Packagist with your own Git Server
Published on 2018-05-29 | Last modified on 2016-06-02
The Packagist service is used to make it possible to install PHP dependencies using the Composer tool. It is very much "optimized" for GitHub, but using your own Git server is also supported, although it has some rough edges:
- Packagist is not able to connect to web servers using the Modern compatibility TLS configuration (issue #918);
- Packagist's
update-packagehook requires the repository URL to have at least two path segments (issue #917); - Packgist's Git hook documentation could be more clear.
It is not so difficult to work around these issues though. Hopefully these workarounds will not be required anymore in the future.
TLS
You can use the Intermediate compatibility TLS configuration for your "git" virtual host.
Path Segments
If you set up your Git server according to my previous blog post
here, you will have the problem that the
update-package Git hook to won't work with Packagist. The repository URL must
contain at least two path segments. So, for example the repository URL
https://HOST/php-yubitwee won't work, but
https://HOST/fkooman/php-yubitwee will.
In order to work around this, you can modify the repo.url and repo.path
fields in /etc/cgitrc, e.g.:
repo.url=fkooman/php-yubitwee
repo.path=/var/lib/git/fkooman/php-yubitwee.git
Then move the repository directory to /var/lib/git/fkooman/php-yubitwee.git
from /var/lib/git/php-yubitwee.git as well. That should be sufficient.
Don't forget to clear the cache as documented in the previous blog post.
Git Hook
The Packagist Git hook configuration is more or less documented here.
What I actually ended up doing is put the following script as post-receive in
my Git repository hooks directory, e.g.
/var/lib/git/fkooman/php-yubitwee.git/hooks/post-receive:
#!/bin/sh
API_TOKEN=12345abcde
/usr/bin/curl \
-s \
-X POST \
-H "Content-Type: application/json" \
"https://packagist.org/api/update-package?username=fkooman&apiToken=${API_TOKEN}" \
-d '{"repository":{"url":"https://HOST/fkooman/php-yubitwee"}}'
Note that the PACKAGIST_PACKAGE_URL as mentioned on the Packagist
documentation page is actually your Git repository URL.
Make sure the file is executable:
$ chmod 0755 /var/lib/git/fkooman/php-yubitwee.git/hooks/post-receive
You can actually run it directly to test it, otherwise it will be triggered when you push to your Git server.
Update (2018-06-02): there are a couple of more things to keep in mind. One
is that you need add a source key under support in composer.json,
otherwise the "Source" link on Packagist will keep pointing to GitHub:
"support": {
"email": "fkooman@tuxed.net",
"source": "https://git.tuxed.net/fkooman/php-yubitwee"
},
There is another problem with checking for updated tags. It seems Packagist won't find the new tags when committing a new tag to the repository. This could be due to cgit caching... At the moment I have no idea how to properly investigate this...
In addition, you MUST push a new (tagged) release before Composer will retrieve the code from your new repository location in case you moved your repository. The older version(s) will keep being pulled in from the old location, even if they are no longer available there, thus breaking Composer if it depend on your code. Not great.
All in all, it may not be the worst idea to not use Packagist at all for your
packages, and instead just specify the repository directly in the
composer.json of the projects that depend on your code, for example:
"repositories": [
{
"type": "vcs",
"url": "https://git.tuxed.net/fkooman/php-yubitwee"
}
],
...
"require": {
"fkooman/yubitwee": "^1"
},
...
That would solve all Packagist problems, and in the process reduce another (direct) proprietary dependency from the list!