How to add private github repository as Composer dependency
I have the following in my Laravel 5.1 projects composer.json to add a public github repository as a dependency.
...
"repositories": [
{
"type": "package",
"package": {
"name": "myVendorName/my_private_repo",
"version": "1.2.3",
"source": {
"type" : "git",
"url" : "git://github.com/myVendorName/my_private_repo.git",
"reference" : "master"
},
"dist": {
"url": "https://github.com/myVendorName/my_private_repo/archive/master.zip",
"type": "zip"
}
}
}
],
"require": {
....
"myVendorName/my_private_repo": "*",
},
...
This works as long as the repository is public. Now I've set this repository to private. The git credentials I use for pulling/pushing to 'my_private_repo' are the one of a colaborator of the project. How can I achieve that composer pulls from that private repository when I run composer update or composer install?
Solution 1:
Work with private repositories at GitHub and BitBucket:
JSON
{
"require": {
"vendor/my-private-repo": "dev-master"
},
"repositories": [
{
"type": "vcs",
"url": "[email protected]:vendor/my-private-repo.git"
}
]
}
The only requirement is the installation of SSH keys for a git client.
Docs
Solution 2:
I hope my answer does not come too late as i just learned this my self.
Generating a ssh key
You can generate n+1 ssh keys with ssh-keygen command. Make sure you do this in the server!
➜ ~ cd ~/.ssh
➜ .ssh ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): repo1
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in repo1.
Your public key has been saved in repo1.pub.
The key fingerprint is:
SHA256:EPc79FoaidfN0/PAsjSAZdomex2J1b/4zUR6Oj7IV2o user@laptop
The key's randomart image is:
+---[RSA 2048]----+
| . . o .. |
| o B o .. |
| . + B o . |
| . * B = .o|
| S B O B+o|
| o B =.+*|
| o....Bo|
| o E.o|
| +.o |
+----[SHA256]-----+
After using the ssh-keygen command you will be prompted for the filename and passphrase. You need a key for each private repository you're going to use as composer dependency. In this example the repo1 is the filename.
Make sure you leave the passphrase and confirmation empty.
Configuring the ssh to pick up the correct key
In servers ~/.ssh/config file you can assign an alias for each GitHub repository. Otherwise composer tries to use the default id_rsa.
Host repo1
HostName github.com
User git
IdentityFile ~/.ssh/repo1
IdentitiesOnly yes
Host repo2
HostName github.com
User git
IdentityFile ~/.ssh/repo2
IdentitiesOnly yes
Configuring Composer
In projects composer.json file you need to add the repositories you want as dependencies:
"repositories": [
{
"type": "vcs",
"url": "repo1:YourAccount/repo1.git"
},
{
"type": "vcs",
"url": "repo2:YourAccount/repo2.git"
}
],
repo1 and repo2 are the aliases you created in ~/ssh/config file. The full GitHub ssh url for repo1 would be:
[email protected]:YourAccount/repo1.git
And now you should be set for good. You can now require your dependencies:
composer require youraccount/repo1 -n
composer require youraccount/repo2 -n
NB! When using GitHub repositories as composer dependencies you always need to add -n to each composer command.
Solution 3:
1. Point to the Git repository
Update composer.json and add a repository:
"repositories":[
{
"type": "vcs",
"url": "[email protected]:vendor/secret.git"
}
]
2. Create an SSH key
Create an SSH Key on the machine on which you want to install the package.
If you are working on a development machine, you probably want to add the SSH key to your GitHub/BitBucket/GitLab account. This gives access to all private repositories that your account has access to.
For more information on how to add Github, Bitbucket or Gitlab SSH keys, see this excellent article
In case you are configuring a deployment server, it would be better to configure an access key or deploy key. An access key only provides access to a single repository and thus allows for more specific access management.
3. Run composer
Now just composer require or composer install
the package as usual.