How to automatically update Composer dependencies with Source Operations

Goal

This guide details how to automatically update Composer dependencies on a specific environment, so that you can test the changes before deploying to production.

Assumptions

You will need:

Problems

Keeping your code base and its dependencies up to date is critical for so many reasons, and it is always possible to forget and miss a security upgrade.

Even though Platform.sh makes it easy to update dependencies, thanks to its support for all the famous package managers (Composer, npm, gem…), it is better to automate that process, so that this issue never happens.

That is the goal of this how-to guide.

Steps

1. Install the CLI on the application container

Create a machine user that you invite to your project. Get an API token from this machine user account (read the documentation here) and run the following command:

cd my-platformsh-project/
platform variable:create -e master --level environment --name env:PLATFORMSH_CLI_TOKEN --sensitive true --value 'your API token'

Your local CLI will automatically detect the current project and add the env:PLATFORMSH_CLI_TOKEN environment variable to your project.

Then install the CLI on your application container via a new build hook defined in .platform.app.yaml:

hooks:
    build: |
        curl -sS https://platform.sh/cli/installer | php

2. Enable Source Operations

Create a dedicated update-dependencies branch where we will automatically run and test Composer updates.

platform branch update-dependencies -e master

On that newly created branch, add the following lines in the .platform.app.yaml:

source:
    operations:
        update:
            command: |
                composer update
                git add composer.lock
                git commit -m "Update Composer dependencies."

This configuration defines an arbitrary update source operation which will run the composer update command and commit the changes to the composer.lock file, before redeploying the environment on which it has been triggered.

3. Automatically trigger the update source operation

Define a new cron entry to automatically trigger the update source operation in .platform.app.yaml:

crons:
    update:
        # Trigger the update source operation every day at 00:00.
        spec: '0 0 * * *'
        cmd: |
            if [ "$PLATFORM_BRANCH" = update-dependencies ]; then
                platform environment:sync code data --no-wait --yes
                platform source-operation:run update --no-wait --yes
            fi

Every day, this cron will synchronize the update-dependencies environment with its parent master, and trigger the update source operation on it.

4. Deploy the changes

Use Git to deploy the changes:

git add .platform.app.yaml
git commit -m "Enable automated Composer updates on the update-dependencies branch via cron."
git push platform update-dependencies

Conclusion

This is how easy it is to automate the update of Composer dependencies (or any other package manager dependencies if you are not using PHP) on Platform.sh.

The next step should be to enable a Platform.sh notification alert (Email, Slack…) so that you know when the environment has been updated and you can test the changes before deploying those to production.