Using Composer With Private Packages Hosted On Github

Srinath Reddy • January 2, 2021

php composer github

Composer is a great tool for importing open source PHP packages hosted on packagist.org.

If you are creating packages within your organization and want to keep them private, you cannot host them on packagist.org. Composer provides private package hosting as a paid service on packagist.com.

If you can afford private Packagist hosting, I recommend using it instead of hosting your private Composer packages on GitHub. By purchasing private Packagist, you financially support the development of Composer and the hosting costs of packagist.org.

If you are a solo developer or a startup that cannot afford private Packagist, follow this guide to host your private PHP packages on GitHub for free and import them using Composer.

In this article we will create a simple Composer PHP package, host it as a private repository on GitHub, and import it into a project using Composer.

1. Create Composer Package

Creating a private Composer package is exactly the same as creating a public package. So go ahead and follow steps 1 to 4 outlined in the article "creating composer php packages".

The only difference is in step 2: instead of marking the repository as public, mark it as private.

2. Authorize composer to access private github repository

Now that our package is created and hosted in a private repository on GitHub, we need to authorize Composer to access that repository. This allows Composer to connect to our private GitHub repository and download our package.

There are two ways of authorizing Composer to download our private package from GitHub.

Option 1: Authorizing composer using auth.json file

This method is recommended only for local development, not for production use.

When we try to download a package from a private URL, Composer looks for authorization credentials for that URL in a file called auth.json.

We need to create a personal access token on GitHub and add it to the auth.json file, so that Composer can connect to our private repository using that token.

Read-only permissions are sufficient for this personal access token, as Composer uses it only to download the package from our private GitHub repository.

To create a personal access token on github,

Now that we have a GitHub personal access token with read privileges to the private repository, we need to tell Composer to connect to our private GitHub repository using this token. This is done with the auth.json file.

Create a new file called auth.json in your project root directory and add the following code to it.

{
    "github-oauth": {
        "github.com": "your-github-token"
    }
}

Replace your-github-token with your newly created GitHub personal access token.

You should never commit this file to GitHub. Doing so will give unauthorized users access to your GitHub repositories if the token is compromised.

Our auth.json file is now set up. By default, Composer tries to download packages from packagist.org. Since our packages are private packages hosted on GitHub, they are not available on packagist.org. We need to tell Composer which GitHub repository to look in to find the package it is trying to download.

This is done using the repositories array in your project's composer.json file.

Open the composer.json file in your project and add the following code to it.

"repositories": [
    {
        "type": "vcs",
        "url": "https://github.com/your-github-username/your-repository-name"
    }
]

By adding the above code, we are instructing Composer to look for the package in our private repository hosted at the specified URL.
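
The warning above about keeping auth.json out of GitHub can be enforced with a small check run before committing or deploying. The script below is an added example, not part of the original article; the function name audit_auth_json is made up for illustration, and it assumes auth.json sits in the project root as described above.

```shell
#!/bin/sh
# Added example (not from the original article): audit a project's auth.json.
# audit_auth_json is a hypothetical helper name. Returns 0 if clean, 1 if not.
audit_auth_json() {
    dir=${1:-.}
    file="$dir/auth.json"
    rc=0

    if [ ! -f "$file" ]; then
        echo "ok: no auth.json in $dir"
        return 0
    fi
    # Only an auth.json with a github-oauth entry holds a GitHub token.
    if ! grep -q '"github-oauth"' "$file"; then
        echo "ok: auth.json has no github-oauth entry"
        return 0
    fi

    # 1. The token file must not be readable by group or other users.
    if [ -n "$(find "$file" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "FAIL: $file is readable by other users (fix: chmod 600)"
        rc=1
    fi

    # 2. The file must be ignored by git and must not already be tracked.
    if git -C "$dir" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        if git -C "$dir" ls-files --error-unmatch auth.json >/dev/null 2>&1; then
            echo "FAIL: auth.json is tracked by git; untrack it and revoke the token"
            rc=1
        elif ! git -C "$dir" check-ignore -q auth.json 2>/dev/null; then
            echo "FAIL: auth.json is not ignored by git"
            rc=1
        fi
    elif ! grep -qxE '/?auth\.json' "$dir/.gitignore" 2>/dev/null; then
        # Not a git work tree yet: fall back to a literal .gitignore lookup.
        echo "FAIL: auth.json is not listed in $dir/.gitignore"
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "ok: auth.json is private and ignored"
    fi
    return "$rc"
}
```

Call it as audit_auth_json /path/to/project from a pre-commit hook or a deploy script and stop on a non-zero exit status.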

Option 2: Authorizing composer using SSH key

The most recommended and secure way of authorizing Composer with GitHub is using SSH keys. Before authorizing Composer using an SSH key, we need to create an SSH key on the machine where we are going to run Composer.

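# Generate the key pair (your-email@example.com is a placeholder)
cd ~/.ssh/ && ssh-keygen -t rsa -b 4096 -C "your-email@example.com"
# Edit your own SSH config; sudo is not needed for a file in your home directory
nano ~/.ssh/config

# Contents of ~/.ssh/config: use this key only for connections to github.com
Host github.com
    Hostname github.com
    User git
    IdentityFile ~/.ssh/github_ssh

Make sure to replace github_ssh with the file name you gave when creating the SSH key.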

By adding this SSH key to our GitHub account, our machine is authorized to make secure SSH connections to the GitHub server.

Now all that is left is to tell Composer to look for the private package in our private GitHub repository. This is done by updating the repositories array in the project's composer.json file.

Open the composer.json file in your project and add the following code to it.

"repositories": [
    {
        "type": "vcs",
        "url": "git@github.com:your-github-username/your-repository-name.git"
    }
]

By adding the above code, we are instructing Composer to look for the package in our private repository. Since we have already configured SSH access to our private GitHub repository, Composer should be able to download our private packages without any issues.

3. Import Private Package

Now that we have authorized Composer to access our private GitHub repository and told it where to look for our private package, we can import our private packages the same way we normally import Composer packages.

Import the private package by running

composer require vendor/package-name

vendor/package-name is the name you added to the composer.json file inside your package.

Example:

composer require srinath/hello-world-package

Troubleshooting

If you are having issues importing your private GitHub packages using Composer, try the following.
