Composer Authentication
Publish PHP packages to Packagist
No CI Authentication Needed
Packagist pulls packages directly from your Git repository. You only need to set up a webhook once, then Release Pilot handles tagging.
How Packagist Works
Unlike npm or PyPI, you don't push packages to Packagist. Instead:
- Register your package on Packagist (one-time setup)
- Configure a GitHub webhook to notify Packagist of updates
- When you push a tag, Packagist fetches the new version from your repo
- Users can immediately
composer requireyour package
Initial Setup
1. Register on Packagist
- Go to packagist.org and sign in
- Click "Submit" and enter your repository URL
- Packagist will validate your
composer.json
2. Configure GitHub Webhook
This ensures Packagist updates immediately when you push tags:
- Go to your repo Settings → Webhooks
- Add webhook with URL:
https://packagist.org/api/github?username=YOUR_PACKAGIST_USERNAME - Content type:
application/json - Secret: Get from your Packagist profile → "Show API Token"
- Events: Select "Just the push event"
Alternative: Packagist API Token
You can also use GitHub Actions to notify Packagist via API, but the webhook method is simpler and more reliable.
Workflow Configuration
Release Pilot just needs to create and push tags:
permissions:
contents: write
jobs:
release:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: a-line-services/release-pilot@v1
with:
github-token: ${{ secrets.GITHUB_TOKEN }}Release Pilot Configuration
In your .github/release-pilot.yml:
ecosystem: composer
versionFile: composer.json
tagPrefix: vcomposer.json Requirements
Required Fields
{
"name": "vendor/package-name",
"description": "A short description of your package",
"type": "library",
"license": "MIT",
"autoload": {
"psr-4": {
"Vendor\\\\PackageName\\\\": "src/"
}
},
"require": {
"php": ">=8.1"
}
}Note: Packagist extracts versions from Git tags, not from composer.json. You don't need a version field.
Private Packages
For private packages, you have several options:
Private Packagist
Private Packagist is the commercial offering for private packages:
- Sign up at packagist.com
- Add your private repository
- Configure authentication in your projects
Satis (Self-Hosted)
Run your own Composer repository with Satis:
# satis.json
{
"name": "My Private Repository",
"homepage": "https://packages.example.com",
"repositories": [
{"type": "vcs", "url": "git@github.com:your-org/private-package.git"}
],
"require-all": true
}VCS Repository (Direct)
For small teams, reference private repos directly in composer.json:
{
"repositories": [
{
"type": "vcs",
"url": "git@github.com:your-org/private-package.git"
}
],
"require": {
"your-org/private-package": "^1.0"
}
}Version Constraints
Composer uses semantic versioning with these tag formats:
| Tag | Composer Version |
|---|---|
v1.2.3 |
1.2.3 |
1.2.3 |
1.2.3 |
v2.0.0-beta.1 |
2.0.0-beta1 |
Verifying Your Release
After Release Pilot creates a tag:
- Check your package page on Packagist for the new version
- The webhook should trigger within seconds
- If not updating, manually click "Update" on your Packagist package page
# Test installation
composer require your-vendor/your-package:1.2.3Troubleshooting
| Issue | Solution |
|---|---|
| Version not appearing | Check webhook delivery in GitHub Settings → Webhooks |
| Invalid composer.json | Run composer validate locally |
| Wrong version detected | Ensure tag follows semver (e.g., v1.2.3) |