Composer "Could not authenticate against github.com" in CI
Composer uses the GitHub API to fetch package metadata and dist archives. Unauthenticated requests share a low hourly rate limit; once exhausted, GitHub returns 403 and Composer reports it could not authenticate. Supplying a token via COMPOSER_AUTH raises the limit and enables private access.
What this error means
composer install fails with "Could not authenticate against github.com" or "Could not fetch ..., enter your GitHub credentials to go over the API rate limit".
Could not fetch https://api.github.com/repos/vendor/pkg/zipball/abc123, please
create a GitHub OAuth token to go over the API rate limit
Could not authenticate against github.comCommon causes
Unauthenticated API requests hit the rate limit
Without a token, Composer shares the anonymous GitHub API limit, which CI exhausts quickly.
No COMPOSER_AUTH or github-oauth token in the job
The job never exposes a token, so Composer cannot authenticate to the GitHub API.
How to fix it
Provide a token via COMPOSER_AUTH
- Expose a token (the built-in GITHUB_TOKEN is enough for public rate limits) to the composer step.
- Set it as a github-oauth entry in
COMPOSER_AUTH. - Re-run so requests are authenticated.
- run: composer install --no-interaction
env:
COMPOSER_AUTH: '{"github-oauth":{"github.com":"${{ secrets.GITHUB_TOKEN }}"}}'Or configure the token with composer config
Set the github-oauth token before install as an alternative to the env var.
composer config --global github-oauth.github.com "$GH_TOKEN"How to prevent it
- Always pass a github-oauth token via COMPOSER_AUTH in CI.
- Use least-privilege tokens scoped to the repos you install from.
- Cache dependencies so fewer API calls are needed per run.