Using private Composer packages in Docker

Published: 10/4/2024

1. Create a new fine-grained GitHub PAT with read-only access to Contents on repositories you want Composer to access.

2. Add GitHub PAT as JSON to your environment variables

# Replace `github_pat_xxx` with your token
COMPOSER_AUTH_JSON='{ "github-oauth": { "github.com": "github_pat_XXXX" } }'

3. Update docker-compose.yaml and Dockerfile

# docker-compose.yaml
services:
  php:
    build:
      secrets:
        - COMPOSER_AUTH_JSON

secrets:
  COMPOSER_AUTH_JSON:
    environment: COMPOSER_AUTH_JSON

# Dockerfile
RUN --mount=type=secret,id=composer_auth_json,dst=/app/auth.json \
    composer install --no-autoloader --no-ansi --no-dev --no-interaction --no-plugins --no-progress --no-scripts

[!IMPORTANT]

Using Coolify? Check out this article on how to use build secrets in Coolify.

Additional information and references

• Managing your personal access tokens - GitHub Docs
• Authentication for privately hosted packages and repositories - Composer
• How to use secrets in Docker Compose | Docker Docs
• dunglas/docker-private-composer-packages: Example: Securely Access Private Composer Packages