Tinkerwell 4 is out now! Get the most popular PHP Scratchpad application. Learn more

Go back to Blog

Using GitHub actions with private composer dependencies

Marcel Pociot

Using GitHub actions with private composer dependencies like Laravel Spark

In a project we're currently working on, we are running our tests within GitHub Actions. This is work workflow YML that we are using:

name: Laravel

    branches: [ main ]
    branches: [ main ]


    runs-on: ubuntu-latest

    - uses: shivammathur/setup-php@15c43e89cdef867065b0213be354c2841860869e
        php-version: '8.0'
    - uses: actions/checkout@v2
    - name: Copy .env
      run: php -r "file_exists('.env') || copy('.env.example', '.env');"auth.json
    - name: Install Dependencies
      run: composer install -q --no-ansi --no-interaction --no-scripts --no-progress --prefer-dist
    - name: Generate key
      run: php artisan key:generate
    - name: Directory Permissions
      run: chmod -R 777 storage bootstrap/cache
    - name: Create Database
      run: |
        mkdir -p database
        touch database/database.sqlite
    - name: Execute tests (Unit and Feature tests) via PHPUnit
        DB_CONNECTION: sqlite
        DB_DATABASE: database/database.sqlite
      run: vendor/bin/pest

This all worked great, until we installed a private repository into our application. In our case it was Laravel Spark. As this is a private repository, our GitHub Actions workflow was unable to install the composer dependencies, as it does not know about the correct credentials.

Here's how you can fix this:

When authenticating with a private repository through Composer, you will have a local file called auth.json. This file is either in your repository folder itself, or within your home directory.

The file looks something like this (using Laravel Spark as an example):

    "http-basic": {
        "spark.laravel.com": {
            "username": "[email protected]",
            "password": "my-spark-api-key"

Of course, we could just add this auth.json file to version control, but this would be a security risk - as anyone that has read access to your repository, can see your credentials.

Instead, we can modify our GitHub Actions workflow to use a GitHub secret, containing the auth JSON string. Just add this snippet before the composer install command:

- name: Add HTTP basic auth credentials
  run: echo '${{ secrets.COMPOSER_AUTH_JSON }}' > $GITHUB_WORKSPACE/auth.json

Now all we need to do, is create a GitHub encrypted secret for our repository, called COMPOSER_AUTH_JSON and paste the content of your local auth.json file.

This secret will then be stored encrypted at GitHub and once our GitHub Action is running, it simply writes the content of this secret to a auth.json file.

And that's it - our GitHub Action is working again.

Hopefully this blog post saved you some time, figuring out how to use private composer repositories within GitHub Actions