<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Nick Harin</title>
    <description>The latest articles on DEV Community by Nick Harin (@k2gl).</description>
    <link>https://dev.to/k2gl</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3981443%2F101c460d-91af-441e-abea-de27955e2dc0.jpeg</url>
      <title>DEV Community: Nick Harin</title>
      <link>https://dev.to/k2gl</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/k2gl"/>
    <language>en</language>
    <item>
      <title>Verify your Composer dependencies' provenance</title>
      <dc:creator>Nick Harin</dc:creator>
      <pubDate>Sun, 05 Jul 2026 19:11:25 +0000</pubDate>
      <link>https://dev.to/k2gl/verify-your-composer-dependencies-provenance-45je</link>
      <guid>https://dev.to/k2gl/verify-your-composer-dependencies-provenance-45je</guid>
      <description>&lt;p&gt;When the xz backdoor landed in 2024, it was a wake-up call for every package&lt;br&gt;
ecosystem: the code you install is only as trustworthy as the pipeline that built&lt;br&gt;
it. PHP is no exception. Run &lt;code&gt;composer install&lt;/code&gt; and you pull down code from dozens&lt;br&gt;
of repositories — but nothing checks &lt;em&gt;who&lt;/em&gt; built each package, or whether the&lt;br&gt;
archive you received is the one its maintainer actually published.&lt;/p&gt;

&lt;p&gt;&lt;code&gt;composer.lock&lt;/code&gt; doesn't solve this. It pins a &lt;code&gt;dist&lt;/code&gt; hash, so it verifies you got&lt;br&gt;
the &lt;em&gt;same bytes&lt;/em&gt; every time — but it says nothing about &lt;em&gt;where those bytes came&lt;br&gt;
from&lt;/em&gt;. If an attacker publishes a malicious release, the lock file faithfully pins&lt;br&gt;
the malicious hash. Integrity is not provenance.&lt;/p&gt;

&lt;p&gt;The rest of the software world has an answer to this now: &lt;strong&gt;Sigstore&lt;/strong&gt; and&lt;br&gt;
&lt;strong&gt;build-provenance attestations&lt;/strong&gt;. npm ships Sigstore-signed provenance. GitHub&lt;br&gt;
Actions can attest any build artifact, recording a signed statement — "this&lt;br&gt;
artifact was built by &lt;em&gt;this workflow&lt;/em&gt; in &lt;em&gt;this repository&lt;/em&gt;" — in a public&lt;br&gt;
transparency log. Until recently, PHP had no way to produce or consume any of it.&lt;/p&gt;

&lt;p&gt;This post shows the whole loop working end to end, on real packages.&lt;/p&gt;
&lt;h2&gt;
  
  
  The one subtlety that matters: attest the zipball
&lt;/h2&gt;

&lt;p&gt;Here's the trap that makes naïve provenance for Composer &lt;em&gt;silently useless&lt;/em&gt;.&lt;/p&gt;

&lt;p&gt;Most "sign your release" setups attest a &lt;strong&gt;release tarball&lt;/strong&gt; — the output of&lt;br&gt;
&lt;code&gt;git archive&lt;/code&gt;, uploaded as a GitHub release asset. But Composer doesn't install&lt;br&gt;
that. It installs the &lt;strong&gt;dist zipball&lt;/strong&gt;: &lt;code&gt;api.github.com/repos/{owner}/{repo}/zipball/{commit}&lt;/code&gt;&lt;br&gt;
— a different artifact with a different digest. Attest the tarball and your&lt;br&gt;
attestation covers a file &lt;em&gt;nobody installs&lt;/em&gt;. A verifier checking what Composer&lt;br&gt;
actually downloaded finds nothing.&lt;/p&gt;

&lt;p&gt;The fix is to attest the exact zipball Composer fetches. Its digest is&lt;br&gt;
reproducible for a given commit, and — crucially — the commit is the same&lt;br&gt;
reference Packagist records as the package's &lt;code&gt;dist&lt;/code&gt;. Attest &lt;em&gt;that&lt;/em&gt;, and the&lt;br&gt;
attestation covers the bytes that land in &lt;code&gt;vendor/&lt;/code&gt;.&lt;/p&gt;
&lt;h2&gt;
  
