Update Composer >=1.9.3 for CI jobs
Closed, Resolved | Public

Description

We recently added support in Jenkins jobs for passing an auth token along with requests generated by Composer to the GitHub APIs (T106452: Composer activity from Cloud VPS hosts can be rate limited by GitHub). This seems to be working, but it is also likely to stop working on or before November 13, 2020. This will be caused by an upstream feature deprecation at GitHub.

The fix needed on our side is to upgrade Composer to a newer version which is following the announced change. Composer version 1.9.3 includes the required changes. It has been nearly 2 years since we updated Composer (T125343: Upgrade integration/composer to 1.6.5 stable), so it is probably past due anyway. At the moment I write this, v1.10.1 is the most current Composer release.

Event Timeline

Change 586142 had a related patch set uploaded (by BryanDavis; owner: Bryan Davis):
[integration/composer@master] Update composer to 1.10.1

https://gerrit.wikimedia.org/r/586142

v1.10.1 supports PHP >=v5.3.9 so this should not be a problem.

It was more updating the platform restraint in composer.json for that repo. See my comment. We presumably don't need a version so low?

See my comment in response. :) Matching the version constraints used in the upstream project seems prudent. If we pull in newer dependencies than they test against it will be difficult to get them to work on any issues this may introduce.

I honestly am not sure why we don't just use the upstream PHAR file, but I won't try to readjudicate that decision at this time.

This repository holds Composer and its dependencies. It is meant to safely deploy Composer on the Wikimedia cluster since:

  1. we can NOT download from third parties
  2. there is no Debian package for Composer (until Debian Stretch, which has 1.2.2)

Even in buster it's 1.8.4, so that's too old - https://packages.debian.org/buster/composer

We still can't download from third parties... But bundling the phar into integration/config seems sensible

I honestly am not sure why we don't just use the upstream PHAR file, but I won't try to readjudicate that decision at this time.

Storing binary files in git isn't the greatest, and at the time we were using git to deploy composer to the various CI instances. But since we use docker now we can just keep the sha256sum in the repo and download the phar during the image build process and verify it then. 👍 from me.
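
The approach suggested in the comment above (keep the sha256sum in the repo, download the phar during the image build, verify it then), sketched as an added example that is not part of the original thread or of Wikimedia's Dockerfiles. The function names, the pin-file name and the stand-in file are assumptions, and the download step itself is left out so the script runs offline.

```shell
#!/bin/sh
# Added example (not Wikimedia's Dockerfile): check a downloaded file against a
# SHA-256 pin committed to the repo. Function and file names are hypothetical.

# Print the lowercase hex SHA-256 of a file.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Print the pinned digest for NAME from a sha256sum-format pin file.
# Fails unless exactly one entry matches and it is 64 lowercase hex characters.
read_pin() {
    awk -v n="$2" '
        $2 == n || $2 == ("*" n) { count++; digest = $1 }
        END { if (count == 1 && length(digest) == 64 && digest ~ /^[0-9a-f]+$/) print digest; else exit 1 }' "$1"
}

# Return 0 if FILE matches its pin, 1 on mismatch (FILE is deleted),
# 2 if the pin or the file is missing or malformed.
verify_pinned() {
    file=$1; pinfile=$2; name=$(basename "$file")
    expected=$(read_pin "$pinfile" "$name") || { echo "no usable pin for $name" >&2; return 2; }
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "SHA-256 mismatch for $name: expected $expected, got $actual" >&2
        rm -f -- "$file"   # do not leave an unverified file in the image layer
        return 1
    fi
    return 0
}

# Constructed demo: a stand-in file plays the role of the downloaded phar.
demo() {
    d=$(mktemp -d) && printf 'constructed stand-in\n' > "$d/composer.phar"
    ( cd "$d" && sha256_of composer.phar | sed 's/$/  composer.phar/' > pins.sha256 )
    first=0; verify_pinned "$d/composer.phar" "$d/pins.sha256" || first=$?
    printf 'tampered\n' >> "$d/composer.phar"
    second=0; verify_pinned "$d/composer.phar" "$d/pins.sha256" 2>/dev/null || second=$?
    rm -rf "$d"; echo "$first $second"
}

demo   # prints "0 1": the pinned file verifies, the tampered one is rejected
```

In an image build the non-zero return from `verify_pinned` should fail the build step, so a changed upstream file or a stale pin stops the image from being produced.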

Change 586155 had a related patch set uploaded (by Reedy; owner: Reedy):
[integration/config@master] dockerfiles: [composer-php70] Update composer to v1.10.1

https://gerrit.wikimedia.org/r/586155

Change 586155 abandoned by Reedy:
dockerfiles: [composer-php70] Update composer to v1.10.1

https://gerrit.wikimedia.org/r/586155

Change 586154 had a related patch set uploaded (by Reedy; owner: Reedy):
[integration/config@master] Replace integration/composer repo with composer.phar

https://gerrit.wikimedia.org/r/586154

Change 586154 merged by jenkins-bot:
[integration/config@master] dockerfiles: [composer-php70] Replace integration/composer repo with phar

https://gerrit.wikimedia.org/r/586154

Change 586142 merged by jenkins-bot:
[integration/composer@master] Update composer to 1.10.15

https://gerrit.wikimedia.org/r/586142

Change 588032 had a related patch set uploaded (by Jforrester; owner: Jforrester):
[integration/config@master] jjb: Move images to ones based on composer 1.10.5 phar not 1.6.5 local repo

https://gerrit.wikimedia.org/r/588032

Change 588032 merged by jenkins-bot:
[integration/config@master] jjb: Move to images based on composer 1.10.5 phar, not 1.6.5 local repo

https://gerrit.wikimedia.org/r/588032