
Bundled production dependencies only in the PHAR and pinned Box.#335

Merged

AlexSkrypnyk merged 2 commits into main from feature/docker-no-dev on Jun 20, 2026

Conversation

AlexSkrypnyk (Member) commented Jun 20, 2026

Summary

The compiled PHAR bundled development and build dependencies because box.json's finder: { in: "./" } pulled the entire vendor/ and vendor-bin/box/ trees - PHPStan, PHPUnit, Rector, and the Box toolchain itself - into the artifact. Separately, the build pulled Box with no version constraint (composer bin box require --dev humbug/box), so builds were not reproducible and the exact build-time dependency tree could not be audited. This scopes the Box finder to production code only and pins Box as a locked, isolated bin dependency. The shipped PHAR drops from 7.28 MB / 4021 files to 1.22 MB / 1005 files. Because the fix lives in the shared build (not the Dockerfile), it applies to both the Docker image and the GitHub release binary.

Changes

box.json - Scoped the Box finder from in: "./" to in: ["src", "vendor"] with exclude: ["bin"]. Combined with Box's exclude-dev-files, the PHAR now contains only the application source and production dependencies - no dev package bodies, no vendor/bin proxy scripts, and no vendor-bin/box build toolchain.

vendor-bin/box/composer.json + composer.lock - Declared and fully locked humbug/box: ^4.7 in an isolated bamarni bin namespace, so the build tool and its entire dependency tree are pinned, reproducible, auditable, and tracked by Renovate, while staying out of the application's own dependency graph (avoiding conflicts with symfony/* ^7.4).

composer.json - The build script now runs @composer bin box install (installing Box from the committed lock) instead of resolving the latest Box unpinned at build time.

.gitignore / .dockerignore - Commit the bin namespace's composer.json and composer.lock (so the pin is tracked and available to the Docker build) while keeping the installed vendor-bin/*/vendor ignored.

Before / After

Before
  PHAR      : ~7.28 MB / 4021 files - production deps + Box toolchain + PHPStan + PHPUnit + Rector + php-scoper
  Box build : "composer bin box require --dev humbug/box" - no version constraint, non-reproducible

After
  PHAR      : ~1.22 MB / 1005 files - production deps only (plus czproject/git-php's own bundled configs)
  Box build : pinned "humbug/box: ^4.7", fully locked in vendor-bin/box, installed from the lock

Summary by CodeRabbit

  • Chores
    • Updated build configuration to refine Docker and Git exclusion patterns for dependency management.
    • Modified artifact build settings to explicitly specify included source and vendor files.
    • Reorganized build tool dependencies to use a more explicit installation approach.
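The two properties the change above is meant to guarantee, a PHAR free of development packages and a build tool installed from a committed lock, are easy to regress silently, so they are worth gating in CI. The script below is an added example written for this page, not drevops/git-artifact's own code: it audits an archive listing against composer.lock's "packages-dev" (flagging dev package bodies, vendor/bin proxy scripts and any vendor-bin/ toolchain) and checks that the Box pin in the bin namespace is locked to a version satisfying its caret constraint. The lock excerpts, manifest and PHAR listings are constructed samples; the php -r one-liner in the comment for producing a real listing is an assumption about PHP's Phar API, and whether humbug/box sits under "require" or "require-dev" in vendor-bin/box/composer.json is not stated on the page, so both are accepted.

```python
"""Post-build checks for a Box-built PHAR (added example, not the project's code).

1. audit_phar(): no packages-dev bodies, no vendor/bin proxies, no vendor-bin/ toolchain.
2. check_box_pin(): the build tool declared in the bin manifest is locked at a
   version that satisfies its caret constraint.
All data below is constructed for illustration.
"""
import json
import re
from pathlib import PurePosixPath

# Constructed excerpt of the application's composer.lock.
APP_LOCK = json.loads("""{
  "packages":     [{"name": "symfony/console"}, {"name": "czproject/git-php"}],
  "packages-dev": [{"name": "phpstan/phpstan"}, {"name": "phpunit/phpunit"},
                   {"name": "rector/rector"}]
}""")

# Constructed PHAR listings. A real one is assumed to come from something like:
#   php -r '$p = new Phar($argv[1]);
#           foreach (new RecursiveIteratorIterator($p) as $f) echo $f->getPathname(), PHP_EOL;' build/app.phar
PHAR_BEFORE = [
    "phar:///build/app.phar/src/Artifact.php",
    "phar:///build/app.phar/vendor/autoload.php",
    "phar:///build/app.phar/vendor/bin/phpstan",
    "phar:///build/app.phar/vendor/symfony/console/Application.php",
    "phar:///build/app.phar/vendor/phpstan/phpstan/phpstan.phar",
    "phar:///build/app.phar/vendor/phpunit/phpunit/src/Framework/TestCase.php",
    "phar:///build/app.phar/vendor/rector/rector/bin/rector",
    "phar:///build/app.phar/vendor-bin/box/vendor/humbug/box/src/Box.php",
]
PHAR_AFTER = [
    "phar:///build/app.phar/src/Artifact.php",
    "phar:///build/app.phar/vendor/autoload.php",
    "phar:///build/app.phar/vendor/symfony/console/Application.php",
    "phar:///build/app.phar/vendor/czproject/git-php/src/Git.php",
]

# Constructed vendor-bin/box manifest and two locks (one matching, one stale).
BOX_MANIFEST = {"require": {"humbug/box": "^4.7"}}
BOX_LOCK_OK = {"packages": [{"name": "humbug/box", "version": "4.7.0"}]}
BOX_LOCK_STALE = {"packages": [{"name": "humbug/box", "version": "4.6.6"}]}


def archive_relative(path):
    """Strip the 'phar://.../name.phar/' prefix so only the in-archive path remains."""
    m = re.match(r"^phar://.*?\.phar/(.*)$", path)
    return m.group(1) if m else path


def package_of(rel):
    """Map vendor/<vendor>/<name>/... to 'vendor/name'; None for anything else."""
    parts = PurePosixPath(rel).parts
    return f"{parts[1]}/{parts[2]}" if len(parts) >= 3 and parts[0] == "vendor" else None


def audit_phar(listing, lock):
    """Classify each archive entry; 'clean' is True only when nothing dev-related is present."""
    dev = {p["name"] for p in lock.get("packages-dev", [])}
    found = {"dev_packages": set(), "bin_proxies": [], "toolchain": []}
    for raw in listing:
        rel = archive_relative(raw)
        parts = PurePosixPath(rel).parts
        if parts[:2] == ("vendor", "bin"):        # Composer proxy scripts
            found["bin_proxies"].append(rel)
        elif parts[:1] == ("vendor-bin",):        # bamarni bin namespaces (build tools)
            found["toolchain"].append(rel)
        elif package_of(rel) in dev:              # body of a packages-dev package
            found["dev_packages"].add(package_of(rel))
    found["dev_packages"] = sorted(found["dev_packages"])
    found["clean"] = not (found["dev_packages"] or found["bin_proxies"] or found["toolchain"])
    return found


def satisfies_caret(version, constraint):
    """Composer caret: ^4.7 -> >=4.7.0 <5.0.0; ^0.3 -> >=0.3.0 <0.4.0; ^0.0.3 -> >=0.0.3 <0.0.4."""
    c = re.fullmatch(r"\^(\d+)(?:\.(\d+))?(?:\.(\d+))?", constraint)
    v = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not c or not v:
        raise ValueError(f"unsupported constraint/version: {constraint} / {version}")
    low = tuple(int(x or 0) for x in c.groups())
    ver = tuple(int(x or 0) for x in v.groups())
    if low[0] > 0:
        high = (low[0] + 1, 0, 0)
    elif low[1] > 0:
        high = (0, low[1] + 1, 0)
    else:
        high = (0, 0, low[2] + 1)
    return low <= ver < high


def check_box_pin(manifest, lock, package="humbug/box"):
    """Return (ok, detail): the tool must be declared, locked, and inside its constraint."""
    constraint = manifest.get("require", {}).get(package) or manifest.get("require-dev", {}).get(package)
    if constraint is None:
        return False, f"{package} is not declared in the bin manifest"
    locked = [p for p in lock.get("packages", []) + lock.get("packages-dev", []) if p["name"] == package]
    if not locked:
        return False, f"{package} is missing from the bin composer.lock"
    version = locked[0]["version"]
    return satisfies_caret(version, constraint), f"{package} locked at {version} against {constraint}"


if __name__ == "__main__":
    for label, listing in (("before", PHAR_BEFORE), ("after", PHAR_AFTER)):
        print(label, audit_phar(listing, APP_LOCK))
    print(check_box_pin(BOX_MANIFEST, BOX_LOCK_OK))
    print(check_box_pin(BOX_MANIFEST, BOX_LOCK_STALE))
```

Wired into the build after `box compile`, `audit_phar` fails the job as soon as a finder change widens the archive again, and `check_box_pin` catches a vendor-bin/box/composer.lock that drifted away from its manifest (for example a lock left at 4.6.x after the constraint moved to ^4.7), which is exactly the reproducibility gap the unpinned `composer bin box require --dev humbug/box` left open.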

coderabbitai (bot) commented Jun 20, 2026

Walkthrough

Migrates the humbug/box build tool from a dynamic composer require --dev invocation to a vendor-bin/box/composer.json manifest pinned at ^4.7. The .gitignore and .dockerignore patterns are narrowed to vendor-bin/*/vendor, and box.json finder paths are updated to explicitly include src/vendor and exclude bin.

vendor-bin Box Dependency Migration

Layer: vendor-bin Box manifest and build script
File(s): vendor-bin/box/composer.json, composer.json
Summary: Introduces vendor-bin/box/composer.json declaring humbug/box ^4.7, and updates the scripts.build entry from @composer bin box (which ran require --dev) to @composer bin box install.

Layer: Ignore patterns and box.json finder refinement
File(s): .gitignore, .dockerignore, box.json
Summary: Narrows .gitignore from /vendor-bin to /vendor-bin/*/vendor and .dockerignore from vendor-bin to vendor-bin/*/vendor, keeping tool manifests tracked. Updates box.json finder in from "./" to ["src", "vendor"] and changes exclude from ["php-script", "tests"] to ["bin"].

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

  • drevops/git-artifact#334: Both PRs modify .dockerignore entries for vendor-bin and vendor paths as part of Docker build context configuration.

Suggested labels

Needs review

Pre-merge checks (5 passed)

Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Title check: Passed. The title accurately summarizes the main objective of the PR: bundling only production dependencies into the PHAR and pinning the Box tool version.


codecov-commenter commented Jun 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.91%. Comparing base (044824e) to head (953de4a).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #335   +/-   ##
=======================================
  Coverage   96.91%   96.91%           
=======================================
  Files           6        6           
  Lines         421      421           
=======================================
  Hits          408      408           
  Misses         13       13           


AlexSkrypnyk force-pushed the feature/docker-no-dev branch from 9be3ac4 to 953de4a on June 20, 2026 07:01
AlexSkrypnyk changed the title from "Built the Docker image with production dependencies only." to "Bundled production dependencies only in the PHAR and pinned Box." on Jun 20, 2026
AlexSkrypnyk added the "Needs review" label (Pull request needs a review from assigned developers) on Jun 20, 2026
AlexSkrypnyk merged commit d40a613 into main on Jun 20, 2026
12 checks passed
AlexSkrypnyk deleted the feature/docker-no-dev branch on June 20, 2026 07:11