{"id":13617893,"url":"https://github.com/ramsey/composer-install","last_synced_at":"2026-03-16T02:11:22.312Z","repository":{"id":37989800,"uuid":"296427614","full_name":"ramsey/composer-install","owner":"ramsey","description":":gift: A GitHub Action to streamline installation of PHP dependencies with Composer.","archived":false,"fork":false,"pushed_at":"2025-12-15T21:02:11.000Z","size":2780,"stargazers_count":256,"open_issues_count":18,"forks_count":36,"subscribers_count":3,"default_branch":"v3","last_synced_at":"2026-02-24T13:16:57.236Z","etag":null,"topics":["cache","composer","github-actions","install","php"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ramsey.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":".github/FUNDING.yml","license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null},"funding":{"github":"ramsey"}},"created_at":"2020-09-17T19:50:08.000Z","updated_at":"2026-02-19T10:29:38.000Z","dependencies_parsed_at":"2024-02-23T20:21:41.702Z","dependency_job_id":"d2de0c1d-3314-4bee-9d8e-7500a3174388","html_url":"https://github.com/ramsey/composer-install","commit_stats":{"total_commits":146,"total_committers":9,"mean_commits":16.22222222222222,"dds":0.5342465753424658,"last_synced_commit":"3bbf9379433241759c5520eaad0dc8e471cb2be5"},"previous_names":[],"tags_count":22,"template":false,"template_full_name":null,"purl":"pkg:github/ramsey/composer-install","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ramsey%2Fcomposer-install","tags_url":"https://r
epos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ramsey%2Fcomposer-install/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ramsey%2Fcomposer-install/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ramsey%2Fcomposer-install/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ramsey","download_url":"https://codeload.github.com/ramsey/composer-install/tar.gz/refs/heads/v3","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ramsey%2Fcomposer-install/sbom","scorecard":{"id":760956,"data":{"date":"2025-08-11","repo":{"name":"github.com/ramsey/composer-install","commit":"3cf229dc2919194e9e36783941438d17239e8520"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5,"checks":[{"name":"Packaging","score":-1,"reason":"packaging workflow not detected","details":["Warn: no GitHub/GitLab publishing workflow detected."],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Maintained","score":5,"reason":"6 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":5,"reason":"Found 14/28 approved 
changesets -- score normalized to 5","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":-1,"reason":"no workflows found","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":-1,"reason":"No tokens found","details":null,"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":-1,"reason":"no dependencies found","details":null,"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security 
policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: MIT License: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 16 are checked with a 
SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}}]},"last_synced_at":"2025-08-22T23:29:50.401Z","repository_id":37989800,"created_at":"2025-08-22T23:29:50.401Z","updated_at":"2025-08-22T23:29:50.401Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":30020113,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-03-02T20:56:45.032Z","status":"ssl_error","status_checked_at":"2026-03-02T20:51:18.182Z","response_time":60,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cache","composer","github-actions","install","php"],"created_at":"2024-08-01T20:01:49.913Z","updated_at":"2026-03-16T02:11:22.302Z","avatar_url":"https://github.com/ramsey.png","language":"Shell","funding_links":["https://github.com/sponsors/ramsey"],"categories":["Shell"],"sub_categories":[],"readme":"\u003ch1 align=\"center\"\u003eramsey/composer-install\u003c/h1\u003e\n\n\u003cp align=\"center\"\u003e\n    \u003cstrong\u003eA GitHub Action to streamline installation of PHP dependencies with Composer.\u003c/strong\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n    \u003ca href=\"https://github.com/ramsey/composer-install\"\u003e\u003cimg 