  
  Signing: one line in your release workflow
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://github.com/k2gl/composer-attest-action" rel="noopener noreferrer"&gt;&lt;code&gt;k2gl/composer-attest-action&lt;/code&gt;&lt;/a&gt; is&lt;br&gt;
a GitHub Action that does exactly this — it attests both the tarball and the dist&lt;br&gt;
zipball. Drop it into a workflow that runs on version tags:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;name&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Attest&lt;/span&gt;
&lt;span class="na"&gt;on&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;push&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;tags&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;[&lt;/span&gt;&lt;span class="s1"&gt;'&lt;/span&gt;&lt;span class="s"&gt;[0-9]*.[0-9]*.[0-9]*'&lt;/span&gt;&lt;span class="pi"&gt;]&lt;/span&gt;
&lt;span class="na"&gt;permissions&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;id-token&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;write&lt;/span&gt;        &lt;span class="c1"&gt;# request the Sigstore signing certificate&lt;/span&gt;
  &lt;span class="na"&gt;attestations&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;write&lt;/span&gt;    &lt;span class="c1"&gt;# record the attestation&lt;/span&gt;
  &lt;span class="na"&gt;contents&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;write&lt;/span&gt;        &lt;span class="c1"&gt;# attach signed assets to the release&lt;/span&gt;
&lt;span class="na"&gt;jobs&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="na"&gt;attest&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
    &lt;span class="na"&gt;runs-on&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;ubuntu-latest&lt;/span&gt;
    &lt;span class="na"&gt;steps&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;uses&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;actions/checkout@v4&lt;/span&gt;
        &lt;span class="na"&gt;with&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;{&lt;/span&gt; &lt;span class="nv"&gt;persist-credentials&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="nv"&gt;false&lt;/span&gt; &lt;span class="pi"&gt;}&lt;/span&gt;
      &lt;span class="pi"&gt;-&lt;/span&gt; &lt;span class="na"&gt;uses&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;k2gl/composer-attest-action@v1&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;On every version tag it builds and attests the tarball, fetches and attests the&lt;br&gt;
Composer dist zipball, and records both in Sigstore's public transparency log —&lt;br&gt;
bound to your repository's GitHub Actions identity. No keys to manage; the signing&lt;br&gt;
certificate is short-lived and issued against your workflow's OIDC token.&lt;/p&gt;
&lt;h2&gt;
  
  
  Verifying: at install time
&lt;/h2&gt;

&lt;p&gt;&lt;a href="https://github.com/k2gl/composer-attest" rel="noopener noreferrer"&gt;&lt;code&gt;k2gl/composer-attest&lt;/code&gt;&lt;/a&gt; is a Composer&lt;br&gt;
plugin that verifies these attestations as packages are downloaded:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;composer require &lt;span class="nt"&gt;--dev&lt;/span&gt; k2gl/composer-attest
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;As Composer downloads each package, the plugin hashes the dist, asks GitHub for an&lt;br&gt;
attestation bound to that digest, and verifies the Sigstore bundle — checking the&lt;br&gt;
certificate chain, the transparency-log inclusion, and that the signing identity is&lt;br&gt;
a GitHub Actions workflow of the package's own repository. Configure how strict it&lt;br&gt;
is in &lt;code&gt;composer.json&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight json"&gt;&lt;code&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="nl"&gt;"extra"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="nl"&gt;"k2gl-attest"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="p"&gt;{&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"mode"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="s2"&gt;"enforce"&lt;/span&gt;&lt;span class="p"&gt;,&lt;/span&gt;&lt;span class="w"&gt;
      &lt;/span&gt;&lt;span class="nl"&gt;"require-attestation"&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;&lt;span class="kc"&gt;false&lt;/span&gt;&lt;span class="w"&gt;
    &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
  &lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;span class="p"&gt;}&lt;/span&gt;&lt;span class="w"&gt;
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;In &lt;code&gt;warn&lt;/code&gt; mode it reports and continues; in &lt;code&gt;enforce&lt;/code&gt; it fails the install on a&lt;br&gt;
bad attestation. Under the hood it reuses&lt;br&gt;
&lt;a href="https://github.com/k2gl/sigstore-verify" rel="noopener noreferrer"&gt;&lt;code&gt;k2gl/sigstore-verify&lt;/code&gt;&lt;/a&gt;, a pure-PHP&lt;br&gt;
Sigstore verifier that passes the official sigstore-conformance suite.&lt;/p&gt;
&lt;h2&gt;
  
  
  Does it work? Here's the proof
&lt;/h2&gt;

