Ungathered Thoughts

Showing Composer dependency changes on MRs from a CI job

I am a fan of davidrjonas/composer-lock-diff for showing the dependency changes in a change set, and often use its --md output to make them highly visible in a merge request.

I decided to make a quick job that would give me a one-click run of the tool in the merge request pipelines, so I could copy from there back to the MR.

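composer changes:
  needs: [ ]
  stage: check
  rules:
    # Only run in merge request pipelines that touch composer.lock
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
      changes:
        - composer.lock
  # Informational job: a failure here does not fail the pipeline
  allow_failure: true
  script:
    # Put globally installed Composer binaries on the PATH
    - PATH=$PATH:$( composer global config home )/vendor/bin
    # Make sure the target branch ref is available for --from
    - git fetch origin
    - composer global require davidrjonas/composer-lock-diff:^1.0
    - composer-lock-diff --from origin/$CI_MERGE_REQUEST_TARGET_BRANCH_NAME --md | tee composer-changes.txt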

Catching an artifact with tee isn't much help really; it's quicker to copy straight from the job output, but you can add that file as an artifact if you like.

(I'm still deciding whether this is best with or without a when: manual.)

Probably GitLab has a more full-featured version of this in its fancy money tools, but this small addition is really handy.

It would be nice to extend this to automatically add a "Dependency changes" section to the MR description, or in a comment.
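One way to do the comment variant, as an added example that is not part of the original post: a script the job could run after composer-lock-diff to post composer-changes.txt through the GitLab merge request notes API. It assumes a hypothetical masked CI/CD variable NOTE_TOKEN holding a project access token with api scope; the file names come from the job above, except composer-note.md, which is made up here.

```shell
#!/bin/sh
# Added example: post composer-lock-diff output as a merge request comment.
# NOTE_TOKEN is a hypothetical masked CI/CD variable (project access token,
# "api" scope); it is an assumption and not part of the original job.

# Wrap the diff in a "Dependency changes" section.
# Returns non-zero when the file is missing, empty or only whitespace,
# so a lock file change with no package changes posts nothing.
build_note() {
    diff_file=$1
    if ! grep -q '[^[:space:]]' "$diff_file" 2>/dev/null; then
        return 1
    fi
    printf '## Dependency changes\n\n'
    cat "$diff_file"
}

# Create the note on the current merge request.
# --data-urlencode "body@file" lets curl read and encode the Markdown,
# so package names never pass through shell quoting or hand-built JSON.
post_note() {
    note_file=$1
    curl --fail --silent --show-error --request POST \
        --header "PRIVATE-TOKEN: ${NOTE_TOKEN}" \
        --data-urlencode "body@${note_file}" \
        "${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/merge_requests/${CI_MERGE_REQUEST_IID}/notes" \
        >/dev/null
}

# Only act inside a merge request pipeline that has the token available.
if [ -n "${CI_MERGE_REQUEST_IID:-}" ] && [ -n "${NOTE_TOKEN:-}" ]; then
    if build_note composer-changes.txt > composer-note.md; then
        post_note composer-note.md
    else
        echo "No dependency changes to report"
    fi
fi
```

Every pipeline run that touches composer.lock adds another comment, so this pairs naturally with when: manual.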

See also: Dependency Track from Gitlab CI.