Decoupling your Composer from GitHub and Packagist made easy
One of the things I learned very early on about working with a large team, is if you don’t make tasks as frictionless as possible, they have a tendency to not get done.
When we bought into using Behat as our functional testing framework of choice, it came with a mandate that when we install Behat, it cannot come from public sources. GitHub goes down. Repositories get updated. There have been instances of repos being compromised. We had to insulate ourselves from all of that risk. Fortunately, Composer has a GREAT tool for this, called Satis.
Satis provides you a way to create your own Packagist repository, complete with distributable tarballs of supported libraries. The one problem that I ran into (and this may have since been fixed? I’m not sure!) is that I couldn’t get it to download the dependencies of my dependencies. For example, your composer.json requires Package A which requires Package B. When I tried this, Satis would only build a repository with Package A. Knowing this would cause trouble down the line, I decided there had to be a way to make this simpler.
Out of that, Satis Repository Builder was born.
It will generate a Satis repository and upload it to S3 all with a single command. It’s still got some cleanup, but I realized that if I hadn’t done it in the last 4 months I wasn’t likely to do it in the next 4, and perhaps some feedback (or pull requests!) will spur some new life into my interest in it.
Once you have uploaded your repo, you can simply use the following setup in your composer.json to enforce pulling from your Satis repository:
That’s it! I’m sure there’s tons that can be done to the repo builder, and I look forward to seeing issues and pull requests!
One last piece of advice from the trenches
When you’re using a tool like this to decouple yourself from the risk of third party updates, be sure you are as specific as possible. List all of your dependencies and your dependencies dependencies, so when you do need to go back and upgrade a version of something, you control the scope of the update, not composer. The more specific you are in your composer.json about versions, the less variation you will see between builds of your satis repository.
there is actually a simpler way: making Satis include the dependencies of your dependencies: http://getcomposer.org/doc/articles/handling-private-packages-with-satis.md#resolving-dependencies
I could swear that didn’t exist when I went to do this 4-5 months ago, but maybe I missed it. Thanks!