&lt;p&gt;The entire k2gl package family attests its dist zipball on every release. Verifying&lt;br&gt;
one against the live GitHub attestations API:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;dsse zipball — hasAttestation: yes, verified: YES (k2gl/dsse)
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The plugin even verifies &lt;em&gt;itself&lt;/em&gt;: &lt;code&gt;composer-attest&lt;/code&gt;'s own release is attested by&lt;br&gt;
&lt;code&gt;composer-attest-action&lt;/code&gt;, and the plugin confirms its own provenance. The loop is&lt;br&gt;
closed — sign with the Action, verify with the plugin, on real published packages.&lt;/p&gt;

&lt;h2&gt;
  
  
  The honest caveat
&lt;/h2&gt;

&lt;p&gt;The verification is real, but adoption is a chicken-and-egg problem worth stating&lt;br&gt;
plainly. Today almost no package on Packagist attests its dist zipball, so for a&lt;br&gt;
typical project the plugin will mostly report "no attestation." That's not a bug in&lt;br&gt;
the plugin — it's the state of the ecosystem. The plugin verifies whatever &lt;em&gt;is&lt;/em&gt;&lt;br&gt;
attested; the more maintainers add the Action, the more it can check.&lt;/p&gt;

&lt;p&gt;That's why the Action matters as much as the plugin: it makes attesting a one-line&lt;br&gt;
change, so the pool of verifiable packages can grow. The endgame is registry-level&lt;br&gt;
support — if Packagist hosts attestations directly, client-side verification&lt;br&gt;
becomes the default for the whole registry, and these tools verify it with no&lt;br&gt;
changes.&lt;/p&gt;

&lt;h2&gt;
  
  
  Links
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;Sign your package: &lt;a href="https://github.com/k2gl/composer-attest-action" rel="noopener noreferrer"&gt;&lt;code&gt;k2gl/composer-attest-action&lt;/code&gt;&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;Verify what you install: &lt;a href="https://github.com/k2gl/composer-attest" rel="noopener noreferrer"&gt;&lt;code&gt;k2gl/composer-attest&lt;/code&gt;&lt;/a&gt;
&lt;/li&gt;
&lt;li&gt;The verifier underneath: &lt;a href="https://github.com/k2gl/sigstore-verify" rel="noopener noreferrer"&gt;&lt;code&gt;k2gl/sigstore-verify&lt;/code&gt;&lt;/a&gt;
&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>php</category>
      <category>security</category>
      <category>devops</category>
      <category>opensource</category>
    </item>
    <item>
      <title>A PHP starter where the promises are CI jobs, not README adjectives</title>
      <dc:creator>Nick Harin</dc:creator>
      <pubDate>Fri, 12 Jun 2026 14:40:08 +0000</pubDate>
      <link>https://dev.to/k2gl/a-php-starter-where-the-promises-are-ci-jobs-not-readme-adjectives-4820</link>
      <guid>https://dev.to/k2gl/a-php-starter-where-the-promises-are-ci-jobs-not-readme-adjectives-4820</guid>
      <description>&lt;p&gt;Most project skeletons are demos: they run &lt;code&gt;composer install&lt;/code&gt;, serve a hello&lt;br&gt;
page, and stop where your actual work begins. We took the opposite route —&lt;br&gt;
&lt;strong&gt;Pragmatic FrankenPHP&lt;/strong&gt; is the template real production projects actually&lt;br&gt;
grew out of, with the lessons ported back. About 25 of the first 40 commits&lt;br&gt;
of the first product built on it were infrastructure repair; every one of&lt;br&gt;
those commits is now pre-paid in the template.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;&lt;a href="https://github.com/k2gl/pragmatic-franken" rel="noopener noreferrer"&gt;github.com/k2gl/pragmatic-franken&lt;/a&gt;&lt;/strong&gt; — PHP 8.5, Symfony 8, FrankenPHP worker&lt;br&gt;
mode, PostgreSQL 17, Vertical Slices + CQRS over Messenger, MIT.&lt;/p&gt;

&lt;h2&gt;
  
  
  Claims you can check, not believe
&lt;/h2&gt;

