I’m using PHP_CodeSniffer in my GitLab CI/CD pipelines to ensure my code is properly formatted. The job looks as follows:

```yaml
stages:
  - test
  - build
  - deploy

coding_standard:
  stage: test
  script:
    - curl -OL https://squizlabs.github.io/PHP_CodeSniffer/phpcs.phar
    - php phpcs.phar --extensions=php .
```
That’s working as expected. However, the exact version of the tool is not specified here. So if there’s suddenly a new major version of PHP_Codesniffer, the CI/CD job might fail, although my PHP code hasn’t changed.
Furthermore, I currently have the tool installed globally on my local machine. In that way, I cannot have a specific version of the tool for every PHP project.
Now I’d like to add the tool as a Composer dev-dependency (`require-dev`).
In the CI/CD job I would then call `composer install` instead of downloading the tool via curl.
The problem: That will download all packages needlessly, instead of just PHP_Codesniffer and its dependencies. Can I prevent that?
2 Answers
Why not download any tagged version from Github through https://github.com/squizlabs/PHP_CodeSniffer/releases, like https://github.com/squizlabs/PHP_CodeSniffer/releases/download/3.6.0/phpcs.phar?
Using a PHAR is better than installing such stuff using Composer, as you might install other incompatible dependencies that way (this is not the case with phpcs, but other tools like phpmd install other dependencies from Symfony).
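The pinned-release approach from the answer above, written out as an added shell example that is not part of the question or either answer: the CI job downloads the tagged phpcs.phar and refuses to run it unless its SHA-256 digest matches the one recorded for that release. `PHPCS_SHA256` is a placeholder to be replaced with the digest of the release you pin; the version and URL are the ones from the answer.

```shell
#!/bin/sh
# Added example: pin the phpcs.phar release used in CI and verify its checksum
# before executing it, so a changed or tampered download fails the job loudly.
set -eu

PHPCS_VERSION="3.6.0"
PHPCS_URL="https://github.com/squizlabs/PHP_CodeSniffer/releases/download/${PHPCS_VERSION}/phpcs.phar"
# PLACEHOLDER: record the real digest of the pinned release here.
PHPCS_SHA256="0000000000000000000000000000000000000000000000000000000000000000"

# Print the SHA-256 hex digest of a file, using whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        shasum -a 256 "$1" | cut -d ' ' -f 1
    fi
}

# Return 0 when the file's digest equals the expected one, 1 otherwise.
verify_sha256() {
    file="$1"
    expected="$2"
    actual="$(sha256_of "$file")"
    [ "$actual" = "$expected" ]
}

# Download the pinned release; delete it and fail if the digest does not match.
fetch_phpcs() {
    curl -fsSL -o phpcs.phar "$PHPCS_URL"
    if ! verify_sha256 phpcs.phar "$PHPCS_SHA256"; then
        echo "phpcs.phar checksum mismatch for version ${PHPCS_VERSION}" >&2
        rm -f phpcs.phar
        return 1
    fi
}

# In the CI script section, replace the curl line with:
#   fetch_phpcs && php phpcs.phar --extensions=php .
```

Bumping `PHPCS_VERSION` then requires updating `PHPCS_SHA256` in the same commit, which makes tool upgrades an explicit, reviewable change rather than something that happens to the pipeline on its own.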
You can’t do this with composer. You can’t even install "only the dev dependencies". It’s all the dependencies, all the non-dev dependencies, and that’s all.
And it’s generally a bad idea to install this kind of dependency as a project dependency, since very easily you can enter in dependency hell for reasons beyond your actual application needs. Development tools should not bring that level of complexity and danger to your deployment strategy.
To get around this, you could use something like the Composer Bin Plugin to isolate these dependencies and yet install them through composer. Then on CI you’d run `composer install` on this directory only, and run the tool from this location (or symlink it to `bin`, which is what the plugin does when it’s installed, but you wouldn’t have it installed in CI if you are not installing all the dependencies anyway).