src=\"https://img.shields.io/badge/source-ramsey/composer--install-blue.svg?style=flat-square\" alt=\"Source Code\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/ramsey/composer-install/blob/main/LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-MIT-darkcyan.svg?style=flat-square\" alt=\"Read License\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://github.com/ramsey/composer-install/actions/workflows/continuous-integration.yml\"\u003e\u003cimg src=\"https://img.shields.io/github/actions/workflow/status/ramsey/composer-install/continuous-integration.yml?branch=v3\u0026logo=github\u0026style=flat-square\" alt=\"Build Status\"\u003e\u003c/a\u003e\n    \u003ca href=\"https://codecov.io/gh/ramsey/composer-install\"\u003e\u003cimg src=\"https://img.shields.io/codecov/c/gh/ramsey/composer-install/v3?label=codecov\u0026logo=codecov\u0026style=flat-square\" alt=\"Codecov Code Coverage\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n## About\n\nramsey/composer-install is a GitHub Action to streamline installation of\nComposer dependencies in workflows. It installs your Composer dependencies and\ncaches them for improved build times.\n\nThis project adheres to a [code of conduct](CODE_OF_CONDUCT.md).\nBy participating in this project and its community, you are expected to\nuphold this code.\n\n## Dependencies\n\nThis GitHub Action requires [PHP](https://www.php.net) and\n[Composer](https://getcomposer.org). One way to ensure you have both is to use\nthe [Setup PHP GitHub Action](https://github.com/shivammathur/setup-php).\n\nThe step that sets up PHP and Composer for your environment *must* come before\nthe ramsey/composer-install step.\n\n## Usage\n\nUse ramsey/composer-install as a step within a job. 
This example also shows use of\nthe [Setup PHP](https://github.com/shivammathur/setup-php) action as a step.\n\n```yaml\n- uses: \"shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f\" # 2.37.0\n  with:\n    php-version: \"latest\"\n- uses: \"ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947\" # 3.2.0\n```\n\n\u003e [!TIP]\n\u003e There is no need to set up a separate caching step since ramsey/composer-install handles this for you.\n\n### Input Parameters\n\n#### dependency-versions\n\nThe `dependency-versions` input parameter allows you to select whether the job\nshould install the locked, highest, or lowest versions of Composer dependencies.\n\nValid values are:\n\n* `locked`: (default) installs the locked versions of Composer dependencies\n  (equivalent to running `composer install`)\n\n* `highest`: installs the highest versions of Composer dependencies\n  (equivalent to running `composer update`)\n\n* `lowest`: installs the lowest versions of Composer dependencies (equivalent\n  to running `composer update --prefer-lowest --prefer-stable`)\n\nFor example:\n\n```yaml\n- uses: \"ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947\" # 3.2.0\n  with:\n    dependency-versions: \"lowest\"\n```\n\n#### composer-options\n\nramsey/composer-install always passes the `--no-interaction`, `--no-progress`,\nand `--ansi` options to the `composer` command. If you'd like to pass additional\noptions, you may use the `composer-options` input parameter.\n\nFor example:\n\n```yaml\n- uses: \"ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947\" # 3.2.0\n  with:\n    composer-options: \"--ignore-platform-reqs --optimize-autoloader\"\n```\n\n#### composer-filename\n\nIf you have a custom Composer filename, you may use `composer-filename` to change\nthe filename Composer uses. 
