Skip to content
Latchkey

dbt deps git package authentication failed in CI

dbt deps tried to clone a git-based package and the clone failed for lack of credentials. In CI, a private repository needs a token or SSH key the runner does not have by default.

What this error means

dbt deps fails while fetching a git package with "fatal: could not read from remote repository" or "Authentication failed", naming the package repo URL.

dbt
Cloning into '...'...
fatal: could not read from remote repository.
Please make sure you have the correct access rights and the repository exists.
Runtime Error
  Error checking out spec "main" for git package

Common causes

A private git package with no credentials

The packages.yml git URL points at a private repo, but the runner has no token or key to authenticate the clone.

An SSH URL without a configured key

A git@ URL requires an SSH key the CI environment did not load, so the clone is rejected.

How to fix it

Use an HTTPS URL with a token

  1. Store a token with read access to the package repo as a CI secret.
  2. Reference it in the git URL so dbt deps can authenticate.
  3. Run dbt deps to confirm the clone succeeds.
packages.yml
packages:
  - git: "https://x-access-token:{{ env_var('GIT_PACKAGE_TOKEN') }}@github.com/org/dbt-shared.git"
    revision: main

Load an SSH key for git@ URLs

If you use an SSH URL, add the deploy key to the runner before dbt deps.

.github/workflows/ci.yml
env:
  GIT_PACKAGE_TOKEN: ${{ secrets.GIT_PACKAGE_TOKEN }}

How to prevent it

  • Authenticate private git packages with a scoped token from CI secrets.
  • Prefer HTTPS URLs with a token over SSH in ephemeral CI.
  • Commit package-lock.yml so the resolved revision is reproducible.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →