How to use GitLab with Composer

Learn how to securely create composer auth.json in your PHP CI/CD pipeline | Twelve Factor App

Matt Chad
February 21, 2023

With the growing popularity of Infrastructure as Code (IaC) and cloud solutions, a resilient CI/CD pipeline is the foundation that companies building high-quality software rely on. The GitLab continuous delivery system provides a flexible configuration interface that supports the Twelve-Factor App methodology. Its third rule says that anything that can vary between deployments must be stored in environment variables.

GitLab provides a clean user interface for defining environment variables. The values can be a short string or a JSON file. In addition, simple control flags allow you to define the availability and scope of variables (production/staging).

A special flag, the masked variable, prevents secrets from leaking into the GitLab CI logs. However, the restriction on the masked variable format makes it impossible to mask file-type environment variables. Storing credentials as plain text is an unacceptable vulnerability. Fortunately, the programmatic configuration available from the composer command line is an elegant solution to this inconvenience.

Programmatically create auth.json

To create an entry in auth.json, use the composer config command. It works with an existing auth.json and can also build the file from scratch. Be sure to provide the full key path, which is then expanded to JSON object notation. The following command, composer config http-basic.repo.magento.com public-key private-key, creates auth.json in the root directory:

{
    "http-basic": {
        "repo.magento.com": {
            "username": "public-key",
            "password": "private-key"
        }
    }
}

If the file already exists, the new entry is added under the matching key.

Another call, composer config http-basic.another.vendor.com other-public-key other-private-key, adds a new entry to http-basic. Note that the new record was added inside the existing http-basic key:

{
    "http-basic": {
        "repo.magento.com": {
            "username": "public-key",
            "password": "private-key"
        },
        "another.vendor.com": {
            "username": "other-public-key",
            "password": "other-private-key"
        }
    }
}

Script for creating composer auth.json

HTTP basic is one of many authorization methods available for composer repositories. For demonstration, let's also add a gitlab-token for a Kustom Repo. A simple template script that you can safely use in GitLab CI can look like this:

#!/bin/bash
echo "Configuring composer auth.json..."
# Write each entry only when its variable is set and non-empty.
# "if" keeps the exit status at 0 when a variable is skipped, so the job does not fail.
if [[ -n $COMPOSER_MAGENTO_KEY ]]; then composer config http-basic.repo.magento.com "$COMPOSER_MAGENTO_KEY" "$COMPOSER_MAGENTO_SECRET"; fi
if [[ -n $COMPOSER_GITLAB_KUSTOM_TOKEN ]]; then composer config gitlab-token.gitlab.com "$COMPOSER_GITLAB_KUSTOM_TOKEN"; fi

Empty or unconfigured environment variables are skipped.

Append || exit 1 to every line if you need to stop the pipeline when an environment variable is missing:

#!/bin/bash
# Abort the script if any command returns a non-zero exit status
set -e

echo "Configuring composer auth.json..."
[[ -n $COMPOSER_MAGENTO_KEY ]] && composer config http-basic.repo.magento.com "$COMPOSER_MAGENTO_KEY" "$COMPOSER_MAGENTO_SECRET" || exit 1
[[ -n $COMPOSER_GITLAB_KUSTOM_TOKEN ]] && composer config gitlab-token.gitlab.com "$COMPOSER_GITLAB_KUSTOM_TOKEN" || exit 1

You can also echo the name of the missing variable; this part was removed for brevity.

Refer to the documentation on the composer website for additional options. Learn more about the Twelve-Factor methodology.
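An added example, not from the original article: the fail-fast variant with the missing-variable report, printing variable names only and never their values. It is written for POSIX sh so it also runs in images without bash; the function names and the --apply switch are hypothetical, and the chmod assumes composer writes auth.json to the working directory.

```shell
#!/bin/sh
# Added example. Variable names follow the article's scripts;
# missing_vars, configure_composer_auth and --apply are hypothetical names.

# Print the name of every unset or empty variable, one per line.
# Only names are printed, never values. Exit status 1 if any is missing.
missing_vars() (
    status=0
    for name in "$@"; do
        case $name in
            ''|[0-9]*|*[!A-Za-z0-9_]*) echo "invalid name: $name" >&2; exit 2 ;;
        esac
        eval "value=\${$name:-}"    # safe: name was validated above
        if [ -z "$value" ]; then
            printf '%s\n' "$name"
            status=1
        fi
    done
    exit "$status"
)

# Write both auth.json entries, or stop before touching composer at all.
configure_composer_auth() (
    if ! missing=$(missing_vars COMPOSER_MAGENTO_KEY COMPOSER_MAGENTO_SECRET \
                                COMPOSER_GITLAB_KUSTOM_TOKEN); then
        for name in $missing; do
            echo "Missing CI/CD variable: $name" >&2
        done
        exit 1
    fi
    { set +x; } 2>/dev/null         # never trace commands that carry secrets
    echo "Configuring composer auth.json..."
    composer config http-basic.repo.magento.com \
        "$COMPOSER_MAGENTO_KEY" "$COMPOSER_MAGENTO_SECRET" || exit 1
    composer config gitlab-token.gitlab.com \
        "$COMPOSER_GITLAB_KUSTOM_TOKEN" || exit 1
    # Assumption: auth.json lands in the working directory; keep it owner-only.
    chmod 600 auth.json
)

# Run only when asked, so the file can also be sourced by another script.
if [ "${1:-}" = "--apply" ]; then configure_composer_auth; fi
```

Because all variables are checked before the first composer call, a failed job never leaves a half-written auth.json behind.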
