What happens to the site dot Git directory on production deploy

Disclaimer: I have limited familiarity with this topic.

Managing dependencies with composer is ideal. However, it seems that challenges arise with 1) private/paid plugins, 2) non-dev clients who want to update without having to deal with composer, and 3) a large number of composer deps to be constantly updated.

I respect that you’re ambitiously trying to deal with a tough issue. After doing only a superficial reading of your process, my main concerns are 1) the complexity of the process, 2) the modifications required to Trellis (but ultimately maybe Trellis core will need modification to address the issue?), and 3) the result that you would end up with version mismatch between installed plugins and plugin versions listed in composer.json and composer.lock. On this last point, for example, imagine that a user updates a plugin but your next Trellis deploy downgrades back to the older version listed in composer.lock. But maybe your process somehow prevents that.

I wonder if it would actually be less hassle – and easier for someone else to inherit your project – if you were to just have the clients or an update notifier plugin email you about needed updates, then you just do them manually via the regular composer process.

Composer access to private plugins

This isn’t directly on topic, but for the sake of completeness, I’ll mention that there is a fair amount of discussion and options related to dealing with private plugins in composer. Here’s a big long thread on various options with private plugins. A couple big agencies I know of have begun using private packagist with great satisfaction.

Updating composer dependencies

I’m even less familiar with the issue of autoupdating composer dependencies. I suspect that few people have found a broadly applicable solution.

Some recent posts that are related in my mind:

As for being notified of needed plugin updates, I don’t have a service I’ve used personally, but there are plugins that will at least offer notification via email, e.g., WP Updates Notifier and Wordfence. I haven’t evaluated them, so these aren’t endorsements. Even if you are notified you still face the labor of manually updating all the composer deps.

I haven’t even tried looking yet, but it seems like there should be a service that…

  • monitors/detects updates for plugins you specify
  • autoupdates a project’s composer.json and composer.lock
    (and commits updates to project)
  • triggers a CI build and deploy

I’d be interested to hear about solutions people have discovered.

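Added example (not part of the original post, and not Trellis or Bedrock code): a small check for the version mismatch described above, listing plugins whose installed version is newer than the one pinned in composer.lock, so a deploy from the lock file would downgrade them. It assumes plugins are locked as packages of type `wordpress-plugin` and that the installed version is read from the `Version:` header of the plugin's main PHP file; all sample data is constructed, and pre-release suffixes are ignored.

```python
import json
import re

# Constructed sample data (not from the original post).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "wpackagist-plugin/akismet", "version": "4.1.2", "type": "wordpress-plugin"},
    {"name": "wpackagist-plugin/wordfence", "version": "7.4.0", "type": "wordpress-plugin"},
    {"name": "example/some-library", "version": "1.0.0", "type": "library"},
]})
SAMPLE_HEADERS = {  # plugin slug -> top of its main PHP file as found on the server
    "akismet": "<?php\n/**\n * Plugin Name: Akismet\n * Version: 4.2\n */",
    "wordfence": "<?php\n/*\nPlugin Name: Wordfence\nVersion: 7.4.0\n*/",
    "hello-dolly": "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.7.2\n*/",
}

def locked_plugins(lock_text):
    """Map plugin slug -> version pinned in composer.lock."""
    pinned = {}
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("type") == "wordpress-plugin":
            slug = pkg["name"].split("/", 1)[-1]
            pinned[slug] = pkg["version"].lstrip("v")
    return pinned

def header_version(php_source):
    """Read the Version field from a WordPress plugin header comment."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", php_source, re.M | re.I)
    return m.group(1) if m else None

def version_key(version):
    """Numeric sort key; trailing zeros dropped so 7.4 == 7.4.0."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def drift(lock_text, installed_headers):
    """Return (slug, installed, locked, status) for every plugin out of sync."""
    pinned, report = locked_plugins(lock_text), []
    for slug in sorted(installed_headers):
        have, want = header_version(installed_headers[slug]), pinned.get(slug)
        if want is None:
            report.append((slug, have, None, "not-in-lock"))
        elif have is None:
            report.append((slug, None, want, "no-version-header"))
        elif version_key(have) > version_key(want):
            report.append((slug, have, want, "deploy-would-downgrade"))
        elif version_key(have) < version_key(want):
            report.append((slug, have, want, "behind-lock"))
    return report

if __name__ == "__main__":
    for row in drift(SAMPLE_LOCK, SAMPLE_HEADERS):
        print(row)
```

Run before a deploy, a non-empty report means someone changed plugins outside composer and the lock file needs to be reconciled first.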