Setting up and securing a private Composer repository

As you might know, most Composer packages are hosted on Packagist. It is the default Composer package repository and it is free for open-source packages. If you don't want your packages to be open for the world to see and use, Private Packagist is one option. However, its costs can add up quickly.

Introducing Satis

Satis is an open-source solution for self-hosting Composer repositories. In practice it is a mix of a caching Composer proxy and a static site generator.

The way it works is by downloading the required packages from any source Composer supports (e.g. GitHub or Packagist) and then re-hosting those packages on your own server. Because Satis generates a static site, once it has produced the files we can serve our packages straight from any plain file host (an NGINX vhost, or object storage such as S3) without running PHP at request time.

Setting up Satis with private repositories

The Satis docs are straightforward: download Satis from GitHub, add your packages to the satis.json config file and run its build command.

Here's a version of what that satis.json config looks like:

{
  "name": "my-company/satis",
  "homepage": "https://satis.my-company.com",
  "output-dir": "public",
  "repositories": [
    { "type": "vcs", "url": "https://github.com/my-company/private-package-1" },
    { "type": "vcs", "url": "https://github.com/my-company/private-package-2" }
  ],
  "archive": {
    "directory": "dist",
    "skip-dev": false
  },
  "require-all": true
}

A couple of notes:

  • The output-dir is set to public; that is the directory the webserver will serve.
  • In archive we tell Satis to also build ZIP archives of each package version into dist/, so that clients download the code from our Satis server instead of from GitHub. With skip-dev set to false, dev branches get archives too.
  • require-all makes Satis resolve and publish every version of every listed repository, so nothing has to be pinned in satis.json.

Building Satis

Next we'll generate the static Satis files and package archives using the build command (satis.json is the default config file, but naming it keeps the command explicit):

php bin/satis build satis.json

If your repositories are private, the machine that runs the build needs read access to them. This can be achieved by generating a GitHub personal access token (OAuth token) and adding it to the auth.json in the Composer home directory on your Satis server (~/.composer/auth.json by default on most systems; $XDG_CONFIG_HOME/composer/auth.json on distributions that follow the XDG layout). That token lets its holder read every private repository its owner can reach, so scope it as narrowly as GitHub allows, keep the file readable only by the build user (chmod 600), and never let it land in the output directory you are about to publish.

{
    "github-oauth": {
        "github.com": "oauth_token_goes_here"
    }
}

Now, run php bin/satis build satis.json on the production Satis server to generate the repository files. If everything goes well, the public/ directory will be created with:

  • packages.json: the repository manifest that lists the available packages and versions, with their download locations.
  • dist/: the ZIP archives for every hosted package version.
  • index.html: a simple web page with information about the packages.
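A post-build check for that public/ directory, added here as an example and not part of the original post or of Satis itself: it reads packages.json, confirms that every listed dist archive exists under the output directory, that its URL points at our own homepage rather than back at GitHub, and that the sha1 shasum recorded for it (the value Composer verifies after download) matches the file on disk, and it refuses an output directory that contains auth.json or satis.json. The packages.json shape, the "includes" map of path to sha1, and the sample archive written by build_sample_repo() are assumptions and constructed data for the example, not taken from the post.

```python
"""Post-build integrity check for a Satis output directory.

Added example, not the post's or Satis's own code.  Assumes (from Composer's
repository format, not from the post) that each version's dist entry carries a
sha1 "shasum", and that Satis may move package lists into files listed under
"includes" together with their sha1.  All sample data here is constructed.
"""
import hashlib
import json
import os
import tempfile
import zipfile
from urllib.parse import urlparse

# Files that must never sit inside the directory the webserver publishes.
SENSITIVE_NAMES = {"auth.json", "satis.json", ".git", ".env"}

def sha1_of_file(path):
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_satis_output(output_dir, homepage):
    """Return a list of problems found; an empty list means the output is consistent."""
    problems = []
    manifest = os.path.join(output_dir, "packages.json")
    if not os.path.isfile(manifest):
        return ["packages.json is missing"]
    with open(manifest) as f:
        data = json.load(f)
    packages = dict(data.get("packages", {}))
    # Package lists split out into include files are covered by a sha1 in packages.json.
    for inc_path, inc_meta in data.get("includes", {}).items():
        inc_file = os.path.join(output_dir, inc_path)
        if not os.path.isfile(inc_file):
            problems.append(f"include file {inc_path} is missing")
            continue
        if sha1_of_file(inc_file) != inc_meta.get("sha1"):
            problems.append(f"include file {inc_path} does not match its sha1")
        with open(inc_file) as f:
            packages.update(json.load(f).get("packages", {}))
    base = homepage.rstrip("/") + "/"
    for name, versions in packages.items():
        for version, meta in versions.items():
            dist = meta.get("dist")
            if not dist:
                problems.append(f"{name} {version}: no dist entry, archive was not built")
                continue
            url = dist.get("url", "")
            # Every download must come from our server, never straight from GitHub.
            if not url.startswith(base):
                problems.append(f"{name} {version}: dist url {url} is not under {homepage}")
                continue
            rel = urlparse(url).path.lstrip("/")
            if ".." in rel.split("/"):
                problems.append(f"{name} {version}: dist url escapes the output dir")
                continue
            local = os.path.join(output_dir, rel)
            if not os.path.isfile(local):
                problems.append(f"{name} {version}: archive {rel} is missing")
            elif sha1_of_file(local) != dist.get("shasum"):
                problems.append(f"{name} {version}: shasum mismatch for {rel}")
    for root, dirs, files in os.walk(output_dir):
        for entry in dirs + files:
            if entry in SENSITIVE_NAMES:
                leaked = os.path.relpath(os.path.join(root, entry), output_dir)
                problems.append(f"sensitive file published in output dir: {leaked}")
    return problems

def build_sample_repo(output_dir, homepage):
    """Write a minimal, constructed Satis-style output dir; returns the archive path."""
    dist_dir = os.path.join(output_dir, "dist")
    os.makedirs(dist_dir, exist_ok=True)
    archive = os.path.join(dist_dir, "my-company-private-package-1-1.0.0.zip")
    with zipfile.ZipFile(archive, "w") as z:
        z.writestr("composer.json", '{"name": "my-company/private-package-1"}')
    manifest = {"packages": {"my-company/private-package-1": {"1.0.0": {
        "name": "my-company/private-package-1",
        "version": "1.0.0",
        "dist": {"type": "zip",
                 "url": homepage + "/dist/" + os.path.basename(archive),
                 "shasum": sha1_of_file(archive)},
    }}}}
    with open(os.path.join(output_dir, "packages.json"), "w") as f:
        json.dump(manifest, f)
    return archive

def run_demo():
    """Clean build passes; a modified archive and a leaked auth.json are both reported."""
    homepage = "https://satis.my-company.com"
    with tempfile.TemporaryDirectory() as out:
        archive = build_sample_repo(out, homepage)
        clean = verify_satis_output(out, homepage)
        with open(archive, "ab") as f:      # simulate tampering after the build
            f.write(b"tampered")
        tampered = verify_satis_output(out, homepage)
        with open(os.path.join(out, "auth.json"), "w") as f:
            f.write('{"github-oauth": {"github.com": "token"}}')
        leaked = verify_satis_output(out, homepage)
    return clean, tampered, leaked

if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "leaked"), run_demo()):
        print(label, result or "ok")
```

Run it against a real build with verify_satis_output("public", "https://satis.my-company.com") before syncing the directory to the webserver; a non-empty result means either the build is incomplete, an archive was changed after Satis wrote its manifest, or a credential file is about to be published.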

Congratulations, you've just mirrored the packages from your private GitHub repositories onto a Satis server! Keep in mind that everything under public/, the ZIP archives of your private code included, is served to whoever can reach that server, so it must not go live without authentication in front of it.