I came across the no-api flag in a related thread and was very happy to see it speed up our composer updates by 3x. From what I can see in the generated composer.json it still uses the GitHub API to generate a dist url.
My question regards how exactly Composer handles this internally and if we can be 100% sure that the dist file will use git GitHub API URL in the future, since we only have GitHub OAuth token set up on our deployment machines and no SSH keys.
"time": "2016-04-20 14:49:24"
I find the topic and issue a bit conflicting. What exactly is your question?
@alcohol By specifying "no-api": true, I assume this turns off any connection to the GitHub API in Composer.
That's why I'm surprised to find this in the lockfile:
Why exactly does it refer to api.github.com if I specified "no-api": true ?
Hope that makes it clearer.
no-api means that it will clone the repo to extract metadata from the git metadata instead of using the github API (using the github API can be faster than cloning the repo, especially when the repo is huge).
This does not change the fact that dist archives provided by github are shipped through an endpoint on api.github.com.
@stof Thanks for your answer. What is the mechanism in which GitHub specifies the dist archives? (ie, how is it calculated?)
I don't understand what you mean
@stof How does Composer know that the dist is located at api.github.com?
If we see the repo is a github URL, and it uses the GitHubDriver to collect metadata, then it knows how to build dist archive URLs that point to the API. It sounds fairly safe to me to rely on this behavior. For safety though you should make sure that deployment aborts if composer install fails, because even if the URLs remain valid, the github API might be down.