The Challenge of Managing Multiple Client Projects
Managing dozens of Pimcore installations across clients makes tracking version updates a
significant operational challenge, especially when each project lives in its own repository across
multiple organizations. Manually checking composer.json files to identify outdated Pimcore
versions is tedious, error-prone, and doesn’t scale.
We found ourselves in situations where client projects were running versions several releases
behind, potentially missing critical security patches and performance improvements. In a
recent scan, we discovered 9 out of 10 projects needed updates, with some running entire major
versions behind the latest release.
The Cost of Falling Behind
Outdated dependencies aren’t just a technical debt problem, they’re a risk management issue.
Security vulnerabilities discovered in older versions of Pimcore could expose our clients to
threats. Performance improvements and new features in recent releases mean our clients aren’t
getting the full value of the platform. Most importantly, the longer you wait to update, the more
complex and risky the upgrade becomes. Small, incremental updates are far easier to test and
deploy than jumping across multiple major versions.
Automating Version Tracking with Azure Functions
We built the Pimcore Version Tracker to solve this problem through automation. It’s a
lightweight Azure Functions application written in C# that runs every Monday morning. The
function uses GitHub App authentication to scan all repositories we have access to across
multiple organizations. For each repository, it examines the composer.json file to identify Pimcore
installations and extract the current version number.
The application then queries Packagist (PHP’s package registry) to determine the latest stable
version of Pimcore. By comparing the current version in each project against the latest stable
release, we can instantly identify which projects need attention.
Actionable Slack Reports Every Week
Rather than storing this information in a database or generating static reports, we send the
results directly to Slack, where our development team already collaborates. The weekly report
includes a summary showing total projects scanned, how many are up to date, and crucially,
which ones need updates. Each project is listed with its current version, update status, and a
direct link to the GitHub repository.
This Slack integration means the right information reaches the right people at the right time.
Our project managers can quickly see which clients need to schedule maintenance windows.
Developers can prioritize upgrade work, and because it’s automated and recurring, nobody has
to remember to run the check—it just happens. The report clearly distinguishes between
projects forked from our internal skeleton repository versus custom implementations, helping
us prioritize upgrade strategies.
The Power of GitHub Apps for Enterprise Automation
GitHub Apps are essential to making this solution reliable and scalable. Unlike personal access
tokens tied to individual accounts, GitHub Apps provide organization-level authentication that
persists regardless of employee changes. The authentication is resilient; no more broken
automation when someone leaves the company or their token expires.
GitHub Apps offer fine-grained, scoped permissions, so our tracker only requests the minimal
read access it needs to repositories, following security best practices. Installation is
straightforward: deploy the app once, and it automatically gains access to new repositories as
they’re created across multiple organizations. This “set it and forget it” approach means the
monitoring system scales effortlessly as your project portfolio grows.
Beyond Pimcore: A Pattern for Dependency Management
While we built this specifically for Pimcore, the pattern applies to any dependency
management scenario where you’re tracking versions across multiple projects. The core
components are straightforward: source code scanning via GitHub API, version comparison
against a package registry (Packagist, npm, NuGet, etc.), and notification via Slack. The
architecture is simple enough that teams can adapt it to track other frameworks or libraries
they need to keep updated across their project portfolio.
Technical Details
The solution is built with:
• .NET 8.0 Isolated Worker for Azure Functions
• Octokit for GitHub API integration
• GitHub App authentication for secure, scalable access
• Packagist API for Pimcore version checking
• Slack Block Kit for rich, formatted notifications
• Timer trigger scheduled via cron expression (weekly on Monday mornings)
The tracker also identifies whether projects are forked from our internal Pimcore skeleton
repository by examining docker-compose files for specific init container patterns. This
classification helps us understand which projects follow our standardized architecture versus
custom implementations that may require different upgrade approaches.
Results: Proactive Instead of Reactive
Since deploying the Pimcore Version Tracker, we’ve shifted from reactive to proactive project
maintenance, giving both our team and our clients complete visibility and confidence. We no
longer discover during a client call that a project is running an outdated version. Security
updates are applied faster because we know exactly which projects are affected. Upgrade
planning is easier because we have centralized visibility into our entire project portfolio. Most
importantly, our clients benefit from more secure, performant, and feature-rich Pimcore
installations.
The entire solution runs in Azure Functions on a consumption plan, costing just pennies per
month. The development effort was minimal—under a day to build the initial version. But the
operational value has been significant, giving us confidence that we’re staying on top of our
technical responsibilities to our clients.
At TORQ, we don’t just build Pimcore solutions; we actively manage and evolve them, because staying current is how you stay ahead.
If you’re struggling to keep up with updates, don’t hesitate to contact TORQ.
