Skip to content
Latchkey

pip "git+https" install authentication failed in CI

pip ran git clone for a git+https:// requirement, but the repository is private and no credentials are available in the non-interactive CI shell. git cannot prompt, so it fails to read the username.

What this error means

The install fails with "fatal: could not read Username for 'https://github.com': No such device or address" or an HTTP 403 while cloning the dependency.

pip
Collecting internal-lib@ git+https://github.com/acme/internal-lib.git
  Cloning https://github.com/acme/internal-lib.git to /tmp/pip-install-x
  fatal: could not read Username for 'https://github.com': No such device or address
error: subprocess-exited-with-error

Common causes

No token in the clone URL or git config

A private git+https dependency needs an injected token; without one, git has no way to authenticate non-interactively.

A transient network or auth-endpoint drop

An intermittent failure reaching the git host can surface as a clone/auth error even when credentials are correct.

How to fix it

Inject a token via git config (not the URL)

  1. Store a least-privilege token as a CI secret.
  2. Rewrite https github URLs to include the token with git config, so it is not committed in requirements.
  3. Re-run the install.
.github/workflows/ci.yml
git config --global url."https://x-access-token:${{ secrets.GH_PAT }}@github.com/".insteadOf "https://github.com/"
pip install -r requirements.txt

Use SSH for private dependencies

Switch the requirement to git+ssh:// and load a deploy key so no token is embedded.

requirements.txt
internal-lib @ git+ssh://git@github.com/acme/internal-lib.git@v1.2.0

How to prevent it

  • Keep tokens in CI secrets and inject them via git config, never in committed URLs.
  • Use least-privilege, short-lived tokens or deploy keys for private deps.
  • Pin the dependency to a tag so clones are reproducible.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →