no HTTP 418, no signature error (confirms datacenter/CI access is fine and the old 418 note was obsolete)
  • Base PHP 8.2 and common extensions resolve from sury

Blocker: the sury noble suite is missing several PHP extensions VVV installs, so the package step fails:

E: Unable to locate package php8.2-memcache / php8.2-memcached / php8.2-redis
E: Unable to locate package php8.2-pcov / php8.2-ssh2 / php8.2-yaml / php8.2-xdebug
E: Package 'php8.2-imagick' has no installation candidate

These exist on the legacy Launchpad PPA (so develop stays green) but aren't published on packages.sury.org yet — the same parity gap tracked in oerdnj/deb.sury.org#73 / #91 (imagick, redis, etc. incomplete for Ubuntu).

Status: implementation is complete and correct; do not merge until the unified repo reaches extension parity for jammy/noble (at minimum: xdebug, redis, imagick, memcached, yaml, ssh2, pcov). The CI job here is the readiness signal — it goes green once upstream catches up.
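
An added example, not part of this PR or the VVV code base: a shell check that every packages.sury.org entry in a one-line-style apt sources file is bound to the deb.sury.org keyring with signed-by, as the source line in the PR description is. The function names and sample entries are constructed for illustration, and deb822-style .sources files are not handled.

```shell
# EXPECTED_KEYRING: the keyring path quoted in the PR description.
EXPECTED_KEYRING="/usr/share/keyrings/debsuryorg-archive-keyring.gpg"

# Prints one finding per problem; returns 0 if the entry is fine, 1 if not.
audit_source_line() {
  local line="$1" opts="" signed="" status=0 rest uri o
  case "$line" in 'deb '*|'deb-src '*) ;; *) return 0 ;; esac  # skip comments, blanks
  rest="${line#* }"                                            # drop the entry type
  case "$rest" in '['*) opts="${rest#?}"; opts="${opts%%]*}"; rest="${rest#*] }" ;; esac
  uri="${rest%% *}"
  case "$uri" in *://packages.sury.org/*) ;; *) return 0 ;; esac  # other repos: out of scope
  for o in $opts; do
    case "$o" in
      signed-by=*) signed="${o#signed-by=}" ;;
      # trusted=yes makes apt accept the source even when authentication fails
      trusted=yes) echo "FAIL trusted=yes: $line"; status=1 ;;
    esac
  done
  if [ -z "$signed" ]; then
    # without signed-by, any key in apt's global trust store can vouch for this repo
    echo "FAIL no signed-by: $line"; status=1
  elif [ "$signed" != "$EXPECTED_KEYRING" ]; then
    echo "FAIL unexpected keyring $signed: $line"; status=1
  fi
  return "$status"
}

# Reads entries on stdin; returns the number of entries with findings.
audit_sources() {
  local bad=0 line
  while IFS= read -r line || [ -n "$line" ]; do
    audit_source_line "$line" || bad=$((bad + 1))
  done
  return "$bad"
}

# Constructed sample entries, not taken from the VVV repository.
sample_sources() {
  cat <<'EOF'
deb [signed-by=/usr/share/keyrings/debsuryorg-archive-keyring.gpg] https://packages.sury.org/php/ noble main
deb https://packages.sury.org/php/ noble main
deb [trusted=yes] https://packages.sury.org/php/ jammy main
deb [arch=amd64 signed-by=/etc/apt/trusted.gpg] https://packages.sury.org/php/ jammy main
deb http://archive.ubuntu.com/ubuntu noble main
EOF
}

sample_sources | audit_sources || echo "$? sury entries need attention"
```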
