François' Blog

Packagist with your own Git Server

2018-05-29

The Packagist service is used to make it possible to install PHP dependencies using the Composer tool. It is very much "optimized" for GitHub, but using your own Git server is also supported, although it has some rough edges:

  1. Packagist is not able to connect to web servers using the Modern compatibility TLS configuration (issue #918);
  2. Packagist's update-package hook requires the repository URL to have at least two path segments (issue #917);
  3. Packgist's Git hook documentation could be more clear.

It is not so difficult to work around these issues though. Hopefully these workarounds will not be required anymore in the future.

TLS

You can use the Intermediate compatibility TLS configuration for your "git" virtual host.

Path Segments

If you set up your Git server according to my previous blog post here, you will have the problem that the update-package Git hook to won't work with Packagist. The repository URL must contain at least two path segments. So, for example the repository URL https://HOST/php-yubitwee won't work, but https://HOST/fkooman/php-yubitwee will.

In order to work around this, you can modify the repo.url and repo.path fields in /etc/cgitrc, e.g.:

repo.url=fkooman/php-yubitwee
repo.path=/var/lib/git/fkooman/php-yubitwee.git

Then move the repository directory to /var/lib/git/fkooman/php-yubitwee.git from /var/lib/git/php-yubitwee.git as well. That should be sufficient. Don't forget to clear the cache as documented in the previous blog post.

Git Hook

The Packagist Git hook configuration is more or less documented here.

What I actually ended up doing is put the following script as post-receive in my Git repository hooks directory, e.g. /var/lib/git/fkooman/php-yubitwee.git/hooks/post-receive:

#!/bin/sh
API_TOKEN=12345abcde

/usr/bin/curl \
    -s \
    -X POST \
    -H "Content-Type: application/json" \
    "https://packagist.org/api/update-package?username=fkooman&apiToken=${API_TOKEN}" \
    -d '{"repository":{"url":"https://HOST/fkooman/php-yubitwee"}}'

Note that the PACKAGIST_PACKAGE_URL as mentioned on the Packagist documentation page is actually your Git repository URL.

Make sure the file is executable:

$ chmod 0755 /var/lib/git/fkooman/php-yubitwee.git/hooks/post-receive

You can actually run it directly to test it, otherwise it will be triggered when you push to your Git server.

Update (2018-06-02): there are a couple of more things to keep in mind. One is that you need add a source key under support in composer.json, otherwise the "Source" link on Packagist will keep pointing to GitHub:

"support": {
    "email": "fkooman@tuxed.net",
    "source": "https://git.tuxed.net/fkooman/php-yubitwee"
},

There is another problem with checking for updated tags. It seems Packagist won't find the new tags when committing a new tag to the repository. This could be due to cgit caching... At the moment I have no idea how to properly investigate this...

In addition, you MUST push a new (tagged) release before Composer will retrieve the code from your new repository location in case you moved your repository. The older version(s) will keep being pulled in from the old location, even if they are no longer available there, thus breaking Composer if it depend on your code. Not great.

All in all, it may not be the worst idea to not use Packagist at all for your packages, and instead just specify the repository directly in the composer.json of the projects that depend on your code, for example:

"repositories": [
    {
        "type": "vcs",
        "url": "https://git.tuxed.net/fkooman/php-yubitwee"
    }
],

...

"require": {
    "fkooman/yubitwee": "^1"
},

...

That would solve all Packagist problems, and in the process reduce another (direct) proprietary dependency from the list!

Last updated on 2016-06-02

Return to Index