ci: commit composer.lock for reproducible CI builds#29
Open
danielgnh wants to merge 2 commits into
Open
Conversation
CI runs a fresh 'composer install' with no lock file, so every new rector/phpstan release changed the versions CI ran vs. what contributors had locally (broke PRs #17, #22, #27, #28). Committing the lock makes CI resolve the exact same versions as local dev, and makes the existing hashFiles('**/composer.lock') cache keys in the four workflows actually work (they previously always hashed nothing). Locked tool versions: rector 2.5.3, phpstan 2.2.5, php-cs-fixer 3.91.3. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
PHPStan 2.2.5 (now pinned via composer.lock) flags the property as only-written: its sole read passes it back into its own constructor in withCredentials(). EIP-712 signing uses Eip712Signer's own chainId, so the authenticator's copy never affects behavior. Note: this removes the third constructor parameter of ClobAuthenticator, a BC break for code constructing it directly with a chainId or positional credentials argument. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
CI Rector runs fail whenever rectorphp releases a new version:
composer.lockwas gitignored andrector/rectorfloats on^2.3, so CI's freshcomposer installresolved a newer Rector (with new rules) than contributors had locally. This broke PRs #17, #22, #27, and #28.Fix
composer.lockfrom.gitignoreand commit it. CI now installs the exact versions contributors have locally (rector 2.5.3, phpstan 2.2.5, php-cs-fixer 3.91.3). A new Rector release can no longer change what CI runs; upgrades become explicitcomposer updatecommits.hashFiles('**/composer.lock')— that hash was always empty before and now works as intended.ClobAuthenticator::$chainIdproperty. Pinning PHPStan to 2.2.5 surfaced one realproperty.onlyWrittenerror that would have made CI red: the property's only read passes it back into its own constructor viawithCredentials(); EIP-712 signing usesEip712Signer's own chainId.ClobAuthenticator(nothing in this repo constructed it with that argument exceptClient, which is updated).Verification
composer validate --strictpasses; lock is in sync with composer.jsoncomposer installfrom the lock, then: Rector dry-run ✅, PHPStan ✅, PHP CS Fixer ✅, 214 tests / 539 assertions ✅🤖 Generated with Claude Code