Conductor will group and schedule automated dependency updates on your own Continuous Integration platform. If the update succeeds, Conductor sends you a pull request to your code hosting platform (GitHub, GitLab, Bitbucket) with the changed composer.lock file and, if necessary, other files modified by Composer plugins or scripts.

To use Conductor:

• You need to be approved for early access to Conductor. Join to the waitlist and wait for approval.
• You need a Private Packagist trial or subscription on the cloud plan.
• You need to add a workflow to your Continuous Integration platform to run Composer updates, described below.

Add packages to update automatically

Once you have a Private Packagist organization and Conductor is enabled for you, log into your Private Packagist organization and click on the "Updates" tab in the main navigation.

Conductor will manage dependencies for packages added to Private Packagist via synchronization that have a composer.lock file committed to the repository.

Create a workflow on your CI

GitHub Actions

Create a new GitHub Actions workflow in .github/workflows/dependency-update.yaml of your GitHub repository using the template below:

name: Private Packagist Conductor
run-name: "${{ github.event.client_payload.commitMessage }}"

on:
    repository_dispatch:
        types:
            - dependency_update

permissions:
    contents: write

jobs:
    update:
        name: Private Packagist Conductor
        runs-on: "ubuntu-latest"
        env:
            COMPOSER_AUTH: ${{ secrets.COMPOSER_AUTH }}

        steps:
            - uses: actions/checkout@v4

            - name: Install PHP
              uses: "shivammathur/setup-php@v2"
              with:
                  coverage: "none"
                  ini-values: "memory_limit=-1"
                  php-version: "8.2"

            # Set up any necessary config files or database here before composer install is run

            - name: Install dependencies
              uses: "ramsey/composer-install@v3"

            - name: Composer update
              run: "${{ github.event.client_payload.updateCommand.plain }}"

            - name: Commit and push
              uses: stefanzweifel/git-auto-commit-action@v5
              with:
                  commit_message: ${{ github.event.client_payload.commitMessage }}
                  commit_user_name: ${{ github.event.client_payload.git.name }}
                  commit_user_email: ${{ github.event.client_payload.git.email }}
                  branch: ${{ github.event.client_payload.branch }}
                  create_branch: true
                  file_pattern: '.'
                  push_options: '--force'

            - name: Call webhook from Private Packagist to create the PR
              run: |
                  curl -fsSL -X POST ${{ github.event.client_payload.webhook.executedUrl }}

            - name: Call webhook from Private Packagist to notify about build failure
              if: ${{ failure() }}
              run: |
                  curl -fsSL -X POST ${{ github.event.client_payload.webhook.errorUrl }}

1. Adjust the PHP Version used in the "Install PHP" step
2. Commit and push the workflow to your main branch of your package repository

Create a secret COMPOSER_AUTH with the Composer authentication configuration as described here to access Private Packagist.
We recommend to create a dedicated authentication token with update access. You can copy and paste the contents for the secret from the "Environment variable" tab in the Private Packagist UI while creating the token in "Settings" -> "Authentication Tokens". Remove the single quotes around the value.

The contents of the variable should look like

{"http-basic": {"repo.packagist.com": {"username": "token", "password": "packagist_out_73a81c..." }}}

Conductor needs to verify your CI setup before you can start receiving pull requests.

Verify your CI setup

Right now all tasks are waiting for the CI verification task on top of the list. Conductor will not start with the regular schedule until this verification task was successful. The verification task will only execute composer update nothing and will not result in a PR to be sent to your code hosting platform.

• Click on the task "Verify the continuous integration setup"
• Use the "Schedule now" button to test your setup

You can see the state of your task and the last events for the task. Once the task is executed, watch your CI platform: You should see a run for the just added workflow. Examine the run to see if it succeeded.

If it was successful your CI configuration is verified and complete. Conductor will trigger your workflow with the next task in the list. This time it will send a pull request.

When you run into errors, troubleshoot and fix them. You can trigger the workflow again by restarting the CI verification task. The restart button is available after the first execution.

How scheduling works

• Navigate to the "Updates" tab in your Private Packagist organization
• Click on the name of your package

The list shows groups of all available updates to be scheduled. Each group of updates is called a task. Conductor will schedule only one task at a time. All others are waiting for the task on top of the list to be successful or paused.
Once Conductor schedules a task it sends a payload to your CI platform that triggers the workflow you just added. The payload contains the commands Composer will run to update a group of dependencies from your package.

The workflow consists of several steps:

1. Checkout the code from your repository
2. Set up PHP
3. Run composer install
4. Run Composer update commands
5. Commit changed files (composer.lock, ...)
6. Push commits to a new branch (or force push an existing branch)
7. Send the status of the workflow to Private Packagist

If all these steps succeeded, Private Packagist creates a pull request for the newly pushed branch. The PR description will contain details about the update and changelogs from your dependencies. Conductor integrates with Update Review to present a reviewable list of all updated dependencies.

Once you reviewed the changes and merged the PR, Conductor will schedule the next task.
If you close the PR, the task will be paused and Conductor will schedule the next task. This is the same effect as using the "Pause" button in the UI. Conductor won't attempt to update the dependency to this exact version again but will schedule updates with newer versions.

If you want to schedule any other task in the list, click on its name and use the button "Schedule now to create a PR".

Tasks fixing security issues have a higher priority. They will be moved to the top of the list and scheduled right away even if there already is a PR for another task open.