Check if symfony.lock is up to date #825

Closed
cs278 opened this issue Oct 25, 2021 · 5 comments

cs278 commented Oct 25, 2021

We run composer symfony:recipes:install in our CI pipeline to check that the symfony.lock file doesn't have any updates that are missing from the PR; usually these originate from Dependabot. If the symfony.lock file has uncommitted changes after running Flex, we fail the build.

We've since discovered that the symfony:recipes:install command will exit with an error if you are not authenticated with any of your repositories; however, by the time it exits, symfony.lock has already been modified with the packages that are missing. If you run the command again it now passes even though the previous run failed; perhaps it should reverse the changes to symfony.lock?

Could a new command that just checks if the symfony.lock file is up to date and exits with an error if not, skipping the rest of the work that the symfony:recipes:install command does, be added for use in CI pipelines?

@nicolas-grekas
Member

Can you try composer recipes?

@cs278
Author

cs278 commented Oct 25, 2021

> Can you try composer recipes?

Doesn't modify the symfony.lock, or tell you what's missing from the file.

@maxhelias
Contributor

You can use the -o flag to display only the out-of-date recipes, with exit code 1.

@cs278
Author

cs278 commented Oct 27, 2021

Perhaps a worked example would help explain things.

Environment set up
$ cd $(mktemp -d)
$ git init .
$ echo /vendor > .gitignore
$ git add .gitignore
$ git commit -m init
$ composer require symfony/flex
$ git add . && git commit -m flex

I'm not talking about recipes directly; if you install a new package it gets added to the symfony.lock, for example:

$ composer require psr/log
$ git diff symfony.lock
diff --git a/symfony.lock b/symfony.lock
index d67ef32..a45ba9c 100644
--- a/symfony.lock
+++ b/symfony.lock
@@ -1,4 +1,7 @@
 {
+    "psr/log": {
+        "version": "1.1.4"
+    },
     "symfony/flex": {
         "version": "1.17",
         "recipe": {
$ git reset --hard

However, if you install a new package without the Flex plugin loaded (e.g. Dependabot):

$ composer require --no-plugins psr/log
$ git diff symfony.lock
# Nothing

It's not an out-of-date recipe, so the following doesn't help:

$ composer recipes -o
name             : symfony/flex
version          : 1.17
status           : up to date
installed recipe : https://github.com/symfony/recipes/tree/master/symfony/flex/1.17
files            : 

└──.env
$ git diff
# Nothing

Now run symfony:recipes:install and the symfony.lock file gets modified:

$ composer symfony:recipes:install
$ git diff symfony.lock
diff --git a/symfony.lock b/symfony.lock
index d67ef32..a45ba9c 100644
--- a/symfony.lock
+++ b/symfony.lock
@@ -1,4 +1,7 @@
 {
+    "psr/log": {
+        "version": "1.1.4"
+    },
     "symfony/flex": {
         "version": "1.17",
         "recipe": {

What would be ideal is having a command (or option) that either does that modification without talking to remote package repositories or one that simply checks if the symfony.lock file is in sync.
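
A read-only version of the check asked for above, as an added example that is not part of the thread or of Flex: it compares the package names in composer.lock with the keys of symfony.lock without contacting any repository or writing to either file. It assumes, as the Flex 1.17 output in the thread shows, that every installed package gets a symfony.lock entry; `lock_drift` and `check_project` are hypothetical names and the sample data is constructed.

```python
import json
import sys
from pathlib import Path


def lock_drift(composer_lock: dict, symfony_lock: dict) -> tuple[list[str], list[str]]:
    """Return (missing, stale) package names, comparing the two lock files."""
    installed = {
        pkg["name"].lower()
        for section in ("packages", "packages-dev")
        for pkg in composer_lock.get(section) or []
    }
    recorded = {name.lower() for name in symfony_lock}
    return sorted(installed - recorded), sorted(recorded - installed)


def check_project(project_dir: str) -> int:
    """Read-only CI check: 0 when in sync, 1 on drift, 2 when a lock file is unreadable."""
    root = Path(project_dir)
    try:
        composer_lock = json.loads((root / "composer.lock").read_text())
        symfony_lock = json.loads((root / "symfony.lock").read_text())
    except (OSError, json.JSONDecodeError) as exc:
        # Fail closed: an unreadable lock file must never look like a pass.
        print(f"cannot read lock files: {exc}", file=sys.stderr)
        return 2
    missing, stale = lock_drift(composer_lock, symfony_lock)
    for name in missing:
        print(f"missing from symfony.lock: {name}", file=sys.stderr)
    for name in stale:
        print(f"in symfony.lock but not installed: {name}", file=sys.stderr)
    return 1 if missing or stale else 0


# Constructed sample mirroring the thread: psr/log required with --no-plugins,
# so composer.lock knows about it but symfony.lock does not.
SAMPLE_COMPOSER_LOCK = {
    "packages": [{"name": "psr/log", "version": "1.1.4"},
                 {"name": "symfony/flex", "version": "v1.17.0"}],
    "packages-dev": [],
}
SAMPLE_SYMFONY_LOCK = {"symfony/flex": {"version": "1.17", "recipe": {}}}

if __name__ == "__main__":
    sys.exit(check_project(sys.argv[1] if len(sys.argv) > 1 else "."))
```

Because the check never writes to symfony.lock, a failed run cannot leave the file in a state that makes the next run pass.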

@nicolas-grekas
Member

composer update php could be the solution, at least once #869 is merged.
Feel free to submit a PR if not.
