If I want to reference packages from a private repository, I need a GitHub/GitLab access token. The specificity of composer.json is that it can only handle a single OAuth access. Therefore, if I use multiple tokens, I would have to list the "git" type "url" values in the repositories section of every composer.json file, embedding the token in each URL.
Previously, I asked a question about how I could store the tokens in a separate file, see here:
- Using external variables in the composer.json file when running the global composer command
Composer does not provide an option to use external "variables", as mentioned by yivi.
The Composer team does not plan to support multiple access tokens globally.
- composer/composer #11204 issue - GitHub
How can I manage to use multiple tokens (or an alternative to using multiple tokens) that I can set globally for Composer?
Asked by rozsazoltan; edited by yivi.
Comment: I don't want to store the PAT key in the composer.json file because that would prevent me from uploading the file to version control since it contains sensitive data. Composer does not allow me to use "variables" in the composer.json file to separate the keys. Instead, I have to use Composer's global config.json file to register the repositories (so the PAT keys are not in the composer.json). However, this means every contributor must add the appropriate repositories to their config.json, which becomes cumbersome over time, especially when the PAT token needs to be updated. – rozsazoltan, commented yesterday
1 Answer
Since GitHub does not allow pulling multiple accounts' repositories with one token, and composer can only handle one token per domain, we need to find a solution where we can manage all our private repositories under a single token.
By using an external service, we can create a set of repositories accessible under different tokens. For this, we can create one access token for the external service, which can be set globally for Composer. With self-hosted solutions, you can assemble this locally for free, but there are also online services available.
Self-hosted mirror repositories
There are several options, and for me, the Gitea solution has worked the best. You can run it on your own machine or server, assign tokens to mirrored repositories, and schedule the mirroring to occur at specified intervals to keep your repository up to date. This way, you can mirror repositories accessible under multiple GitHub/GitLab tokens under a single common token, and then you only need to configure this single shared login token in Composer.
Use a self-hosted Git service. For example, with Gitea, you can gather repository mirrors using multiple GitHub tokens (which you can later keep up to date, similar to GitHub forks).
- What is Gitea? - Gitea Docs
- Repository Mirror - Gitea Docs
- Mirroring a GitLab or GitHub repository to a self-hosted Gitea server - Stack Overflow
With Gitea, you can publish the packages using their API and configure HTTP access as well.
- Configuring the package registry - Gitea Docs
Alternative solution with Private Packagist
Seldaek's comment: composer/composer #10483 - GitHub
TBH that's a special use case due to poor repository construction which I am not so keen on supporting in composer. Private Packagist does support this though, as you can add the same repo as a third party mirror multiple times, configuring each with a different set of credentials, and mirroring a different set of packages from each. So I'd suggest you maybe have a look at using that, or try and get your vendors to use it as a paid package repository, which is also something we offer and we then handle credentials correctly for customers.
Duplicate of #8724 BTW if you want to read more about this.
(emphasis added)
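An added example, not part of the original question or answer: a check you could run before committing that flags credentials embedded in composer.json repository URLs (the pattern the question wants to avoid), strips them, and reports which hosts need credentials configured outside the file, such as the single mirror token the answer describes. The sample composer.json, host names and token strings are constructed placeholders.

```python
import json
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: two repository URLs with embedded tokens, one without.
SAMPLE = """{
    "repositories": [
        {"type": "git", "url": "https://user-a:EXAMPLE_TOKEN_A@github.com/vendor-a/pkg-a.git"},
        {"type": "git", "url": "https://user-b:EXAMPLE_TOKEN_B@gitlab.com/vendor-b/pkg-b.git"},
        {"type": "git", "url": "https://gitea.example.test/mirrors/pkg-c.git"}
    ]
}"""

def strip_userinfo(url):
    """Return (clean_url, host) if an http(s) URL carries user[:secret]@, else (url, None)."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return url, None
    netloc = parts.netloc.rpartition("@")[2]  # keeps port and IPv6 brackets
    clean = urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))
    return clean, parts.hostname

def audit_composer_json(text):
    """Return (findings, cleaned_text); findings are (repo key, host), never the secret."""
    data = json.loads(text)
    repos = data.get("repositories", [])
    # Composer accepts a list or an object keyed by repository name.
    items = list(repos.items()) if isinstance(repos, dict) else list(enumerate(repos))
    findings = []
    for key, repo in items:
        if not isinstance(repo, dict) or not isinstance(repo.get("url"), str):
            continue  # skips entries such as {"packagist.org": false}
        clean, host = strip_userinfo(repo["url"])
        if host is not None:
            findings.append((key, host))
            repo["url"] = clean
    return findings, json.dumps(data, indent=4)

if __name__ == "__main__":
    found, cleaned = audit_composer_json(SAMPLE)
    for key, host in found:
        print(f"repositories[{key}]: credential in URL; configure {host} outside composer.json")
    print(cleaned)
```

A token that has already been committed stays in the repository history after the URL is cleaned, so it should be revoked and reissued.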