Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

package deployment command and provenance with gh actions. #1468

Open
RodrigoDornelles opened this issue Oct 2, 2024 · 2 comments
Open

package deployment command and provenance with gh actions. #1468

RodrigoDornelles opened this issue Oct 2, 2024 · 2 comments

Comments

@RodrigoDornelles
Copy link

I was thinking about creating some libs using the Haxe language, as I can transpile it to Lua, JS, PHP... etc., reusing all the logic and making some small adjustments.

In NPM there is no problem with this because you have the npm publish command and you can send your package after a specific build as a minification or pre-compiled code.

But in composer packagist, package deployment is associated with the source code, well the source code would just be hash and some js and php decorations.

I think it might be interesting to have a way like NPM to publish a pre-build package, currently they have a system that checks whether the CD pipeline was actually published, it's something interesting if the concern is security against malware.
@stof
Copy link
Contributor

stof commented Oct 4, 2024

Packagist.org does not host any archive of the code (which is the main reason why it does not need to have an infrastructure owned by Microsoft to run it btw, as the cost of shipping metadata is much less than the cost of storing and distributing all the code). So there is no way to upload a pre-build package to packagist.org.

I see (at least) 2 possible ways here:

  • host your own composer repository exposing your PHP packages (for which you can then have the logic you want to ship the archives that composer will download). The drawback is that it requires users of your package to register your repository in their project (so a little bit less convenient than if it is registered in packagist.org which is registered by default in composer)
  • use a GitHub (or Gitlab) repository storing the pre-built code (with only your CD pipeline writing in that repository) and register that repository in packagist.org. This is actually the way Symfony is managing its packages: all development happens in a mono-repo, but users of the framework are consuming the "subtree" repository in which a bot extracts each package to be consumed by composer.

@RodrigoDornelles
Copy link
Author

@stof One thing I thought about, to keep the same repository, would be to at least select a secondary branch, so that my CD pipeline would build and drop it in a completely separate branch. But I would need to be able to specify it in composer.json somehow.

I don't really like the idea of ​​pointing to a binary repo instead of a source repo.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@stof @RodrigoDornelles