For example, your Composer file could be\n`composer-gh-actions.json` or `composer-staging.json` instead of the default\n`composer.json`.\n\nYou should specify the filename without the extension, since it will determine\nboth the JSON and lock filenames to use. The default value is `\"composer\"`,\nwhich will use `composer.json` and `composer.lock` as the filenames.\n\nFor example:\n\n```yaml\n- uses: \"ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947\" # 3.2.0\n  with:\n    composer-filename: \"composer-gh-actions\"\n```\n\n#### working-directory\n\nThe `working-directory` input parameter allows you to specify a different\nlocation for your `composer.json` file. For example, if your `composer.json` is\nlocated in `packages/acme-foo/`, use `working-directory` to tell\nramsey/composer-install where to run things.\n\n```yaml\n- uses: \"ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947\" # 3.2.0\n  with:\n    working-directory: \"packages/acme-foo\"\n```\n\nYou may use this step as many times as needed, if you have multiple\n`composer.json` files.\n\nFor example:\n\n```yaml\n# Install dependencies using composer.json in the root.\n- uses: \"ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947\" # 3.2.0\n\n# Install dependencies using composer.json in src/Component/Config/\n- uses: \"ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947\" # 3.2.0\n  with:\n    working-directory: \"src/Component/Config\"\n\n# Install dependencies using composer.json in src/Component/Validator/\n- uses: \"ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947\" # 3.2.0\n  with:\n    working-directory: \"src/Component/Validator\"\n```\n\n#### ignore-cache\n\nNormally, ramsey/composer-install preserves composer's cache between jobs\nso that subsequent identically-invoked jobs execute faster.\nIf you have jobs for which you wish to completely ignore the caching step, you\nmay use the `ignore-cache` input parameter. 
When present, ramsey/composer-install\nwill neither read from nor write to the cache.\n\nValues of `'yes'`, `true`, or `1` will tell the action to ignore the cache. For\nany other value, the action will use the default behavior, which is to read from\nand store to the cache.\n\n```yaml\n- uses: \"ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947\" # 3.2.0\n  with:\n    ignore-cache: \"yes\"\n```\n\n#### custom-cache-key\n\nThere may be times you wish to specify your own cache key. You may do so with\nthe `custom-cache-key` input parameter. When provided, ramsey/composer-install\nwill not use the auto-generated cache key, so if your `composer.json` or\n`composer.lock` files change, you'll need to update the custom cache key if you\nwish to update the cache.\n\n```yaml\n- uses: \"ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947\" # 3.2.0\n  with:\n    custom-cache-key: \"my-custom-cache-key\"\n```\n\n#### custom-cache-suffix\n\n`ramsey/composer-install` will auto-generate a cache key which is composed of\nthe following elements:\n* The OS image name, like `Linux`, `Windows`, etc.\n* The exact PHP version, like `8.5.4`.\n* The options passed via `composer-options`.\n* The dependency version setting as per `dependency-versions`.\n* The working directory as per `working-directory`.\n* A hash of the `composer.json` and/or `composer.lock` files.\n\nIf you don't want to generate your own cache key, but do want to make the cache key\neven more specific, you can specify a suffix to be added to the cache key via the\n`custom-cache-suffix` parameter.\n\n```yaml\n# Adds a suffix to the cache key which is equivalent to the full date-time\n# of \"last Monday 00:00\", which means that the cache will be force refreshed\n# via the first workflow which is run every Monday.\n- uses: \"ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947\" # 3.2.0\n  with:\n    custom-cache-suffix: $(/bin/date -u --date='last Mon' \"+%F\")\n```\n\n\u003e 
[!WARNING]\n\u003e Specifying a `custom-cache-key` will take precedence over the `custom-cache-suffix`.\n\n\n#### require-lock-file\n\nBy default, if no composer.lock file is found in the working directory\nramsey/composer-install will invoke `composer update` regardless of the value of\n`dependency-versions`.\n\nIf this is set to a value of `true`, ramsey/composer-install will fail in its\nexecution if it does not find a lock file.\n\n\n### Fork and private repositories\n\nSometimes it's necessary to use the `repositories` key in your `composer.json` to\npull in forks, PRs with patches, or private repositories. In this case, your\nGitHub Action may start failing with a `Could not authenticate against github.com`\nerror message. To solve this, you need to use an authorized token. Luckily,\n[GHA provides you with one automatically at each run][]; all you need to do is\nset the `repository-projects` permission to `read`:\n\n```yaml\njob:\n  permissions:\n    repository-projects: read\n  steps:\n  # ...\n  - uses: \"ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947\" # 3.2.0\n    env:\n      COMPOSER_AUTH: '{\"github-oauth\": {\"github.com\": \"${{ secrets.GITHUB_TOKEN }}\"}}'\n```\n\nIn the example above, `COMPOSER_AUTH` is the [default environment variable that Composer supports][]\nto dynamically configure its authentication. 
