pip "git+https" install authentication failed in CI
pip ran git clone for a git+https:// requirement, but the repository is private and no credentials are available in the non-interactive CI shell. git cannot prompt, so it fails to read the username.
What this error means
The install fails with "fatal: could not read Username for 'https://github.com': No such device or address" or an HTTP 403 while cloning the dependency.
Collecting internal-lib@ git+https://github.com/acme/internal-lib.git
Cloning https://github.com/acme/internal-lib.git to /tmp/pip-install-x
fatal: could not read Username for 'https://github.com': No such device or address
error: subprocess-exited-with-errorCommon causes
No token in the clone URL or git config
A private git+https dependency needs an injected token; without one, git has no way to authenticate non-interactively.
A transient network or auth-endpoint drop
An intermittent failure reaching the git host can surface as a clone/auth error even when credentials are correct.
How to fix it
Inject a token via git config (not the URL)
- Store a least-privilege token as a CI secret.
- Rewrite https github URLs to include the token with
git config, so it is not committed in requirements. - Re-run the install.
git config --global url."https://x-access-token:${{ secrets.GH_PAT }}@github.com/".insteadOf "https://github.com/"
pip install -r requirements.txtUse SSH for private dependencies
Switch the requirement to git+ssh:// and load a deploy key so no token is embedded.
internal-lib @ git+ssh://git@github.com/acme/internal-lib.git@v1.2.0How to prevent it
- Keep tokens in CI secrets and inject them via git config, never in committed URLs.
- Use least-privilege, short-lived tokens or deploy keys for private deps.
- Pin the dependency to a tag so clones are reproducible.