
.gitignore for PHP Projects

Style PHP 5.0+ Beginner
debt(d7/e3/b5/t5)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). The detection_hints list git and gitleaks — gitleaks can catch committed secrets, and git status/log can reveal committed vendor/ or .env files, but these require deliberate inspection or CI pipeline setup. The violation is not caught by a default linter or compiler; a developer must run a specialist tool like gitleaks or notice during code review that vendor/ or .env is tracked. Slightly better than d9 because gitleaks and git tooling can automate detection if configured.

e3 Effort Remediation debt — work required to fix once spotted

Closest to 'simple parameterised fix' (e3). The quick_fix is clear: add a GitHub PHP gitignore template. However, if vendor/ or .env has already been committed, the fix requires more than one line — you must add the .gitignore entries AND run `git rm -r --cached vendor/` (or equivalent) to untrack already-committed files, then potentially rotate any exposed secrets. This is a small multi-step fix within one component (the repo root), not a single-line patch, placing it at e3.

b5 Burden Structural debt — long-term weight of choosing wrong

Closest to 'persistent productivity tax' (b5). A missing or incomplete .gitignore affects every developer and every PR on the project — noisy diffs from generated files, merge conflicts from vendor/, and risk of secret exposure persist across all work streams. It applies to web and cli contexts broadly. It doesn't reshape the entire architecture (not b7+), but it is a continuous drag on every contributor and CI pipeline, making b5 the right anchor.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap — a documented gotcha most devs eventually learn' (t5). The misconception field explicitly states that developers believe committing vendor/ speeds up CI, when in fact it bloats history and causes conflicts. This is a well-known gotcha in the PHP community (composer.lock vs vendor/) that most developers encounter and learn. It's not a catastrophic or architecture-level trap, but it contradicts a seemingly reasonable intuition about convenience, placing it firmly at t5.


Also Known As

.gitignore PHP, PHP gitignore, ignore vendor

TL;DR

A well-structured PHP .gitignore excludes vendor/, generated files, IDE configs, .env secrets, and OS artifacts from version control.

Explanation

A PHP project's .gitignore should exclude:

  • Dependencies: vendor/ (reinstallable via composer install; never commit).
  • Environment: .env (contains secrets; commit .env.example instead), .env.local, .env.*.local.
  • Build outputs: /public/build/, /public/hot, /storage/*.key.
  • IDE files: .idea/, .vscode/, *.suo, .DS_Store, Thumbs.db.
  • Cache and logs: /var/cache/, /var/log/, /storage/logs/, /storage/framework/cache/.
  • Test artefacts: .phpunit.result.cache, /coverage/.
  • Generated files: bootstrap/cache/*.php (Laravel), var/ (Symfony).

Commit composer.lock (ensures reproducible installs) but not composer.phar. Use a global ~/.gitignore_global for IDE-specific patterns so they don't pollute the per-project .gitignore with personal tooling preferences.

Common Misconception

Misconception: the vendor/ directory can be committed to speed up CI. In fact, committing vendor/ bloats the repository history, causes enormous merge conflicts, and means dependency updates are not tracked semantically. composer.lock achieves reproducibility without committing thousands of dependency files.

Why It Matters

A proper .gitignore prevents committing sensitive files (.env, credentials), generated files (vendor/, cache/), and IDE metadata — keeping the repository clean and secrets out of version control.

Common Mistakes

  • Not ignoring .env — database passwords and API keys committed to version control.
  • Not ignoring vendor/ — bloats the repository; should be installed via composer install.
  • Not ignoring IDE files (.idea/, .vscode/) — pollutes the repo with developer-specific settings.
  • Not ignoring generated files (storage/, cache/, *.log) that change constantly and produce noisy diffs.

Code Examples

✗ Vulnerable
# Missing .gitignore entries — common PHP mistakes:
# .env committed with DB_PASSWORD=secret123
# vendor/ tracked — 50MB of dependencies in git history
# storage/logs/*.log tracked — log files in version control

# Correct .gitignore:
.env
vendor/
storage/
*.log
.idea/
.vscode/
*.cache
✓ Fixed
# .gitignore for PHP projects

# Dependencies
/vendor/

# Environment
.env
.env.local
.env.*.local

# Build artifacts
/public/build/
# public/hot is a file, so no trailing slash
/public/hot
*.phar

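# Framework caches
/bootstrap/cache/
# Ignore the contents of storage/, not the directory itself:
# git cannot re-include a file whose parent directory is excluded
/storage/*
!/storage/.gitkeep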

# IDE
.idea/
.vscode/
*.swp

# OS
.DS_Store
Thumbs.db

# Test artifacts
/coverage/
.phpunit.result.cache

# Logs
*.log

# NEVER ignore:
# composer.lock  — always commit this
# .env.example   — commit template, never the real .env
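
Adding patterns to .gitignore does not affect files that are already tracked. The following is an added example, not part of the original entry, of the multi-step fix described under e3: find tracked files that the new .gitignore matches and untrack them without deleting them. The demo repository, its contents and the function names are constructed for illustration.

```shell
#!/bin/sh
# List files that git still tracks even though .gitignore now matches them.
# -c = tracked (cached), -i = ignored, --exclude-standard = honour .gitignore
tracked_but_ignored() {
    git -C "$1" ls-files -c -i --exclude-standard
}

# Stop tracking those files; --cached leaves the working copy on disk.
untrack_ignored() {
    tracked_but_ignored "$1" | while IFS= read -r path; do
        git -C "$1" rm -q --cached -- "$path"
    done
}

# Constructed demo: .env and vendor/ were committed before any
# .gitignore existed, then the ignore rules were added afterwards.
demo_repo() {
    repo=$(mktemp -d)
    git -C "$repo" init -q
    mkdir -p "$repo/vendor/acme"
    printf 'DB_PASSWORD=example-only\n' > "$repo/.env"
    printf '<?php\n' > "$repo/vendor/acme/lib.php"
    printf '{}\n' > "$repo/composer.lock"
    git -C "$repo" add -A
    git -C "$repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m 'initial commit without .gitignore'
    printf '/vendor/\n.env\n' > "$repo/.gitignore"
    printf '%s\n' "$repo"
}
```

Untracking only affects future commits: the files remain in earlier history, so any secret that was committed in .env still needs to be rotated.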

Added 15 Mar 2026
Edited 22 Mar 2026
DEV INTEL Tools & Severity
🟢 Low ⚙ Fix effort: Low
⚡ Quick Fix
Use GitHub's PHP gitignore template as a starting point — the essential rules: /vendor/, .env (never /.env.example), /storage/, /cache/, *.log, .phpunit.cache
📦 Applies To
PHP 5.0+ web cli
🔍 Detection Hints
vendor/ committed to git; .env file committed; cache or log files in repo; IDE config files committed without .gitignore
Auto-detectable: ✓ Yes git gitleaks
🤖 AI Agent
Confidence: Medium False Positives: Low ✓ Auto-fixable Fix: Low Context: File
CWE-312

