-
Notifications
You must be signed in to change notification settings - Fork 53
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Composer.lock and plugin version control strategy #175
Comments
We already re-added the To sum it up. I'd prefer project dependencies and version numbers be consistent and same across production, all developers on local, and CI servers automatically. My suggestion would be adding |
Thanks for the suggestions. The development->production git push + git hook
syncing would benefit from composer.lock.
There is no way to guarantee that version numbers be consistent and same
across production and development. Any user can at any time install or
upgrade a plugin in wp-admin or via wp-ci and the composer.json or
composer.lock files would not get any updates. WordPress does not offer the
same developer experience for dependency management as e.g. NodeJS with
package.json offers.
In local one can however run 'wp-pull-production-plugins' to sync from
production->development.
|
True but keeping And surely not any user, some roles for sure :) |
+1 |
+1 for reverting f954bdd We just ran into this issue ourselves, when pushing
We would also prefer committing Preventing version drift should be managed by team (in development) and permissions (preventing plugin updates in wp-admin) or communication (agreeing that updates are never done through wp-admin). Alternatively https://github.com/Seravo/wordpress/blob/master/scripts/git-hooks/post-receive#L72 should delete |
I noticed that
composer.lock
was recently automatically ignored from the version control f954bddI have read the commit notes and agree that the file has many issues as updates in production do not (to my knowledge) update
composer.lock
and packages incomposer.json
have no fixed version most of the time.As a background we have usually added the WordPress.org plugins via composer and kept premium and custom plugins in version control. Now, when you add a new plugin via composer, there is pre-made git hook in production that also installs it if there is change in
composer.lock
. If this file is not in version control, this automation will not work (manual command needed in production).As a developer I don't want to have this manual and easy to forget thing in the workflow which leaves (at least) two strategies:
composer.lock
to the version control and keep workflow the same.composer.json
in the first place. This will lead to moreuncommited changes
in production situations, but fix all issues withcomposer.lock
. For this option, we'll need to change the default.gitignore
for plugins each time.What do you think? With this change there is a hole in the workflow when a new (WordPress.org) plugin is added to the site in local development that needs some kind of solution.
The text was updated successfully, but these errors were encountered: