
Globally installed tools are not added to the allow-plugins option in composer.json #611

Closed
2 of 5 tasks
ste93cry opened this issue Jul 4, 2022 · 14 comments
Labels
bug Something isn't working

@ste93cry

ste93cry commented Jul 4, 2022

Describe the bug
Since version 2.2, any Composer plugin that needs to run must be listed in the allow-plugins config of the composer.json. I added the symfony/flex plugin to that list in the composer.json of my project, but it doesn't work because the tool is installed globally. To solve the problem, the composer global config --no-plugins allow-plugins.symfony/flex true command should be run as part of the setup step.

Version

  • I have checked releases, and the bug exists in the latest patch version of v1 or v2.
  • v2
  • v1

Runners

  • GitHub Hosted
  • Self Hosted

Operating systems
ubuntu-latest

PHP versions
8.1

To Reproduce

name: php
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: shivammathur/setup-php@v2
        with:
          php-version: 8.1
          tools: flex

Expected behavior
The symfony/flex plugin is installed and allowed to run thanks to it being added to allow-plugins in composer.json. There should be no warning about the plugin being blocked.

Screenshots/Logs

symfony/flex (installed globally) contains a Composer plugin which is blocked by your allow-plugins config. You may add it to the list if you consider it safe. See https://getcomposer.org/allow-plugins
You can run "composer global config --no-plugins allow-plugins.symfony/flex [true|false]" to enable it (true) or keep it disabled and suppress this warning (false)

Additional context
None

Are you willing to submit a PR?
I'm not familiar with how this action works under the hood, but I can try

@shivammathur
Owner

Fixed in a863ab6

@shivammathur shivammathur added the awaiting-release Added/Fixed and tested, awaiting release label Jul 5, 2022
@ste93cry
Author

ste93cry commented Jul 5, 2022

Just asking, is there any ETA for the release?

@shivammathur
Owner

Done 2.20.0

@shivammathur shivammathur removed the awaiting-release Added/Fixed and tested, awaiting release label Jul 5, 2022
@Seldaek

Seldaek commented Jul 5, 2022

Btw maybe flex as tool should be deprecated? I'm not sure what the use case is, but if it's about perf it does not bring any value anymore with composer 2 at least

@ste93cry
Author

ste93cry commented Jul 5, 2022

Flex is not only about performance improvements, it's about a lot of other features like forcing the installation of the same version for all symfony/* packages and managing the so-called Symfony recipes 😄

@shivammathur
Owner

@Seldaek I will keep flex for the above reason.

Also, while plugin authentication is great for security in local environments, in CI the default in my opinion would be to allow the plugins.
Can we have an environment variable like COMPOSER_ALLOW_ALL_PLUGINS for this in non-tty environments?

@Seldaek

Seldaek commented Jul 6, 2022

Flex is not only about performance improvements, it's about a lot of other features like forcing the installation of the same version for all symfony/* packages and managing the so-called Symfony recipes 😄

I'm well aware of that part but I don't understand the point of having it globally installed then. For those use cases, the project itself should really require symfony/flex in composer.json to ensure it's always present.

@Seldaek

Seldaek commented Jul 6, 2022

Also, While plugin authentication is great for security in local environments, in CI the default in my opinion would be to allow the plugins.
Can we have an environment variable like COMPOSER_ALLOW_ALL_PLUGINS for this in non-tty environments?

You can set "composer global config allow-plugins true" to allow all global plug-ins, which would simplify/speed up your fix. That only applies to the globally installed ones though.

"composer config -g allow-plugins true" should allow all plug-ins to run always, but IMO this isn't a decision you should make for users. There are security implications in CI as well, you may have sensitive tokens in env etc.
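
As an added example (not code from setup-php, Composer or anyone in this thread), a small audit of the two allow-plugins scopes this issue turns on: it shows why a project-level allow-list does not cover a globally installed tool, and flags the blanket "allow-plugins true" setting discussed above. The sample configs are constructed, and the fnmatch wildcard handling is an assumption that only approximates Composer's own pattern matching.

```python
"""Audit Composer allow-plugins config for a globally installed tool.

Added example, not code from setup-php, Composer or this thread. Composer 2.2+
reads allow-plugins from the scope a plugin is installed in: the project's
composer.json for project dependencies, COMPOSER_HOME/config.json for tools
installed with `composer global require`. A project-level allow-list therefore
does not cover a global symfony/flex, which is the bug reported above.
"""
import fnmatch
import json

# Constructed sample configs: the project allows symfony/flex, but the global
# config (where the tool actually lives) says nothing about it.
PROJECT_JSON = '{"config": {"allow-plugins": {"symfony/flex": true}}}'
GLOBAL_JSON = '{"config": {}}'
# Assumed shape of COMPOSER_HOME/config.json after running
# `composer global config --no-plugins allow-plugins.symfony/flex true`.
GLOBAL_JSON_FIXED = '{"config": {"allow-plugins": {"symfony/flex": true}}}'


def decision(config_text: str, plugin: str) -> str:
    """Return "allowed", "blocked" or "unconfigured" for one config scope.

    allow-plugins may be true (allow all), false (block all) or a map of
    package-name pattern -> bool. Wildcards are approximated with fnmatch,
    an assumption rather than Composer's own matcher.
    """
    allow = json.loads(config_text).get("config", {}).get("allow-plugins")
    if allow is True:
        return "allowed"
    if allow is False:
        return "blocked"
    if isinstance(allow, dict):
        for pattern, permitted in allow.items():
            if fnmatch.fnmatchcase(plugin, pattern):
                return "allowed" if permitted else "blocked"
    return "unconfigured"


def audit(project_text: str, global_text: str, plugin: str, global_tool: bool) -> list[str]:
    """Findings a CI job should act on before the Composer step runs."""
    findings = []
    scope, text = ("global config", global_text) if global_tool else ("composer.json", project_text)
    verdict = decision(text, plugin)
    if verdict != "allowed":
        findings.append(f"{plugin} is {verdict} in {scope}; Composer will block it")
    for scope, text in (("composer.json", project_text), ("global config", global_text)):
        if json.loads(text).get("config", {}).get("allow-plugins") is True:
            findings.append(f"{scope} sets allow-plugins to true: every plugin runs, with CI secrets in the environment")
    return findings
```

Running audit with global_tool=True against the constructed configs reports symfony/flex as unconfigured in the global scope, which is exactly the warning quoted in the issue; after the global config fix it reports nothing.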

@eliashaeussler
Sponsor

eliashaeussler commented Jul 20, 2022

Hi @shivammathur, I still have the problem that the allow-plugins option is not properly configured when installing the composer-unused tool in version 0.7.x. A verbose output can be seen here:

https://github.com/eliashaeussler/cache-warmup/runs/7429040918?check_suite_focus=true#step:3:159

It says:

Error: icanhazstring/composer-unused contains a Composer plugin which is blocked by your allow-plugins config. You may add it to the list if you consider it safe.

Edit: Tested with v2 and master, output is generated by using the verbose tag.

@shivammathur
Owner

@eliashaeussler
Fixed in 66f2447, it is in develop right now. I will create a patch release later this week.

@eliashaeussler
Sponsor

@eliashaeussler Fixed in 66f2447, it is in develop right now. I will create a patch release later this week.

@shivammathur Thanks for the quick fix! Works like a charm 🎉

@eliashaeussler
Sponsor

@eliashaeussler Fixed in 66f2447, it is in develop right now. I will create a patch release later this week.

Hi @shivammathur, can you already say when there will be a new release?

@shivammathur
Owner

@eliashaeussler Sorry for the delay, released 2.21.1 with the fix.

@eliashaeussler
Sponsor

@shivammathur Thanks!
