What is the best practice to store an October CMS project in Git?

Got a question about committing the entire October CMS instance. I want to lock my app down to a specific version in git, so I include the composer.lock file. When I set up everything in another instance, it adds a lot more files to the git structure. This causes git to see this stuff, and I'm not sure why.

What’s the exact process for this so I don’t run into this?

We usually use a .gitignore file that ignores everything. Then we include all the files and folders that are project specific:

# Exclude all by default
*

# Include project-specific files
!.gitignore
!composer.*
!.env.*
!auth.json
!app
!app/**/*
!themes
!themes/**/*
!plugins
!plugins/your-vendor
!plugins/your-vendor/your-plugin

4 Likes

@OFFLINE-TK

That is a novel approach, and so clean. Would it be alright if we added it to the documentation?

1 Like

Please, go ahead! The only minor problem with this setup is if you want to bootstrap a working October installation after cloning the git repo (during a deployment or new project setup). Since the storage, bootstrap or config folders are probably missing, you cannot simply run composer install to get everything up and running.

We use the following helper script to move the repo’s content into a folder, install October into a temporary directory, copy the October installation over and then copy the original files over the created installation.

It’s not pretty by any means, but has served us well for many many projects without any issues so far!

Our process is usually:

  • git clone repo
  • ./bootstrap.sh (file below)

#!/bin/sh
set -e
set -x

# Install October CMS
# - Move existing repo files to a _originals/ folder
# - Install October into a tmp directory
# - Move all files from the tmp directory to the current directory
# - Restore repo files from _originals/

if [ -d "modules/editor" ]; then
    echo "October is already installed, skipping setup"
    exit 0
fi

echo "Installing October CMS"

# Move all repo contents to _originals/
mkdir _originals
rsync -rlv --exclude 'composer.phar' --exclude 'vendor' --exclude 'auth.json' --exclude '_originals' --remove-source-files ./ _originals/

# Install October into a tmp directory
rm -rf /tmp/october_install
composer create-project october/october /tmp/october_install --no-scripts

# Move installation to pwd
rsync -lr --exclude 'themes/demo' --remove-source-files /tmp/october_install/ ./

# Restore original files
rsync -rlv --remove-source-files ./_originals/ ./
rm -rf _originals

# Install dependencies
composer install --no-interaction

echo "Installation successful"

5 Likes

Should auth.json really be included? I know this topic is about a year old, but it is a really solid answer and I want to raise the possibility of it including a security issue: auth.json.

Anyone able to answer if including auth.json in your repo is a security risk, or is this standard practice and available publicly?

It is a security issue and is excluded by default when you install October via composer. If you plan to keep your repo private, it’s fine, but even then, I don’t trust it.

Best practice is to use project:set when installing to a different place.

Here is the composer article on this topic.

Note: Make sure the auth.json file is in .gitignore to avoid leaking credentials into your git history.

Note that you can also use the COMPOSER_AUTH environment variable or store it in the global composer config.
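
The following check is an added example, not code from this thread or from October CMS or Composer. The whitelist above re-includes the file with `!auth.json`, so this sketch reports whether auth.json is tracked, was ever committed, or is not covered by the ignore rules; the function name `audit_auth_json` is hypothetical and it assumes `git` is on the PATH.

```shell
#!/bin/sh
# Added example: audit a clone for a committed Composer auth.json.
# audit_auth_json is a hypothetical helper name, not part of October CMS or Composer.
# Prints one line per finding; returns 1 if anything was found, 0 if clean.

audit_auth_json() {
    repo="${1:-.}"
    found=0

    # 1. Is auth.json in the index (i.e. part of the next checkout)?
    if git -C "$repo" ls-files --error-unmatch auth.json >/dev/null 2>&1; then
        echo "TRACKED: auth.json is committed; untrack it with 'git rm --cached auth.json'"
        found=1
    fi

    # 2. Was it ever committed on any ref? Deleting the file later leaves
    #    the credentials readable in older commits.
    commits=$(git -C "$repo" log --all --format=%h -- auth.json 2>/dev/null || true)
    if [ -n "$commits" ]; then
        echo "HISTORY: auth.json appears in commit(s): $(echo "$commits" | tr '\n' ' ')"
        found=1
    fi

    # 3. Do the ignore rules cover auth.json? --no-index evaluates the rules
    #    even when the file is already tracked.
    if ! git -C "$repo" check-ignore -q --no-index auth.json 2>/dev/null; then
        echo "NOT IGNORED: add 'auth.json' to .gitignore and supply credentials via COMPOSER_AUTH"
        found=1
    fi

    return "$found"
}

# Usage: audit_auth_json /path/to/project
```

A HISTORY finding means the credentials in that file should be treated as exposed and replaced, since removing the file in a later commit does not remove it from earlier ones.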