Bypass Packagist for the package under test in module-ci.yml#1060
Merged
Conversation
Register the module's GitHub repo as a `vcs` composer source before the inject step, so `composer require <pkg>:dev-<branch>` resolves against the git remote rather than Packagist. Packagist's CDN can lag 30-90s behind a freshly pushed branch, which causes spurious "Could not find package" failures on PRs whose CI starts immediately after the push (e.g. altis-dev-tools#1059, where the workflow ran 61s after branch push and Packagist had not yet replicated the new branch). The git remote always sees the new branch, so this race is eliminated. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
mikelittle
requested review from
ferschubert-hm,
filter182,
jerico,
vladislavhmn and
wisyhambolu
jerico
reviewed
May 14, 2026
jerico
approved these changes
May 14, 2026
Contributor
jerico
left a comment
jerico
left a comment
There was a problem hiding this comment.
Aside from verbose comments, it's working as expected. Verified on humanmade/altis-sso#179 by rerunning the CI
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
vcscomposer source inmodule-ci.ymlbefore the existing inject step, socomposer require <pkg>:dev-<branch>resolves against the git remote rather than Packagist.Could not find package … with version dev-<branch>failures on PRs whose CI starts immediately after the push. Pulling from GitHub directly always sees the new branch.Why
Concrete repro: PR #1059 (Dependabot config tweak) — workflow ran ~61s after branch push, Packagist hadn't replicated
dev-dependabot-patch-only-non-masteryet, composer require failed. A re-run minutes later succeeded with no code changes.Travis didn't have this race because it pulled directly from a VCS repo. The new GHA workflow goes through Packagist, which is fine for normal use but flaky for "CI immediately after branch push." Most affected: Dependabot PRs, since they always trigger CI within seconds of pushing the branch.
Scope of the change
composer config repositories.<pkg> vcs <url>runs in\$HOME/test-root(the throwaway skeleton clone the workflow creates each run). It mutates only that ephemeralcomposer.json.composer.jsonis touched, no Packagist-side config changes, nothing user-facing.altis/<name>lives athumanmade/altis-<name>.git. True for every module today.Follow-up after merge
Module callers pin this workflow by SHA in their own
.github/workflows/ci.yml. After merge, runhumanmade/altis/scripts/update-module-gha-ref.shto re-pin the 12 callers — same script used after #1056.Test plan
Module CIself-test) passes.🤖 Generated with Claude Code