Cargo "failed to authenticate" - Private Git Dependency in CI
A git = "..." dependency points at a private repository and the runner has no credentials for it. Cargo cannot authenticate the clone, so the dependency cannot be fetched even though resolution would otherwise succeed.
What this error means
cargo fails cloning a private git dep with failed to authenticate when downloading repository, often listing the SSH agent / credential helpers it tried. It works locally (where your key exists) but not on the bare runner.
error: failed to authenticate when downloading repository: git@github.com:org/private.git
* attempted ssh-agent but ... no auth available
Caused by:
no authentication availableCommon causes
No SSH key or token on the runner
The private git source needs an SSH deploy key or a token-based credential helper. CI has neither unless you provision it from a secret.
SSH used where only HTTPS+token is configured (or vice versa)
The dependency URL uses git@/SSH but only an HTTPS token is set up (or the reverse), so the available credential does not match the protocol.
How to fix it
Provide an SSH key and use the git CLI fetcher
Load a deploy key into the agent and let cargo shell out to git for auth.
export CARGO_NET_GIT_FETCH_WITH_CLI=true
eval "$(ssh-agent -s)"
ssh-add - <<< "${{ secrets.SSH_DEPLOY_KEY }}"
cargo build --lockedOr rewrite to HTTPS with a token
Use a token-authenticated HTTPS URL instead of SSH.
git config --global url."https://x-access-token:${TOKEN}@github.com/".insteadOf "https://github.com/"
cargo build --lockedHow to prevent it
- Provision an SSH deploy key or HTTPS token for private git deps as a CI secret.
- Set
CARGO_NET_GIT_FETCH_WITH_CLI=trueso cargo uses git's auth handling. - Match the dependency URL protocol (SSH vs HTTPS) to the credential you supply.