Oryx icon indicating copy to clipboard operation
Oryx copied to clipboard

Published 20 hours ago verified publisher icon microsoft

Add feature to install php composer libraries without dev dependencies

Open ronaldijsfontein opened this issue 3 years ago • 9 comments

Feature Request

Scenario

I want to deploy a PHP site in non development mode to a server using composer.

Issue

Oryx installs the composer libraries with the following command in src/BuildScriptGenerator/Php/PhpBashBuildSnippet.sh.tpl

php $composer install --ignore-platform-reqs --no-interaction

This installation will install all dev dependencies. These dependencies should never be installed on a non development environment. To my surprise I find no configuration option to install the composer libraries without dev dependencies.

Pseudo code example:

{{ if ComposerWithoutDev }}
   php $composer install --ignore-platform-reqs --no-interaction --no dev
{{else}}
   ...
{{end}}

ronaldijsfontein avatar Aug 11 '22 09:08 ronaldijsfontein

@ronaldijsfontein Hey Ronald, apologies for the delayed response -- supporting the php $composer arguments that directly affect users' builds is a good decision, but for this specific case, I did see from the PHP composer documentation that they have a COMPOSER_NO_DEV environment variable that you should be able to set in the context of your build that will act as though you provided the --no-dev argument to the above command. Is this something that you view as a viable short-term solution, or would you prefer Oryx to have a mechanism in its oryx build command that allows you to provide it directly in the php $composer command linked above?

cormacpayne avatar Aug 17 '22 20:08 cormacpayne

@cormacpayne I found the COMPOSER_NO_DEV environment variable in the composer docs. I read the Oryx docs but did not find a way to inject an environment variable into the build process. Could you point me in the right direction how I should do this?

ronaldijsfontein avatar Aug 17 '22 21:08 ronaldijsfontein

@ronaldijsfontein Sure thing -- real quick: what is the mechanism by which you are trying to deploy your application? Zip deployment in the Azure Portal, GitHub Actions, Azure CLI, etc.?

cormacpayne avatar Aug 17 '22 22:08 cormacpayne

@cormacpayne Currently I push to local git to start the deployment

ronaldijsfontein avatar Aug 17 '22 22:08 ronaldijsfontein

@ronaldijsfontein In the Portal, would you mind navigating to your web app and selecting Configuration under the Settings tab, and from there, you should be able to set the COMPOSER_NO_DEV environment variable in the Application settings section. From the docs, the value for this variable should be just 1 to enable it. This should be propagated to the container running the oryx build; if not, please let me know and I'll follow up with the App Service team to provide proper guidance here.

cormacpayne avatar Aug 17 '22 23:08 cormacpayne

@cormacpayne I did try to do this before without any luck. After your tip I tried it again (with and without "deployment_slot_setting"). Again without luck, the dev dependencies did install.

The documentation mentions changing the build behaviour with environment variables. https://github.com/microsoft/Oryx/blob/main/doc/configuration.md

"Oryx provides configuration options through environment variables so that you can apply minor adjustments and still utilize the automatic build process. The following variables are supported today...."

Only a subset is supported. COMPOSER_NO_DEV is not on the list of supported environment variables.

It would be nice if the variable was added to the supported list. Deploying composer libraries with dev dependencies is seen as a big security risk.

ronaldijsfontein avatar Aug 18 '22 09:08 ronaldijsfontein

Having recently encountered deployment problems with a dev package being included in composer's install via Oryx, I was researching if there was any way to tell Oryx to use --no-dev. I'm really glad to see there is an environment variable, but I can confirm that it didn't work for me either. If I run composer install myself on the server, it picks up the flag and omits dev dependencies, but Oryx still seems to be installing everything.

In the meantime, I'm rerunning composer in a startup script to clean up the dev dependencies, but that is definitely less than ideal since it increases deployment time and introduces changes after the files are moved from repository to wwwroot on Azure.

NVV-WebManager avatar Mar 03 '23 21:03 NVV-WebManager

Also confirmed that setting COMPOSER_NO_DEV in Settings > Configuration does not work.

Also tried setting PRE_BUILD_COMMAND to export COMPOSER_NO_DEV=1 but that didn't work. Nor doing it in a script in PRE_BUILD_SCRIPT_PATH

pb30 avatar Aug 04 '23 18:08 pb30

Any update on this? I was thinking in the way of having a modified composer.json for production that doesn't include dev dependencies, but I'm not sure how I would do that yet.

jakeburkart avatar Dec 08 '23 19:12 jakeburkart