Skip to content
Latchkey

Cargo "failed to authenticate" - Private Git Dependency in CI

A git = "..." dependency points at a private repository and the runner has no credentials for it. Cargo cannot authenticate the clone, so the dependency cannot be fetched even though resolution would otherwise succeed.

What this error means

cargo fails cloning a private git dep with failed to authenticate when downloading repository, often listing the SSH agent / credential helpers it tried. It works locally (where your key exists) but not on the bare runner.

cargo
error: failed to authenticate when downloading repository: git@github.com:org/private.git

  * attempted ssh-agent but ... no auth available
Caused by:
  no authentication available

Common causes

No SSH key or token on the runner

The private git source needs an SSH deploy key or a token-based credential helper. CI has neither unless you provision it from a secret.

SSH used where only HTTPS+token is configured (or vice versa)

The dependency URL uses git@/SSH but only an HTTPS token is set up (or the reverse), so the available credential does not match the protocol.

How to fix it

Provide an SSH key and use the git CLI fetcher

Load a deploy key into the agent and let cargo shell out to git for auth.

.github/workflows/ci.yml
export CARGO_NET_GIT_FETCH_WITH_CLI=true
eval "$(ssh-agent -s)"
ssh-add - <<< "${{ secrets.SSH_DEPLOY_KEY }}"
cargo build --locked

Or rewrite to HTTPS with a token

Use a token-authenticated HTTPS URL instead of SSH.

Terminal
git config --global url."https://x-access-token:${TOKEN}@github.com/".insteadOf "https://github.com/"
cargo build --locked

How to prevent it

  • Provision an SSH deploy key or HTTPS token for private git deps as a CI secret.
  • Set CARGO_NET_GIT_FETCH_WITH_CLI=true so cargo uses git's auth handling.
  • Match the dependency URL protocol (SSH vs HTTPS) to the credential you supply.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →