Everybody is using composer these days -- including Rackspace. Their PHP SDK page instructs how to install the SDK into one's project using composer. I'm wondering mostly how to manage my git working directory when composer is being used. I've noticed some rough spots in working with a buddy.
I created an empty dir to see what these install instructions would do.
mkdir /tmp/foo
cd /tmp/foo
# insert composer install instructions here
php composer.phar require rackspace/php-opencloud
Using version ^1.16 for rackspace/php-opencloud
./composer.json has been created
Loading composer repositories with package information
Updating dependencies (including require-dev)
Package operations: 5 installs, 0 updates, 0 removals
- Installing mikemccabe/json-patch-php (0.1.0): Downloading (100%)
- Installing psr/log (1.0.2): Downloading (100%)
- Installing symfony/event-dispatcher (v2.8.18): Downloading (100%)
- Installing guzzle/guzzle (v3.9.3): Downloading (100%)
- Installing rackspace/php-opencloud (v1.16.0): Downloading (100%)
symfony/event-dispatcher suggests installing symfony/dependency-injection ()
symfony/event-dispatcher suggests installing symfony/http-kernel ()
guzzle/guzzle suggests installing guzzlehttp/guzzle (Guzzle 5 has moved to a new package name. The package you have installed, Guzzle 3, is deprecated.)
Package guzzle/guzzle is abandoned, you should avoid using it. Use guzzlehttp/guzzle instead.
Writing lock file
Generating autoload files
Ignoring for a moment the deprecated package warning which has apparently been around for two years, and various conversations, I see that this operation has yielded a variety of files and folders:
composer.json
composer.lock
composer.phar
vendor
Now I've seen many cases of .gitignore files that ignore the vendor folder (understandably so, as one wouldn't want this bloatfest in one's repo), but I've never once seen composer.json, composer.lock, or composer.phar in the .gitignore file. I don't see composer.phar in any of these .gitignore files, but it's my strong suspicion this file doesn't belong in the repo either, as it has been auto-installed by the composer instructions.
What about composer.json and composer.lock? Seems to me that, because these files change with every composer require command I run, these files could be a hotspot in the repo as separate devs all run installs for various packages they want. Do they belong in the repo? Or do we commit composer.json and leave composer.lock out? The composer docs about the lock file say that it contains the 'exact versions' of whatever files were installed (presumably by the most recent require/install/update command).
I'm guessing that composer.json and composer.lock should both go in the repo so the various devs stay in sync, but since the vendor file is .gitignored, seems like we'll have to run php composer.phar update whenever the composer.json file gets changed by somebody.
Can anyone outline a protocol for dealing with composer and git together?