Using variables inside composer.json

I’m in a situation where I would like to use a specific plugin and based on its documentation I would need to add API keys into composer.json.

I think that solution is not keeping best practices in mind by adding secrets to composer.json.

I’ve seen many posts here about the topic where people use variables in composer.json like {%VARIABLE_NAME} and it seems to work for them but I couldn’t find any documentation about that matter.

Using Trellis v1.10.0.

I’m trying to install Rank Math Pro via composer, following “How to Install Rank Math PRO Using Composer?”.

{
    "require": {
        "wpackagist-plugin/seo-by-rank-math": "*",
        "rankmath/seo-by-rank-math-pro": "*"
    },
    "repositories": [
        {
            "type": "composer",
            "url": "https://wpackagist.org"
        },
        {
            "type": "package",
            "package": {
                "name": "rankmath/seo-by-rank-math-pro",
                "type": "wordpress-plugin",
                "version": "2.7.0",
                "dist": {
                    "type": "zip",
                    "url": "https://rankmath.com/download/510590/?username=testcomposer&api_key=29d4f7d643804e96512114d420b76693"
                },
                "require": {
                    "composer/installers": "*"
                }
            }
        }
    ],
    "extra": {
        "installer-paths": {
            "wp-content/plugins/{$name}/": ["type:wordpress-plugin"]
        }
    }
}

In my composer I’d like to implement it with variables RANKMATH_USER and RANKMATH_KEY. Those variables are present in .env, also checked it in Trellis server.

{
      "type": "package",
      "package": {
        "name": "rankmath/seo-by-rank-math-pro",
        "version": "2.7.0",
        "type": "wordpress-plugin",
        "dist": {
          "type": "zip",
          "url": "https://rankmath.com/download/510590/?username={%RANKMATH_USER}&api_key={%RANKMATH_KEY}"
        },
        "require": {
          "composer/installers": "*"
        }
      }
    },

After trying to install Rank Math Pro with that solution, I get an error. Diving deeper with composer install -vvv I see that composer is not converting the variables to secrets, resulting in a redirect and composer thinking that the no-access page is a .zip file (which it’s not, and the build fails).

Installs: rankmath/seo-by-rank-math-pro:2.7.0
  - Downloading rankmath/seo-by-rank-math-pro (2.7.0)
Downloading https://rankmath.com/download/510590/?username={%RANKMATH_USER}&api_key={%RANKMATH_KEY}
[302] https://rankmath.com/download/510590/?username={%RANKMATH_USER}&api_key={%RANKMATH_KEY}

When replacing the variables with a hard-coded username and key, it works as expected.

I also provisioned the server again but that didn’t help it.

Am I missing something?
Best regards / Arli

https://getcomposer.org/doc/05-repositories.md#custom-repositories

{$VARIABLE} is how you would want to use environment variables

You could also try this syntax:

{
      "type": "package",
      "package": {
        "name": "rankmath/seo-by-rank-math-pro",
        "version": "2.7.0",
        "type": "wordpress-plugin",
        "dist": {
          "type": "zip",
          "url": "https://rankmath.com/download/510590/?username={%RANKMATH_USER}&api_key={%RANKMATH_KEY}"
        },
        "require": {
          "composer/installers": "^2.0.0",
          "ffraenz/private-composer-installer": "^5.0.0"
        }
      }
    },

…with adding the following to your composer.json config section:

"config": {
    ...,
    "allow-plugins": {
      ...,
      "ffraenz/private-composer-installer": true
    }
  },

Can’t say if the ffraenz/private-composer-installer package is still worth using since it was last updated in 2020 but it still gets the work done for me.
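
Added example, not part of the thread or of any project mentioned in it: a Python audit of a parsed composer.json that reports `package` repositories whose `dist` URL carries a literal credential, and `{%NAME}` placeholders (the form used in the posts above) that have no value in the environment. The credential parameter list, the sample document and its `example/hardcoded-plugin` package are constructed assumptions.

```python
import json
import os
import re
from urllib.parse import urlsplit

PLACEHOLDER = re.compile(r"\{%([A-Za-z_][A-Za-z0-9_]*)\}")
# Assumption: query parameters with these names carry credentials.
CREDENTIAL_PARAMS = {"username", "api_key", "key", "token", "password", "license"}

def audit_composer(doc, env=None):
    """Return (hardcoded, missing) as lists of (package, name) pairs.
    Values are never returned, so the report is safe to log."""
    env = os.environ if env is None else env
    hardcoded, missing = [], []
    repos = doc.get("repositories", [])
    for repo in repos.values() if isinstance(repos, dict) else repos:
        if not isinstance(repo, dict) or repo.get("type") != "package":
            continue
        pkgs = repo.get("package", {})
        for pkg in pkgs if isinstance(pkgs, list) else [pkgs]:
            name = pkg.get("name", "?")
            url = pkg.get("dist", {}).get("url", "")
            for var in PLACEHOLDER.findall(url):
                # Assumption: {%version} is filled by the installer plugin, not the environment.
                if var.lower() != "version" and not env.get(var):
                    missing.append((name, var))
            # Split the query by hand: percent-decoding would corrupt placeholders such as {%ACF_KEY}.
            for pair in urlsplit(url).query.split("&"):
                param, _, value = pair.partition("=")
                if param.lower() in CREDENTIAL_PARAMS and value and not PLACEHOLDER.fullmatch(value):
                    hardcoded.append((name, param))
    return hardcoded, missing

# Constructed sample: one repository with literal credentials, one with placeholders.
SAMPLE = json.loads("""
{"repositories": [
  {"type": "composer", "url": "https://wpackagist.org"},
  {"type": "package", "package": {"name": "example/hardcoded-plugin", "version": "1.0.0",
    "dist": {"type": "zip", "url": "https://downloads.example.test/p.zip?username=alice&api_key=CONSTRUCTED-NOT-A-REAL-KEY"}}},
  {"type": "package", "package": {"name": "rankmath/seo-by-rank-math-pro", "version": "2.7.0",
    "dist": {"type": "zip", "url": "https://rankmath.com/download/510590/?username={%RANKMATH_USER}&api_key={%RANKMATH_KEY}"}}}
]}
""")

if __name__ == "__main__":
    hardcoded, missing = audit_composer(SAMPLE, env={"RANKMATH_USER": "constructed-user"})
    for pkg, param in hardcoded:
        print(f"{pkg}: literal value in '{param}', move it out of composer.json")
    for pkg, var in missing:
        print(f"{pkg}: placeholder {{%{var}}} has no value in the environment")
```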