(Optionally) run `composer validate` as part of the installation

[TimWolla]

My feature title

I'd like to make sure that my composer.lock is in sync with composer.json in CI.

Background/problem

While resolving a merge-conflict with two PRs changing composer.json, resulting in conflicting content-hash in composer.lock, the correct content-hash is neither of the original hashes. This lead to an an accidental bad merge, which composer reported as a warning in CI:

However this warning does not lead to a failed build and thus was missed.

Proposal/solution

composer validate will, amongst other checks, validate that the content-hash in composer.lock matches composer.json, ensuring that the two files are in sync. I'd like this command being run to make the CI fail in those cases.

Alternatives

None.

Additional context

None.

[ramsey]

Apologies for the noise. I converted this to a discussion because I thought I could embed a poll in a comment that way, but I can't. I'll have to create a separate discussion that includes a poll for some options regarding this. 😄

[ramsey]

I've created a poll in the discussions: #267

This is my first time using polls on GitHub, so we'll see how it goes.

[ramsey]

I just recalled that I'm already running composer validate, but the problem is that I use the --no-check-lock option:

composer-install/bin/composer_paths.sh

Lines 12 to 14 in e527794

	function validate_composer {
	"${php_path}" "${composer_path}" validate --no-check-publish --no-check-lock --working-dir "${working_directory}" > /dev/null 2>&1
	}

[Seldaek]

Probably should only add that if there is no lock file or if the command to run is an update because then lock file is also irrelevant.