Cache build process based on the lock file instead of dependencies

This is part of the Semicolon&Sons Code Diary - consisting of lessons learned on the job. You're in the testing category.

Last Updated: 2024-03-02

My circleCI build passed when I changed the version of laravel/contentful, a critical package even thought the code wasn't working. This meant that somehow the wrong version of the package was available to it (via caching) whereas it should not have been. Here was my code for circleCI:

- restore_cache:
    keys:
      - php-dependencies-{{ checksum "composer.json" }}
- run: composer install --no-interaction --prefer-dist
- save_cache:
    paths:
      - ./vendor
    key: php-dependencies-{{ checksum "composer.json" }}

The issue was my cache was based on composer.json which, at least in this codebase, only specified version number constraints loosely. I wanted to cache based on the .lock file instead:

- restore_cache:
    keys:
      - php-dependencies-{{ checksum "composer.lock" }}
- run: composer install --no-interaction --prefer-dist
- save_cache:
    paths:
      - ./vendor
    key: php-dependencies-{{ checksum "composer.lock" }}

Lesson

Cache based on lock files, not based on looser version specifications for dependencies.