&lt;p&gt;Every marketing sentence in the README is backed by a required CI job:&lt;/p&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;"The production image boots."&lt;/strong&gt; The &lt;code&gt;prod-image&lt;/code&gt; job builds the real
&lt;code&gt;php_prod&lt;/code&gt; target on every PR, runs it against Postgres+Redis and asserts
&lt;code&gt;/ready&lt;/code&gt; returns &lt;code&gt;{"ok":true,"db":true,"redis":true}&lt;/code&gt;. (When we added this
job, it immediately found three independent reasons the previous image
could never start. That's the point.)&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;"AI agents land green here."&lt;/strong&gt; The &lt;code&gt;agent-smoke&lt;/code&gt; job scaffolds a vertical
slice with the same generator agents use (&lt;code&gt;make slice&lt;/code&gt;) and requires it to
pass Pint + PHPStan level 10 + tests with zero manual edits. On its very
first run it caught a code-style drift in the scaffolder.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;"You can verify what you deploy."&lt;/strong&gt; Release images carry SLSA build
provenance (GitHub Artifact Attestations, keyless). The deploy script can
refuse unverified images, and &lt;code&gt;bin/console app:verify-attestation&lt;/code&gt; verifies
any artifact &lt;strong&gt;offline in pure PHP&lt;/strong&gt; (k2gl/sigstore-verify — passes the
official sigstore-conformance suite). The test suite commits a real signed
artifact and proves fail-closed behavior: one tampered byte → rejected.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;"Docs don't lie."&lt;/strong&gt; &lt;code&gt;make docs-check&lt;/code&gt; is a CI gate that greps every
claimed route, make target and ADR reference against the codebase. The
agent-facing context file (AGENTS.md, ≤2000 tokens, budget-linted) cannot
silently drift from reality.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  What's actually inside
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;A &lt;strong&gt;real example vertical&lt;/strong&gt;: Task entity → migration → typed repository →
Foundry factory → validated 422 problem+json → e2e tests → async
&lt;code&gt;TaskCompleted&lt;/code&gt; event → Mercure publish to the &lt;code&gt;/tasks&lt;/code&gt; topic. Delete it with one
flag when you start your own domain (&lt;code&gt;make init name=my-app prune=1&lt;/code&gt;).&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;SharedKernel&lt;/strong&gt; ported from production: typed &lt;code&gt;DoctrineRepository&amp;lt;T&amp;gt;&lt;/code&gt;
(PHPStan level 10, zero magic), RFC 9457 problem+json listeners, worker
heartbeat for container healthchecks.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;A deploy story that ends in production&lt;/strong&gt;: blue-green rollout gated on
&lt;code&gt;/ready&lt;/code&gt; (a failing container never replaces the old one), pre-migration
dumps, encrypted off-site backups with a documented restore drill, front
Caddy with dynamic upstreams — all on one cheap VDS.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Parallel agent sessions&lt;/strong&gt;: &lt;code&gt;dev/worktree.sh&lt;/code&gt; spins isolated stacks (own
branch, own docker project, own port slot) so several Claude/Codex sessions
work without colliding.&lt;/li&gt;
&lt;li&gt;Opt-in recipes instead of bloat: JWT auth (production-proven configs),
feature flags, SPA frontend, PR preview environments.&lt;/li&gt;
&lt;/ul&gt;

&lt;h2&gt;
  
  
  Non-goals (on purpose)
&lt;/h2&gt;

&lt;p&gt;No auth in core (it's a product decision — recipe included), no bundled SPA,&lt;br&gt;
no Kubernetes, no multi-DB. A template that won't say "no" accretes&lt;br&gt;
everything and dies.&lt;/p&gt;

&lt;h2&gt;
  
  
  Try it
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;gh repo create my-app &lt;span class="nt"&gt;--template&lt;/span&gt; k2gl/pragmatic-franken &lt;span class="nt"&gt;--clone&lt;/span&gt; &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; &lt;span class="nb"&gt;cd &lt;/span&gt;my-app
make &lt;span class="nb"&gt;install&lt;/span&gt; &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; make init &lt;span class="nv"&gt;name&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;my-app &lt;span class="o"&gt;&amp;amp;&amp;amp;&lt;/span&gt; make smoke
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;





&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="c"&gt;# or straight from Packagist:&lt;/span&gt;
composer create-project k2gl/pragmatic-franken my-app
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;Feedback welcome — especially the critical kind. All 17 architecture&lt;br&gt;
decision records are in the repo.&lt;/p&gt;

</description>
      <category>php</category>
      <category>symfony</category>
      <category>devops</category>
      <category>ai</category>
    </item>
  </channel>
</rss>
