PACKAGIST.md

Packagist Publishing Guide

The imunify/malware-scanner PHP library is published on Packagist via a public GitHub mirror at cloudlinux/imunify-malware-scanner.

Architecture

GitLab monorepo (php-library/)
        │
        │  CI job triggered by v* tag
        │  uses git subtree split --prefix=php-library
        ▼
GitHub (cloudlinux/imunify-malware-scanner)
        │
        │  webhook notifies Packagist automatically
        ▼
Packagist (imunify/malware-scanner)

How to release a new version

1. Make your changes to php-library/ in the monorepo and merge to main.

2. Create a repo-wide release tag:

   git tag 1.1.0
   git push origin 1.1.0

3. The sync:php-library-to-github CI job will automatically:

   • Extract php-library/ into a standalone branch
   • Push it to the GitHub repo's main branch
   • Create a v1.1.0 tag on GitHub

4. Packagist picks up the new version via its GitHub webhook. No manual action needed.

CI/CD setup

Required CI variable

Variable	Description
GITHUB_SYNC_TOKEN	Fine-grained GitHub PAT with Contents: Read+Write scoped to cloudlinux/imunify-malware-scanner. Store as a masked, protected variable in GitLab > Settings > CI/CD > Variables.

CI jobs

Job	Stage	Trigger	Purpose
sync:php-library-to-github	deploy-production	Tag X.Y.Z (repo-wide)	Syncs library to GitHub and creates version tag
test:php-library-packagist-install	test	main (auto), staging (manual)	Verifies composer require imunify/malware-scanner works
test:php-library-zip-usability	test	All branches	Verifies ZIP download flow works

What gets published

Only the contents of php-library/ are pushed to GitHub:

Included	Excluded from composer install --prefer-dist
src/ (library code)	tests/ (via .gitattributes)
composer.json	phpunit.xml (via .gitattributes)
LICENSE	.gitattributes, .gitignore
README.md
tests/ (in repo, not in dist)

Packagist account

• Package: https://packagist.org/packages/imunify/malware-scanner
• Auto-update: Enabled via GitHub webhook
• Maintainers: Managed through the Packagist account (registered with company email)

Versioning

Follow semver:

• Patch (v1.0.1): Bug fixes, no API changes
• Minor (v1.1.0): New features, backward compatible
• Major (v2.0.0): Breaking API changes

The composer.json does not contain a version field — Packagist derives versions from git tags.

Troubleshooting

CI job fails with auth error: The GITHUB_SYNC_TOKEN may be expired. Generate a new fine-grained PAT at GitHub > Settings > Personal access tokens, scoped to cloudlinux/imunify-malware-scanner with Contents: Read+Write.

Packagist not updating: Check the webhook at https://github.com/cloudlinux/imunify-malware-scanner/settings/hooks (requires admin access). You can also manually trigger an update from the Packagist package page.

Tag already exists on GitHub: If you need to re-push a tag, delete it first:

git push github :refs/tags/v1.1.0
git push github v1.1.0