[SOLVED] Composer is using https instead of ssh (for GitLab)

Issue

When using a composer.json like this to install a private package:

{
    "require": {
        "foobar/example-package": "dev-master"
    },
    "repositories": [{
        "type": "vcs",
        "url": "[email protected]:foobar/example-package.git"
    }]
}

Composer tries to use https instead of ssh for some reason:

$ composer update
Loading composer repositories with package information
Failed to download foobar/example-package:The "https://gitlab.com/api/v4/projects/foobar%2Fexample-package" file could not be downloaded (HTTP/1.1 404 Not Found)      
Your credentials are required to fetch private repository metadata ([email protected]:foobar/example-package.git)
A token will be created and stored in "…\composer\home/auth.json", your password will never be stored
To revoke access to this token you can visit https://gitlab.com/profile/applications
Username:

Even when using -vvv there is no indication why Composer would need to access the repository via https - while it is perfectly possible to push and pull code to the private repository via ssh (using the private key stored in the SSH agent).

This happens with Composer 1.x and 2.x. Is there no way to only use ssh for operations like this? This problem also seems specific to GitLab as I have never encountered it with GitHub repositories for example.

Solution

Double check "Install composer packages from private repository from GitLab" from Syed Sirajul Islam Anik

So, to install a package from GitLab which is not a public repository will need a Personal Access Token.
You can issue your PAT by going to Profile Icon > Settings > Access Token. Then to issue a new PAT, write a name and select a scope api/read_api, read_api is a minimum. api will work too. If you want to set an expiry, can put value in that. Then press the Create personal access token Button.

Next, from the terminal. Run the following command.

composer config --global --auth gitlab-token.gitlab.com PAT_TOKEN

Replace the PAT_TOKEN with the token you found from the above process. And if you’re using a self-hosted GitLab, then you’ll need to change the URL gitlab.com to your self-hosted URL.

Then, in your composer.json file, add the following snippet.

"repositories": [
   {
       "type": "vcs",
       "url": "[email protected]:namespace/repo-name.git"
   }
]

If your composer.json file already contains the repository key, then add the object to it.

Finally,

composer require vendor-name/package-name

In other words, even though the URL is SSH, you still need a PAT (token) to use the HTTPS GitLab API invoked by composer.

Answered By - VonC