CORE-POS / IS4C

Cooperative Operational Retail Environment
http://www.core-pos.com
GNU General Public License v2.0

How best to manage Composer #1173

Closed lgedgar closed 1 year ago

lgedgar commented 1 year ago

master

Office (both?)

Perhaps all 3..

Working on a demo site which should always run "latest" CORE. So this is not a fork, just running master branch from this repo. Will be auto-upgrading it nightly to keep it current.

The problem comes with Composer, and the composer.json file. As of Composer 2.5.4, but probably earlier versions too, the composer install command now prompts about explicitly enabling some plugins, for the install to work. Getting 3 separate prompts, like:

ledgar@demo:/srv/corepos/upstream/IS4C$ composer install
composer/installers contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins
Do you trust "composer/installers" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?] y
corepos/composer-installer contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins
Do you trust "corepos/composer-installer" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?] y
oomphinc/composer-installers-extender contains a Composer plugin which is currently not in your allow-plugins config. See https://getcomposer.org/allow-plugins
Do you trust "oomphinc/composer-installers-extender" to execute code and wish to enable it now? (writes "allow-plugins" to composer.json) [y,n,d,?]  y

NB. it's also possible to avoid the prompts, by enabling ahead of time via commands:

composer config --no-plugins allow-plugins.composer/installers true
composer config --no-plugins allow-plugins.corepos/composer-installer true
composer config --no-plugins allow-plugins.oomphinc/composer-installers-extender true

In either case the end result is that composer.json has been modified with these plugin allowances:

diff --git a/composer.json b/composer.json
index 98111049a..f67531ccb 100644
--- a/composer.json
+++ b/composer.json
@@ -66,5 +66,12 @@
             "COREPOS\\Fannie\\API\\": "fannie/classlib2.0/",
             "COREPOS\\Fannie\\Plugin\\": "fannie/modules/plugins2.0/"
         }
+    },
+    "config": {
+        "allow-plugins": {
+            "composer/installers": true,
+            "corepos/composer-installer": true,
+            "oomphinc/composer-installers-extender": true
+        }
     }
 }
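
Review bot: the three entries added under "config" / "allow-plugins" let those packages run code on every composer install from this file, and nothing in the change records why each one is trusted. Since composer.json cannot carry comments, that reasoning belongs in the commit message or the install docs. Keep the entries as exact package names set to true, as they are here, rather than widening them to a blanket allowance later.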

So that means git status no longer is clean, which means git pull cannot happen until it's cleaned up. I also tried adding --global to the composer config commands, which did add plugin allowances to a different file, ~/.config/composer/config.json - but then composer install still gave same prompts, so not sure why that would be ignoring the global allowances..?

The basic nightly upgrade plan will be e.g.:

cd /srv/corepos/upstream/IS4C
git pull
composer install

But that won't work given the dirty working folder. A workaround for now will be to tweak that sequence to be more like:

cd /srv/corepos/upstream/IS4C
git checkout -- composer.json
git pull
composer config --no-plugins allow-plugins.composer/installers true
composer config --no-plugins allow-plugins.corepos/composer-installer true
composer config --no-plugins allow-plugins.oomphinc/composer-installers-extender true
composer install

I'm wondering then, what should happen here to improve the situation. Is there any harm in adding the plugin allowances directly to composer.json in this master repo? (I don't know what the implications might be.) Is there some other trick I should know about etc.?

Another issue when forking the repo and adding custom plugins, is that esp. the composer.lock file becomes essentially irreconcilable between the fork and upstream, so any changes made to upstream are difficult to merge into the fork. I plan to avoid that by way of Poser (cf. #1074) and keeping plugins separate. (So far no plugins need any extra Composer packages..) But am curious if there is some strategy that might "normally" be used aside from Poser, to add extra packages while preserving upstream composer.lock etc.?

lgedgar commented 1 year ago

Dang it, never mind.. I had a typo in my composer config --global command, have fixed that and now those global allowances are being respected. No more prompts happening in the CORE folder..

Sorry for noise!
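
An added example, not part of the original thread or the CORE-POS project: a pre-flight check an unattended nightly job could run before composer install. It reads the global ~/.config/composer/config.json and the project composer.json and reports any plugin allowance beyond the three named in the thread. The merge rule (project entries override global ones), the sample JSON and the function names are assumptions made for the example.

```python
import json
from fnmatch import fnmatchcase

# The three plugins enabled in the thread; any other allowance deserves review.
EXPECTED = {
    "composer/installers",
    "corepos/composer-installer",
    "oomphinc/composer-installers-extender",
}

# Constructed sample inputs (not taken from a real system).
GLOBAL_SAMPLE = """{"config": {"allow-plugins": {
    "composer/installers": true,
    "corepos/composer-installer": true}}}"""
PROJECT_SAMPLE = """{"config": {"allow-plugins": {
    "example-vendor/*": true}}}"""


def allow_plugins(text):
    """Extract "allow-plugins" from a composer.json or global config.json body."""
    value = json.loads(text).get("config", {}).get("allow-plugins", {})
    if value is True:          # blanket "allow-plugins": true
        return {"*": True}     # normalised here to a catch-all pattern
    return value if isinstance(value, dict) else {}


def audit(global_text, project_text, expected=EXPECTED):
    """Merge both files (project entries win) and list what needs attention."""
    merged = {}
    for source, text in (("global", global_text), ("project", project_text)):
        for pattern, allowed in allow_plugins(text).items():
            merged[pattern] = (bool(allowed), source)
    findings = []
    for pattern, (allowed, source) in sorted(merged.items()):
        if allowed and "*" in pattern:
            findings.append(f"{source}: wildcard allowance {pattern}")
        elif allowed and pattern not in expected:
            findings.append(f"{source}: unexpected plugin {pattern}")
    for name in sorted(expected):
        if not any(ok and fnmatchcase(name, pat) for pat, (ok, _) in merged.items()):
            findings.append(f"not allowed: {name}")
    return findings


if __name__ == "__main__":
    for line in audit(GLOBAL_SAMPLE, PROJECT_SAMPLE):
        print(line)
```

An empty result means exactly the expected plugins are allowed. Any finding is a reason to stop the job before composer install runs plugin code.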