Solving issues with CI/CD Pipelines and Composer 2.7.0

Photo by Dayne Topkin on Unsplash

In Deploying to Acquia Cloud with Bitbucket Pipelines, we discussed setting up Bitbucket Pipelines to construct a CI/CD environment that runs composer install and gulp to build the code and then pushes the built code to our client's Acquia Cloud instance.

We recently uncovered an issue with our pipelines caused by changes in Composer 2.7.0 that caused our pipeline process to push incorrectly built code.


If your code is not building correctly and your Drupal dependencies are installing into vendor/drupal/, check the version of Composer being used to build your code. If it is >=2.7.0, add export COMPOSER_ALLOW_SUPERUSER=1 to your build script directly before your composer commands.


Composer-based Drupal sites rely on Composer plugins such as composer/installers and drupal/core-composer-scaffold to ensure that dependencies get installed into a folder structure necessary for the Drupal site to run, usually in docroot/ or web/ depending on your desired web root.

Specifying the web root in the project's composer.json file tells drupal/core-composer-scaffold where in the folder structure to place files that are included as part of the Drupal core package.

A screenshot of the Drupal scaffold section of the Composer JSON file in a Drupal project


Including the composer/installers plugin in your composer.json file and populating the installer-paths section ensures that Drupal core, contributed modules and themes get built in the correct place in the folder structure.

A screenshot of the installer paths section of the Composer JSON file used in a Drupal project.


The issue

If these two plugins are not in use, Drupal core and any contributed modules, libraries or themes get installed into the vendor/drupal/ folder in the repository. When that code gets pushed, Acquia Cloud doesn't see a valid site installed as the necessary files and folders are not where it expects to find them. Instead we get the Install Drupal screen.

Changes to Composer in response to a security vulnerability meant that from version 2.7.0, if you were running composer install "unattended" as a super-user, e.g. in a Bitbucket or GitLab pipeline, then Composer plugins are disabled by default.

The fix

Composer 2.7.1 was quickly released after 2.7.0, adding a warning about this and directing you how to fix the issue. The following warning is output:

Composer plugins have been disabled for safety in this non-interactive session. Set COMPOSER_ALLOW_SUPERUSER=1 if you want to allow plugins to run as root/superuser.

(See the Github issue #11839 Composer 2.7.0 usage with root user leads to plugins not being loaded for more information.)

In our case, we needed to update our file to set the  COMPOSER_ALLOW_SUPERUSER environment variable to  1.

A screenshot of a bash script used as part of the build process for a Bitbucket pipeline on a Drupal site


Once we had done this, Composer used the correct plugins and built the project code correctly, which was then pushed to Acquia Cloud, and the site operated as expected.

A note on caching

We didn't experience this issue on all git branches on projects, just new ones. This was because the Bitbucket and Gitlab CI/CD environments associated with existing branches were still using cached versions of Composer.