Add a Package from a Private Repository

Learn how to add a package from a private repository.

Discuss in our Forum Discuss in Slack

This section provides information on how to add a package from a private repository using Integrated Composer.

 Note

Pantheons Secrets Manager is currently in Early Access (EA). You can also use the Terminus plugin to manage your secrets for private repositories in Integrated Composer builds without committing your credentials to the repository. If you use it, follow the instructions in the Terminus plugin README instead of the steps presented on this page.

Add a Package from a Private Repository

The steps below outline a method for adding a package from a private GitHub, GitLab, or Bitbucket repository. Refer to the official Composer documentation for additional information on handling private packages.

A token will be added to your code repository for this procedure. This allows anyone with the token to read and write to private repositories associated with the issuing account. You can explore workarounds to limit the scope of the token access. For example, you can create a new GitHub user and restrict that user's permission to only the private repositories needed for your Composer packages. This ensures your site repository code is not published publicly.

Your repository should contain a composer.json file that declares a package name in its name field. If it is a WordPress plugin or a Drupal module, it should specify a type of wordpress-plugin or drupal-module respectively. For these instructions, we will assume your package name is mycompany/my-private-repo.

  1. Generate a GitHub Personal Access Tokens page. The Github token must have all repo permissions selected.

  2. Add the private repository to composer.json, replacing <token> with your newly generated token.

    composer.json
    "repositories": [
         {
             "type": "vcs",
             "url": "https://<token>@github.com/mycompany/my-private-repo"
         }
     ],
  3. Run the command below to require the package (you may specify any needed version constraint in this step):

    composer require mycompany/my-private-repo
  4. Run the commands below to commit the updated Composer files and add them to your environment only if the above command update works locally.

    git add composer.json composer.lock
    git commit -m "Adding private package <your-package>"
    git push
  1. Generate a GitLab token. Ensure that read_repository scope is selected for the token.

  2. Add the private repository to composer.json, replacing <token> with your newly generated token.

    composer.json
    "repositories": [
        {
            "type": "vcs",
            "url": "https://oauth2:<token>@gitlab.com/mycompany/my-private-repo.git"
        }
    ],
  3. Run the command below to require the package (you may specify any needed version constraint in this step):

    composer require mycompany/my-private-repo
  4. Run the commands below to commit the updated Composer files and add them to your environment only if the above command update works locally.

    git add composer.json composer.lock
    git commit -m "Adding private package <your-package>"
    git push
  1. Generate a Bitbucket oauth consumer. Ensure that Read repositories permission is selected for the consumer. Also, set the consumer as private and put a (dummy) callback URL.

  2. Use the consumer key and consumer secret to create an auth.json file in your repo root like this:

    composer config bitbucket-oauth.bitbucket.org consumer-key consumer-secret
  3. Add your private repository to the repositories section of composer.json:

    composer.json
    "repositories": [
        {
            "type": "vcs",
            "url": "https://bitbucket.org/vendor/package-name.git"
        }
    ],
  4. Run the command below to require the package (you may specify any needed version constraint in this step):

    composer require mycompany/my-private-repo
  5. Run the commands below to commit the updated Composer files and add them to your environment only if the above command update works locally.

    git add auth.json composer.json composer.lock
    git commit -m "Adding private package <your-package>"
    git push

More Resources