Run composer-lock-updater in your CI system for bot-powered composer.lock pull requests.
Run composer-lock-updater in your CI system for bot-powered
composer.lock pull requests.
When you run
- Clones a given GitHub or GitLab repository to a working
composer updatewithin the working directory.
- Submits a pull request if changes are detected to a tracked
Et voila! Now your dependencies are no longer six months out of date.
composer-lock-updater is different than dependabot in that it bundles all of your updates into one pull request, instead of creating separate pull requests for each dependency.
composer-lock-updater is a PHP library that can be installed with Composer:
composer global require danielbachhuber/composer-lock-updater
composer-lock-updater depends on
git being available on the system. For use with GitHub, also install the official
hub CLI tool. For use with GitLab, you can use the unofficial
lab CLI tool that emulates
lab will need to be authenticated with their respective services in order to create the pull/merge requests.
Run composer-lock-updater within an existing GitHub repository with:
composer-lock-updater defaults to using
git config --get remote.origin.url. If you'd like to specify a different value, either pass the repository URL as the first positional argument or define a
CLU_GIT_URL environment variable.
To use composer-lock-updater with a GitLab repository, use:
composer-lock-updater also supports the following environment variables to modify its behavior:
CLU_COMPOSER_INSTALL_ARGS: Arguments passed to
composer install; defaults to
CLU_COMPOSER_UPDATE_ARGS: Arguments passed to
composer update; defaults to
--no-progress --no-dev --no-interaction.
CLU_GIT_NAME: Name used for Git commits; defaults to 'composer-lock-update'.
CLU_GIT_EMAIL: Email used for Git commits; defaults to 'composer-lock-update@localhost'.
This wouldn't be very useful if it didn't run automatically for you.
To configure composer-lock-updater to run on Travis master branch builds, add the following to your
after_script: - | ### # Only run on one job of a master branch build ### if [ -z "$CLU_RUN" ] || [ "$TRAVIS_BRANCH" != master ] ; then echo "composer.lock update disabled for this build" return fi ### # Install composer-lock-updater ### export PATH="$HOME/.composer/vendor/bin:$PATH" composer global require danielbachhuber/composer-lock-updater ### # Install hub for creating GitHub pull requests # # You could also replace this with lab to create GitLab merge requests. ### wget -O hub.tgz https://github.com/github/hub/releases/download/v2.2.9/hub-linux-amd64-2.2.9.tgz tar -zxvf hub.tgz export PATH=$PATH:$PWD/hub-linux-amd64-2.2.9/bin/ ### # Optional: install Sensio Labs security checker to include security advisories in PR comments ### mkdir -p $HOME/bin wget -O $HOME/bin/security-checker.phar http://get.sensiolabs.org/security-checker.phar chmod +x $HOME/bin/security-checker.phar ### # Run composer-lock-updater ### clu $CLU_REPO_URL
To grant commit and pull request access to the Travis build, define these private environment variables in the Travis control panel:
Make sure to replace
<repo> with the appropriate values.
Lastly, because of the
CLU_RUN environment variable, composer-lock-updater is disabled by default. Enable it for one job per build by modifying your environment matrix:
matrix: include: - php: 7.1 env: WP_VERSION=latest PHP_APCU=enabled CLU_RUN=1 - php: 7.0 env: WP_VERSION=latest PHP_APCU=enabled - php: 5.6 env: WP_VERSION=latest PHP_APCU=enabled
Because composer-lock-updater is running on the
after_script step, make sure to verify it's working correctly, because it won't fail your build if misconfigured.