aboutsummaryrefslogtreecommitdiffstats
path: root/posts/packagist_own_git_server.md
blob: 5525d31ffb11c608cfa0e87b4c310f704663f679 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
---
title: Packagist with your own Git Server
published: 2018-05-29
modified: 2016-06-02
---

The [Packagist](https://packagist.org/) service is used to make it possible to 
install PHP dependencies using the [Composer](https://getcomposer.org/) tool. 
It is very much "optimized" for GitHub, but using your own Git server is also 
supported, although it has some rough edges:

1. Packagist is not able to connect to web servers using the 
[Modern compatibility](https://wiki.mozilla.org/Security/Server_Side_TLS#Modern_compatibility) 
TLS configuration (issue [#918](https://github.com/composer/packagist/issues/918));
2. Packagist's `update-package` hook requires the repository URL to have at 
least two path segments (issue [#917](https://github.com/composer/packagist/issues/917));
3. Packgist's Git hook documentation could be more clear.

It is not so difficult to work around these issues though. Hopefully these 
workarounds will not be required anymore in the future.

### TLS

You can use the 
[Intermediate compatibility](https://wiki.mozilla.org/Security/Server_Side_TLS#Intermediate_compatibility_.28default.29) 
TLS configuration for your "git" virtual host.

### Path Segments

If you set up your Git server according to my previous blog post 
[here](git_server_centos.html), you will have the problem that the 
`update-package` Git hook to won't work with Packagist. The repository URL must 
contain at least two path segments. So, for example the repository URL 
`https://HOST/php-yubitwee` won't work, but 
`https://HOST/fkooman/php-yubitwee` will.

In order to work around this, you can modify the `repo.url` and `repo.path` 
fields in `/etc/cgitrc`, e.g.:

    repo.url=fkooman/php-yubitwee
    repo.path=/var/lib/git/fkooman/php-yubitwee.git

Then move the repository directory to `/var/lib/git/fkooman/php-yubitwee.git` 
from `/var/lib/git/php-yubitwee.git` as well. That should be sufficient. 
Don't forget to clear the cache as documented in the previous blog post.

### Git Hook

The Packagist Git hook configuration is more or less documented 
[here](https://packagist.org/about#how-to-update-packages).

What I actually ended up doing is put the following script as `post-receive` in 
my Git repository `hooks` directory, e.g. 
`/var/lib/git/fkooman/php-yubitwee.git/hooks/post-receive`:

    #!/bin/sh
    API_TOKEN=12345abcde

    /usr/bin/curl \
        -s \
        -X POST \
        -H "Content-Type: application/json" \
        "https://packagist.org/api/update-package?username=fkooman&apiToken=${API_TOKEN}" \
        -d '{"repository":{"url":"https://HOST/fkooman/php-yubitwee"}}'

Note that the `PACKAGIST_PACKAGE_URL` as mentioned on the Packagist 
documentation page is actually *your* Git repository URL.

Make sure the file is executable:

    $ chmod 0755 /var/lib/git/fkooman/php-yubitwee.git/hooks/post-receive

You can actually run it directly to test it, otherwise it will be triggered 
when you push to your Git server.

**Update (2018-06-02)**: there are a couple of more things to keep in mind. One
is that you need add a `source` key under `support` in `composer.json`, 
otherwise the "Source" link on Packagist will keep pointing to GitHub:

    "support": {
        "email": "fkooman@tuxed.net",
        "source": "https://git.tuxed.net/fkooman/php-yubitwee"
    },

There is another problem with checking for updated tags. It seems Packagist 
won't find the new tags when committing a new tag to the repository. This 
could be due to cgit caching... At the moment I have no idea how to properly 
investigate this...

In addition, you MUST push a new (tagged) release before Composer will retrieve
the code from your new repository location in case you moved your repository. 
The older version(s) will keep being pulled in from the old location, even if 
they are no longer available there, thus breaking Composer if it depend on your
code. Not great.

All in all, it may not be the worst idea to not use Packagist at all for your
packages, and instead just specify the repository directly in the 
`composer.json` of the projects that depend on your code, for example:

    "repositories": [
        {
            "type": "vcs",
            "url": "https://git.tuxed.net/fkooman/php-yubitwee"
        }
    ],

    ...

    "require": {
        "fkooman/yubitwee": "^1"
    },

    ...

That would solve all Packagist problems, and in the process reduce another 
(direct) proprietary dependency from the list!