Handling private packages with Satis

Satis is a static composer repository generator. It is a bit like an ultra-lightweight, static file-based version of packagist and can be used to host the metadata of your company's private packages, or your own. It basically acts as a micro-packagist. You can get it from GitHub or install via CLI: composer.phar create-project composer/satis --stability=dev.

Setup

For example, let's assume you have a few packages you want to reuse across your company but don't really want to open-source. You would first define a Satis configuration: a json file with an arbitrary name that lists your curated repositories.

Here is an example configuration. It holds a few VCS repositories, but those could be any types of repositories. It then uses "require-all": true, which selects all versions of all packages in the repositories you defined.

The default file Satis looks for is satis.json in the root of the repository.

    {
        "name": "My Repository",
        "homepage": "http://packages.example.org",
        "repositories": [
            { "type": "vcs", "url": "http://github.com/mycompany/privaterepo" },
            { "type": "vcs", "url": "http://svn.example.org/private/repo" },
            { "type": "vcs", "url": "http://github.com/mycompany/privaterepo2" }
        ],
        "require-all": true
    }

If you want to cherry pick which packages you want, you can list all the packages you want to have in your satis repository inside the classic composer require key, using a "*" constraint to make sure all versions are selected, or another constraint if you want really specific versions.

    {
        "repositories": [
            { "type": "vcs", "url": "http://github.com/mycompany/privaterepo" },
            { "type": "vcs", "url": "http://svn.example.org/private/repo" },
            { "type": "vcs", "url": "http://github.com/mycompany/privaterepo2" }
        ],
        "require": {
            "company/package": "*",
            "company/package2": "*",
            "company/package3": "2.0.0"
        }
    }

Once you have done this, you just run php bin/satis build <configuration file> <build dir>. For example, php bin/satis build config.json web/ would read the config.json file and build a static repository inside the web/ directory.

Once you have ironed out that process, what you would typically do is run this command as a cron job on a server. It would then update all your package info much like Packagist does.

Note that if your private packages are hosted on GitHub, your server should have an ssh key that gives it access to those packages, and then you should add the --no-interaction (or -n) flag to the command to make sure it falls back to ssh key authentication instead of prompting for a password. This is also a good trick for continuous integration servers.

Set up a virtual-host that points to that web/ directory, let's say it is packages.example.org. Alternatively, with PHP >= 5.4.0, you can use the built-in CLI server php -S localhost:port -t satis-output-dir/ for a temporary solution.

Usage

In your projects all you need to add now is your own composer repository using the packages.example.org as URL, then you can require your private packages and everything should work smoothly. You don't need to copy all your repositories in every project anymore. Only that one unique repository that will update itself.

    {
        "repositories": [ { "type": "composer", "url": "http://packages.example.org/" } ],
        "require": {
            "company/package": "1.2.0",
            "company/package2": "1.5.2",
            "company/package3": "dev-master"
        }
    }

Security

To secure your private repository you can host it over SSH or SSL using a client certificate. In your project you can use the options parameter to specify the connection options for the server.

Example using a custom repository using SSH (requires the SSH2 PECL extension):

    {
        "repositories": [
            {
                "type": "composer",
                "url": "ssh2.sftp://example.org",
                "options": {
                    "ssh2": {
                        "username": "composer",
                        "pubkey_file": "/home/composer/.ssh/id_rsa.pub",
                        "privkey_file": "/home/composer/.ssh/id_rsa"
                    }
                }
            }
        ]
    }

Tip: See ssh2 context options for more information.

Example using HTTP over SSL using a client certificate:

    {
        "repositories": [
            {
                "type": "composer",
                "url": "https://example.org",
                "options": {
                    "ssl": {
                        "local_cert": "/home/composer/.ssl/composer.pem"
                    }
                }
            }
        ]
    }

Tip: See ssl context options for more information.

Downloads

When GitHub or BitBucket repositories are mirrored on your local satis, the build process will include the location of the downloads these platforms make available. This means that the repository and your setup depend on the availability of these services.

At the same time, this implies that all code which is hosted somewhere else (on another service or for example in Subversion) will not have downloads available and thus installations usually take a lot longer.

To enable your satis installation to create downloads for all your packages (Git, Mercurial and Subversion), add the following to your satis.json:

    {
        "archive": {
            "directory": "dist",
            "format": "tar",
            "prefix-url": "https://amazing.cdn.example.org",
            "skip-dev": true
        }
    }

Options explained

  • directory: the location of the dist files (inside the output-dir)
  • format: optional, zip (default) or tar
  • prefix-url: optional, location of the downloads, homepage (from satis.json) followed by directory by default
  • skip-dev: optional, false by default, when enabled (true) satis will not create downloads for branches

Once enabled, all downloads (including those from GitHub and BitBucket) will be replaced with a local version.

prefix-url

Prefixing the URL with another host is especially helpful if the downloads end up in a private Amazon S3 bucket or on a CDN host. A CDN would drastically improve download times and therefore package installation.

Example: A prefix-url of http://my-bucket.s3.amazonaws.com (and directory set to dist) creates download URLs which look like the following: http://my-bucket.s3.amazonaws.com/dist/vendor-package-version-ref.zip.
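
As an added example (not part of the original page or of the Satis/Composer projects): a small Python check that flags plaintext http:// URLs in the repositories list and in archive.prefix-url, and flags the privkey_file and local_cert files from the Security section when they are missing or accessible to group/other. The names audit, KEY_OPTIONS and SAMPLE are made up for this example, and SAMPLE is constructed from values shown on this page.

```python
import json
import os
import stat

# Constructed sample: merges settings shown on this page into one document
# (a real setup keeps satis.json and the project's composer.json separate).
SAMPLE = """
{
  "repositories": [
    { "type": "vcs", "url": "http://github.com/mycompany/privaterepo" },
    { "type": "composer", "url": "https://example.org",
      "options": { "ssl": { "local_cert": "/home/composer/.ssl/composer.pem" } } }
  ],
  "archive": { "directory": "dist", "prefix-url": "http://my-bucket.s3.amazonaws.com" }
}
"""

# Option keys from the Security section that point at private key material.
KEY_OPTIONS = (("ssh2", "privkey_file"), ("ssl", "local_cert"))


def audit(config):
    """Return a list of findings for a parsed satis.json or composer.json."""
    findings = []
    for i, repo in enumerate(config.get("repositories", [])):
        url = repo.get("url", "")
        if url.lower().startswith("http://"):
            findings.append(f"repositories[{i}]: plaintext URL {url}")
        for section, key in KEY_OPTIONS:
            path = repo.get("options", {}).get(section, {}).get(key)
            if path is None:
                continue
            try:
                mode = os.stat(path).st_mode
            except OSError:
                findings.append(f"repositories[{i}]: {key} {path} is missing or inaccessible")
                continue
            if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other permission bit
                findings.append(f"repositories[{i}]: {key} {path} is accessible to group/other")
    prefix = config.get("archive", {}).get("prefix-url", "")
    if prefix.lower().startswith("http://"):
        findings.append(f"archive.prefix-url: plaintext URL {prefix}")
    return findings


if __name__ == "__main__":
    for finding in audit(json.loads(SAMPLE)):
        print(finding)
```

Run it against the real satis.json on the build server and against each project's composer.json, as the user that runs Composer, so the permission check sees the same files.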

Resolving dependencies

It is possible to make satis automatically resolve and add all dependencies for your projects. This can be used with the Downloads functionality to have a complete local mirror of packages. Just add the following to your satis.json:

    {
        "require-dependencies": true
    }

When searching for packages, satis will attempt to resolve all the required packages from the listed repositories. Therefore, if you are requiring a package from Packagist, you will need to define it in your satis.json.

Source: https://docs.phpcomposer.com/articles/handling-private-packages-with-satis.html