If you have other authentication tokens\nin use, and you don't want to conflict with those, you can record the token\nprogrammatically, as in the example below:\n\n```yaml\njob:\n  permissions:\n    repository-projects: read\n  steps:\n  # ...\n  - run: composer config -- github-oauth.github.com ${{ secrets.GITHUB_TOKEN }}\n    name: Register GitHub token for Composer\n  - uses: \"ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947\" # 3.2.0\n```\n\nUnlike `COMPOSER_AUTH`, `composer config` writes the token to Composer's `auth.json` file on the runner, so keep that file out of any artifacts or caches the workflow uploads.\n\nNote that this approach is only valid for public forks; if you need to access\nprivate repositories, you must create a secret in the repository that runs the\naction, and use it to store a Personal Access Token with a `read:project` scope\nfrom a user that is allowed to read those repositories, and use it in place of\n`secrets.GITHUB_TOKEN`. In the following example, the PAT is stored in a secret\ncalled `COMPOSER_PAT`:\n\n```yaml\nenv:\n  COMPOSER_AUTH: '{\"github-oauth\": {\"github.com\": \"${{ secrets.COMPOSER_PAT }}\"}}'\n```\n\nFor more information on how to do that on your repository, see [Creating a personal access token][]\nand [Creating encrypted secrets for a repository][] in the GitHub documentation.\n\n### Matrix Example\n\nGitHub Workflows allow you to set up a [job matrix](https://docs.github.com/en/actions/reference/workflow-syntax-for-github-actions#jobsjob_idstrategymatrix),\nwhich allows you to configure multiple jobs for the same steps by using variable\nsubstitution in the job definition.\n\nHere's an example of how you might use the `dependency-versions` and\n`composer-options` input parameters as part of a job matrix.\n\n```yaml\nstrategy:\n  matrix:\n    php:\n      - \"8.3\"\n      - \"8.4\"\n      - \"8.5\"\n    dependencies:\n      - \"lowest\"\n      - \"highest\"\n    include:\n      - php-version: \"8.3\"\n        composer-options: \"--ignore-platform-reqs\"\n\nsteps:\n  - uses: \"actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd\" # v6.0.2\n  - uses: 
\"shivammathur/setup-php@accd6127cb78bee3e8082180cb391013d204ef9f\" # 2.37.0\n    with:\n      php-version: \"${{ matrix.php }}\"\n  - uses: \"ramsey/composer-install@a35c6ebd3d08125aaf8852dff361e686a1a67947\" # 3.2.0\n    with:\n      dependency-versions: \"${{ matrix.dependencies }}\"\n      composer-options: \"${{ matrix.composer-options }}\"\n```\n\n## Contributing\n\nContributions are welcome! Before contributing to this project, familiarize\nyourself with [CONTRIBUTING.md](CONTRIBUTING.md).\n\n## Copyright and License\n\nThe ramsey/composer-install GitHub Action is copyright © [Ben Ramsey](https://benramsey.com)\nand licensed for use under the terms of the MIT License (MIT). Please see\n[LICENSE](LICENSE) for more information.\n\n\n[GHA provides you with one automatically at each run]: https://docs.github.com/en/actions/security-for-github-actions/security-guides/automatic-token-authentication\n[default environment variable that Composer supports]: https://getcomposer.org/doc/articles/authentication-for-private-packages.md#authentication-using-the-composer-auth-environment-variable\n[Creating a personal access token]: https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token\n[Creating encrypted secrets for a repository]: https://docs.github.com/en/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Framsey%2Fcomposer-install","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Framsey%2Fcomposer-install","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Framsey%2Fcomposer-install/lists"}