Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding composer.lock in VCS ? #10446

Open
drupol opened this issue Dec 3, 2023 · 6 comments
Open

Adding composer.lock in VCS ? #10446

drupol opened this issue Dec 3, 2023 · 6 comments

Comments

@drupol
Copy link
Contributor

drupol commented Dec 3, 2023
edited
Loading

Hi there,

I'm writing to suggest an enhancement for the vimeo/psalm project to improve its integration and ensure long-term reliability, particularly for package managers like apt, rpm, yum, nix, etc etc.

The primary goal here is to enable reproducibility of the exact build of the PHAR released, down to the last bit. This is crucial, especially when distributing it as a binary for reasons of reliability and security.

To achieve this, I propose adding a composer.lock file to the vimeo/psalm repository. This file will ensure that psalm is reproducible on any system, regardless of environmental differences, by locking down specific versions of dependencies. Its absence currently hinders the ability to precisely replicate the builds you provide in your GitHub releases, introducing potential variability.

For example, in Nix, we have to provide our own composer.lock for each update, as seen here: NixOS/nixpkgs#271920

For reference, here are some projects that have recognized the value of versioning the composer.lock file:

If there are concerns about including the composer.lock file in the main repository, could it be an option to add it to the release artifacts on GitHub instead? This compromise would still greatly benefit reproducibility and consistency in dependency management.

Thank you for considering this enhancement. I look forward to your response.
@psalm-github-bot Psalm Github bot
Copy link

Hey @drupol, can you reproduce the issue on https://psalm.dev ?

@drupol
Copy link
Contributor Author

drupol commented Dec 3, 2023

Hey @drupol, can you reproduce the issue on https://psalm.dev ?

No, but I cannot reproduce the Psalm PHAR on my local machine 🥲

@drupol drupol mentioned this issue Dec 5, 2023
Closed
13 tasks
@danog
Copy link
Collaborator

danog commented Jan 17, 2024

Hi @drupol, note that the composer versions of the packages used to build the phar are already included inside of the phar, in the phar-versions.php file, you could use that instead of composer.lock.

@danog
Copy link
Collaborator

danog commented Jan 17, 2024

Mmm though only the versions Psalm and php-parser are included... I'll merge a commit to also bundle the entire composer.lock as well.

@drupol
Copy link
Contributor Author

drupol commented Jan 17, 2024
edited
Loading

That could be a potential solution, as long as we can extract the composer.lock used to build the phar, I'm happy!

I think in PHPUnit they had a command to print-out the composer.lock file, that could also be a cool thing.

danog added a commit to danog/psalm that referenced this issue Jan 17, 2024
@danog
Add composer.lock to phar (fixes vimeo#10446)
ac95e25
@weirdan
Copy link
Collaborator

weirdan commented Jan 17, 2024

Providing composer lock bundled with built artifacts (such as phar file) is definitely a good idea. Adding it to VCS is a lot less beneficial and can actually lead to 'works on my machine' situations because composer ignores composer.lock files of your dependencies (see https://getcomposer.org/doc/02-libraries.md#lock-file).

@danog danog mentioned this issue Jan 18, 2024
Open
@drupol drupol mentioned this issue Feb 2, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@weirdan @drupol @danog