I’m using PHP_CodeSniffer in my GitLab CI/CD pipelines to ensure my code is properly formatted. The job looks as follows:
    stages:
      - test
      - build
      - deploy

    coding_standard:
      stage: test
      script:
        - curl -OL https://squizlabs.github.io/PHP_CodeSniffer/phpcs.phar
        - php phpcs.phar --extensions=php .
That’s working as expected. However, the exact version of the tool is not specified here. So if there’s suddenly a new major version of PHP_Codesniffer, the CI/CD job might fail, although my PHP code hasn’t changed.
Furthermore, I currently have the tool installed globally on my local machine. In that way, I cannot have a specific version of the tool for every PHP project.
Now I’d like to add the tool as a Composer dev-dependency (require-dev).
In the CI/CD job I would then call composer install instead of downloading the tool via curl.
The problem: That will download all packages needlessly, instead of just PHP_Codesniffer and its dependencies. Can I prevent that?
Answer
You can’t do this with composer. You can’t even install “only the dev dependencies”. It’s all the dependencies, all the non-dev dependencies, and that’s all.
And it’s generally a bad idea to install this kind of dependency as a project dependency, since you can very easily end up in dependency hell for reasons beyond your actual application needs. Development tools should not bring that level of complexity and danger to your deployment strategy.
To get around this, you could use something like the Composer Bin Plugin to isolate these dependencies and yet install them through composer. Then on CI you’d run composer install on this directory only, and run the tool from this location (or symlink it to bin, which is what the plugin does when it’s installed, but you wouldn’t have it installed in CI if you are not installing all the dependencies anyway).
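The isolated-directory approach from the answer, written out as a GitLab CI job. This is an added example, not part of the original question or answer. It assumes a committed vendor-bin/phpcs/composer.json that requires only squizlabs/php_codesniffer, together with its composer.lock; the directory name, the image and the cache settings are assumptions.

```yaml
# Added example (not from the original post).
# Assumed repository layout, both files committed:
#   vendor-bin/phpcs/composer.json   requires only squizlabs/php_codesniffer
#   vendor-bin/phpcs/composer.lock   records the exact resolved versions
stages:
  - test
  - build
  - deploy

coding_standard:
  stage: test
  image: composer:2              # assumption: any image with PHP and Composer
  variables:
    TOOL_DIR: vendor-bin/phpcs   # assumption: tool directory named after the tool
  cache:
    key:
      files:
        - vendor-bin/phpcs/composer.lock   # cache is rebuilt when the pin changes
    paths:
      - vendor-bin/phpcs/vendor/
  script:
    # Without a lock file, composer install would resolve the newest matching
    # release again, which is the unpinned behaviour the job is meant to avoid.
    - test -f "$TOOL_DIR/composer.lock"
    # Installs only the tool and its dependencies, not the application's packages.
    - composer install --working-dir="$TOOL_DIR" --no-interaction --no-progress
    # Run the pinned binary; skip the tool's own sources when scanning the project.
    - $TOOL_DIR/vendor/bin/phpcs --extensions=php --ignore='*/vendor-bin/*' .
```

Because the job installs from composer.lock, a new major release of the tool only reaches the pipeline when the lock file is updated in a commit.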