
Authorisation with auth.json

To build and update your Magento instance, an auth.json file with valid credentials must be available to BlueFinch Patch. If your repositories contain an auth.json, this is already the case.

If your repositories do not contain an auth.json, you will need to provide BlueFinch Patch with it manually. You can do this for each repository within its Settings page. This will be stored securely encrypted and only used for accessing your dependencies during Job runs.

Your auth.json will look something like this:

{
  "http-basic": {
    "repo.magento.com": {
      "username": "<public-key>",
      "password": "<private-key>"
    }
  }
}

If you have other repositories that provide third-party dependencies, keys for them will need to be included as well. This includes vendors like Amasty, Mageworx, and others.

You may also have installed packages directly from GitHub repositories. If this is the case, your auth.json should also include a GitHub OAuth token.

{
  ...
  "github-oauth": {
    "github.com": "token"
  }
  ...
}

Testing your auth.json

You can verify your auth.json locally prior to uploading by doing the following.

Verify access to packages

  1. Clean up the existing vendor directory with rm -rf vendor/
  2. Place the auth.json you are going to upload in your project root.
  3. Run the following command to trigger the installation with only the auth.json in your project root.
    # override COMPOSER_AUTH to ensure no environment auth.json is provided
    # override COMPOSER_HOME to ensure no global auth.json is provided
    # install without cache and no interaction to emulate CI executions
    COMPOSER_AUTH='{}' COMPOSER_HOME=$(mktemp -d) composer install --no-cache --no-interaction --no-scripts --no-plugins
  4. If you have any errors then update your auth.json and repeat the command until it executes successfully.
  5. If any github.com repositories are present in your composer.json, provide a token to ensure no rate limiting is applied. These rate limits are not often reproducible locally, so a token should be provided in any case.
  6. If you source your magento/* repositories from a private packagist instance, then an update token should be provided.

Verify access to repositories

At this point you have valid credentials to install all your current packages. We also need to confirm that your credentials allow for scans across your repositories.

The following command can take a little time to run, depending on the number of repositories present in your composer.json.

# override COMPOSER_AUTH to ensure no environment auth.json is provided
# override COMPOSER_HOME to ensure no global auth.json is provided
# update without cache and no interaction to emulate CI executions
COMPOSER_AUTH='{}' COMPOSER_HOME=$(mktemp -d) composer update nothing --no-install --no-cache --no-interaction --no-scripts --no-plugins
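
As a complement to the two Composer commands above, here is a static pre-upload check (an added example, not BlueFinch Patch's own code). It compares the hosts listed under "repositories" in composer.json with the hosts that have an entry in auth.json, and flags credentials that are empty or still template values, reporting only section and host names so that no secret is printed. The function names and the host composer.vendor.example are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse

# Credential sections Composer reads from auth.json, each keyed by host name.
AUTH_SECTIONS = ("http-basic", "github-oauth", "gitlab-oauth",
                 "gitlab-token", "bitbucket-oauth", "bearer")

def repo_hosts(composer):
    """Remote hosts named in the "repositories" section of composer.json."""
    repos = composer.get("repositories", [])
    # Composer accepts either a list or a name-keyed object here.
    repos = list(repos.values()) if isinstance(repos, dict) else repos
    hosts = set()
    for repo in repos:
        # Entries such as "packagist.org": false carry no URL.
        url = repo.get("url", "") if isinstance(repo, dict) else ""
        host = urlparse(url).hostname  # None for local "path"/"artifact" entries
        if host is None and "@" in url and ":" in url:
            host = url.split("@", 1)[1].split(":", 1)[0]  # git@host:vendor/pkg.git
        if host:
            hosts.add(host.lower())
    return hosts

def is_placeholder(value):
    """True for empty values and for template values like those shown on this page."""
    text = str(value).strip()
    return not text or text == "token" or (text.startswith("<") and text.endswith(">"))

def check(composer_text, auth_text):
    """Report hosts lacking credentials and placeholder entries; never echoes secrets."""
    composer, auth = json.loads(composer_text), json.loads(auth_text)
    covered, placeholders = set(), []
    for section in AUTH_SECTIONS:
        for host, cred in auth.get(section, {}).items():
            covered.add(host.lower())
            values = cred.values() if isinstance(cred, dict) else [cred]
            if any(is_placeholder(v) for v in values):
                placeholders.append(f"{section}:{host}")
    return {"hosts_without_credentials": sorted(repo_hosts(composer) - covered),
            "placeholder_credentials": sorted(placeholders)}

# Constructed sample input; composer.vendor.example is a made-up host.
SAMPLE_COMPOSER = json.dumps({"repositories": [
    {"type": "composer", "url": "https://repo.magento.com/"},
    {"type": "composer", "url": "https://composer.vendor.example/"},
    {"type": "vcs", "url": "git@github.com:example/module.git"},
    {"type": "path", "url": "packages/*"}]})
SAMPLE_AUTH = json.dumps({"http-basic": {"repo.magento.com": {
    "username": "<public-key>", "password": "<private-key>"}}})

if __name__ == "__main__":
    print(check(SAMPLE_COMPOSER, SAMPLE_AUTH))
```

A host reported without credentials may simply be public, so treat the list as a prompt for review; the Composer commands above remain the real test of access.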