Skip to content

ci: commit composer.lock for reproducible CI builds#29

Open
danielgnh wants to merge 2 commits into
mainfrom
claude/wizardly-lichterman-c4e23b
Open

ci: commit composer.lock for reproducible CI builds#29
danielgnh wants to merge 2 commits into
mainfrom
claude/wizardly-lichterman-c4e23b

Conversation

@danielgnh

Copy link
Copy Markdown
Member

Problem

CI Rector runs fail whenever rectorphp releases a new version: composer.lock was gitignored and rector/rector floats on ^2.3, so CI's fresh composer install resolved a newer Rector (with new rules) than contributors had locally. This broke PRs #17, #22, #27, and #28.

Fix

  • Remove composer.lock from .gitignore and commit it. CI now installs the exact versions contributors have locally (rector 2.5.3, phpstan 2.2.5, php-cs-fixer 3.91.3). A new Rector release can no longer change what CI runs; upgrades become explicit composer update commits.
  • No workflow changes needed: all four workflows already key their dependency cache on hashFiles('**/composer.lock') — that hash was always empty before and now works as intended.
  • Remove the unused ClobAuthenticator::$chainId property. Pinning PHPStan to 2.2.5 surfaced one real property.onlyWritten error that would have made CI red: the property's only read passes it back into its own constructor via withCredentials(); EIP-712 signing uses Eip712Signer's own chainId. ⚠️ Minor BC note: this removes the third constructor parameter of ClobAuthenticator (nothing in this repo constructed it with that argument except Client, which is updated).

Verification

  • composer validate --strict passes; lock is in sync with composer.json
  • Fresh composer install from the lock, then: Rector dry-run ✅, PHPStan ✅, PHP CS Fixer ✅, 214 tests / 539 assertions ✅

🤖 Generated with Claude Code

danielgnh and others added 2 commits July 12, 2026 22:01
CI runs a fresh 'composer install' with no lock file, so every new
rector/phpstan release changed the versions CI ran vs. what
contributors had locally (broke PRs #17, #22, #27, #28). Committing
the lock makes CI resolve the exact same versions as local dev, and
makes the existing hashFiles('**/composer.lock') cache keys in the
four workflows actually work (they previously always hashed nothing).

Locked tool versions: rector 2.5.3, phpstan 2.2.5, php-cs-fixer 3.91.3.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
PHPStan 2.2.5 (now pinned via composer.lock) flags the property as
only-written: its sole read passes it back into its own constructor
in withCredentials(). EIP-712 signing uses Eip712Signer's own chainId,
so the authenticator's copy never affects behavior.

Note: this removes the third constructor parameter of
ClobAuthenticator, a BC break for code constructing it directly with
a chainId or positional credentials argument.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant