Skip to content
Latchkey

Composer VCS Repository Auth Failed - Private Git Source in CI

A repositories entry of type: vcs points at a private Git host, and the CI runner has no credentials to clone it. Composer falls through to an interactive prompt that cannot be answered in CI, so the install fails.

What this error means

Composer reaches a private VCS package and fails with "Failed to clone … could not read Username for 'https://…'" or an SSH permission-denied. The same install works locally where your Git credentials or SSH agent are present.

composer output
  - Installing acme/internal (1.2.0): Cloning from https://github.com/acme/internal
Failed to clone https://github.com/acme/internal via https, ssh protocols,
aborting.

  - https://github.com/acme/internal
    fatal: could not read Username for 'https://github.com': No such device or address

Common causes

No credentials for the private host in CI

The runner has no Git token or SSH key for the private VCS, so the clone has nothing to authenticate with and Composer cannot prompt interactively.

Wrong protocol for the available credential

The url uses HTTPS but only an SSH deploy key is configured (or vice versa). Composer cannot use a credential that does not match the URL scheme.

How to fix it

Provide an OAuth/Git token for HTTPS clones

Configure a token Composer can use for the host before installing.

Terminal
composer config --global --auth github-oauth.github.com "$GH_TOKEN"
# GitLab / Bitbucket have gitlab-token / bitbucket-oauth equivalents
composer install --no-interaction

Use an SSH deploy key and an ssh URL

Add the key to the agent and point the repository at the ssh form.

Terminal + composer.json
eval "$(ssh-agent -s)"
ssh-add - <<< "$DEPLOY_KEY"
# composer.json
"repositories": [
  { "type": "vcs", "url": "git@github.com:acme/internal.git" }
]

Verify Composer sees the credential

Terminal
composer config --global --list | grep -i auth
git ls-remote https://github.com/acme/internal   # proves the token works

How to prevent it

  • Inject a least-privilege token or deploy key into CI for private VCS packages.
  • Match the repository url scheme (https vs ssh) to the credential you provide.
  • Prefer a private Composer registry over many per-repo VCS auth setups.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →