With tooly composer-script you can version needed PHAR files in your project's composer.json without adding them directly to a VCS,
- to save disk space in the VCS repository
- to be sure that all developers in your project get the required toolchain
- to prepare a CI/CD system
- (optional) to automatically verify the GPG signature of each tool
Every PHAR file will be saved in the composer binary directory.
A real example can be found here.
- PHP >= 5.6
- Composer
To use the script, execute the following command:

    composer require --dev tm/tooly-composer-script

Then add the script in the composer.json under "scripts" with the event names you want to trigger. For example:

    ...
    "scripts": {
        "post-install-cmd": "Tooly\\ScriptHandler::installPharTools",
        "post-update-cmd": "Tooly\\ScriptHandler::installPharTools"
    },
    ...

Look here for more information about composer events.
The composer.json scheme has a part "extra" which is used for the script. It is described here.
In this part you can add the phar tools you need under the key "tools".

    ...
    "extra": {
        ...
        "tools": {
            "phpunit": {
                "url": "https://phar.phpunit.de/phpunit-5.5.0.phar",
                "sign-url": "https://phar.phpunit.de/phpunit-5.5.0.phar.asc"
            },
            "phpcpd": {
                "url": "https://phar.phpunit.de/phpcpd-2.0.4.phar",
                "only-dev": true,
                "rename": true
            },
            "security-checker": {
                "url": "http://get.sensiolabs.org/security-checker.phar",
                "force-replace": true
            }
        }
        ...
    }
    ...

After you add the name of the tool as key, only one further parameter is required: "url". The url can be a link to a specific version, such as x.y.z, or a link to the latest version for this phar.
With "rename" set, the downloaded tool is renamed to the name that is used as key.
If "sign-url" is set, tooly checks whether the PHAR file at "url" has a valid signature by comparing it with the signature at "sign-url".
This option is useful if you want to be sure that the tool is from the expected author.
Note: For the check you need a further requirement and a GPG binary in your $PATH variable.
You can add the requirement with this command:

    composer require tm/gpg-verifier

This check often fails if you do not have the public key of the tool author in your GPG keychain.
The "fallback-url" option is useful if you want to add an extra layer of stability to your daily build processes.
If the required url is not accessible and a "fallback-url" is set, tooly uses the fallback url to download the phar file.
The fallback url can be a link to a specific version, such as x.y.z, or a link to the latest version for this phar.
Every time you update or install with composer, the phar tools are checked. If the remote and local phar do not have the same checksum, you are asked whether you want to overwrite the existing phar, unless you set "force-replace".
This option is useful if you have a link to the latest version of a tool and always want a replacement, or if you run composer in non-interactive mode (for example in a CI system) and want a replacement.
It is also useful if some require-dev library has one of the tools as its own requirement.
The "only-dev" parameter means that this phar is only needed in development mode.
So the command composer [install|update] --no-dev ignores this phar tool.
Note: For this to work, tooly must be a no-dev requirement.
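
The parameters above decide how much you can trust a downloaded phar: whether "url" and "fallback-url" use HTTPS, whether a "sign-url" is present, and whether "force-replace" overwrites the local file without any signature check. The following Python script is an added example, not part of tooly; it audits the "tools" block for these cases. The finding names and the x.y.z version heuristic are assumptions of this example, and the sample input is the tools block shown above.

```python
import json
import re
from urllib.parse import urlparse

# Constructed sample: the "tools" block from the README above.
SAMPLE_COMPOSER_JSON = """
{
  "extra": {
    "tools": {
      "phpunit": {
        "url": "https://phar.phpunit.de/phpunit-5.5.0.phar",
        "sign-url": "https://phar.phpunit.de/phpunit-5.5.0.phar.asc"
      },
      "phpcpd": {
        "url": "https://phar.phpunit.de/phpcpd-2.0.4.phar",
        "only-dev": true,
        "rename": true
      },
      "security-checker": {
        "url": "http://get.sensiolabs.org/security-checker.phar",
        "force-replace": true
      }
    }
  }
}
"""

VERSION_RE = re.compile(r"\d+\.\d+\.\d+")  # heuristic: x.y.z in the URL path


def audit_tools(composer):
    """Return sorted (tool, finding) pairs for risky "extra.tools" entries."""
    findings = []
    for name, cfg in composer.get("extra", {}).get("tools", {}).items():
        signed = bool(cfg.get("sign-url"))
        # Every download location should be fetched over TLS.
        for key in ("url", "sign-url", "fallback-url"):
            if key in cfg and urlparse(cfg[key]).scheme != "https":
                findings.append((name, f"{key}-not-https"))
        if not signed:
            findings.append((name, "no-sign-url"))
        if not VERSION_RE.search(urlparse(cfg.get("url", "")).path):
            findings.append((name, "url-not-version-pinned"))
        # force-replace skips the overwrite prompt; flag it when unsigned.
        if cfg.get("force-replace") and not signed:
            findings.append((name, "force-replace-without-signature"))
    return sorted(findings)


if __name__ == "__main__":
    for tool, finding in audit_tools(json.loads(SAMPLE_COMPOSER_JSON)):
        print(f"{tool}: {finding}")
```

Run against a real project by loading its composer.json instead of the sample string; a non-empty result can fail the CI job.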
To also get auto-suggestion, you should set the "include_path" option in the project.
Please refer to CONTRIBUTING.md for information on how to contribute.