GITHUB_TOKEN for use with composer

Actions

liepumartins December 14, 2023, 11:48am 1

We are creating CI/CD pipeline for PHP.

Step composer install goes on forever and fails with messages like these

Failed to download phpstan/phpstan from dist: Could not authenticate against github.com
    Now trying to download from source

Internet says that github is rate-limiting requests and oauth token is required. We created a secret COMPOSER_GITHUB_TOKEN and added GITHUB_TOKEN: ${{ secrets.COMPOSER_GITHUB_TOKEN }}. This did not help.

After this error, we added composer diagnose as suggested at composer repository issues.

Checking github.com oauth access: The oauth token for github.com seems invalid, run "composer config --global --unset github-oauth.github.com" to remove it

Did some more debugging, it seems that GITHUB_TOKEN is generated and cannot be set. Here is what we tried.

name: ci

on:
  push:
    branches:
      - "trunk"
env:
  GITHUB_TOKEN: ${{ secrets.COMPOSER_GITHUB_TOKEN }}
jobs:
  build:
    runs-on: ubuntu-latest
    container: catthehacker/ubuntu:act-latest
    steps:
      - name: Debug Print token GITHUB_TOKEN base64 before shivammathur
        run: echo $GITHUB_TOKEN|base64 # this prints base64 of random string, each time different
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: 8.2
      - name: Debug Print secret
        run: echo ${{ secrets.COMPOSER_GITHUB_TOKEN }} # this prints correct token
      - name: Debug Print secret
        run: echo ${{ secrets.COMPOSER_GITHUB_TOKEN }}|base64 # this prints base64 of correct token
      - name: Debug Print token GITHUB_TOKEN base64 # since we cannot print it directly
        run: echo $GITHUB_TOKEN|base64 # this prints base64 of *the* random string
      - name: Debug print env
        run: env # this prints env variables, GITHUB_TOKEN is represented with ***
      # tried also to unset & set token manually
      - name: Register Github oauth
        run: composer config --global --unset github-oauth.github.com && composer config -g github-oauth.github.com ${{ secrets.COMPOSER_GITHUB_TOKEN }}
      - name: Debug print composer settings
        run: composer config --list
      - name: Debug print composer setting
        run: composer config github-oauth.github.com|base64  # this prints base64 of *the* random string
      - name: Diagnose composer
        run: composer diagnose # fails with message about invalid oauth token
      - name: Install dependencies
        run: composer install --prefer-dist # this is not reached; or if diagnose step is removed 

Question is how to use composer with GITHUB_TOKEN on gitea actions?

lunny December 18, 2023, 2:49pm 2

GITHUB_TOKEN is generated and used by gitea server side. It cannot be used for a github repository.
And I don’t think cloning from github has a rate limitation. It should only be applied on APIs. And of course, the action shivammathur/setup-php will download artifacts from github releases? I’m not familiar with that action.

liepumartins December 18, 2023, 7:19pm 3

Action shivammathur/setup-php creates PHP environment with tools, fine grained modules etc. It was suggested by Laravel Vapor docs
Maybe there is a better alternative available?

Downloading from github happens using composer install there are multiple github issues and stackoveflow discussions about rate-limited downloads from github for the unauthenticated (without token).

Seems problem lies with the fact, that composer takes the GITHUB_TOKEN env variable over other token configuration methods and since gitea uses GITHUB_TOKEN for other purposes this is a dead end.

lunny December 19, 2023, 1:46am 4

Maybe you can try to use step sepical secrets like below

- name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: 8.2
          github_token: ${{ secrets.COMPOSER_GITHUB_TOKEN }}

liepumartins December 19, 2023, 9:52am 5

Already tried that, before starting this thread.

Found out another option to pass token without GITHUB_TOKEN use.
There is COMPOSER_AUTH_JSON that should contain the auth.json like so:

{
  "github-oauth": {
    "github.com": "ghp_XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
  }
}

jobs:
  build:
    runs-on: ubuntu-latest
    env:
      COMPOSER_AUTH_JSON: ${{ secrets.COMPOSER_AUTH_JSON }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup PHP
        uses: shivammathur/setup-php@v2
        with:
          php-version: 8.2
          extensions: json, mbstring, pdo, pdo_sqlsrv, simplexml
          tools: composer:v2, phpunit, phpstan
          coverage: none     
      - name: debug auth.json file content
        run: cat /root/.composer/auth.json
      - name: Diagnose composer
        run: composer diagnose

I checked the contents of auth.json using cat /root/.composer/auth.json

However the error is still the same and this now looks like either composer or shivammathur/setup-php bug.

Thank You!

liepumartins December 21, 2023, 7:28am 6

It appears that composer is not reading the auth.json file, it relies on env variable COMPOSER_AUTH which shivammathur/setup-php overwrites installing GITHUB_TOKEN as token value.

Workaround is to pass for each step using composer

      - name: Install dependencies 
        run: composer install # will not work       
      - name: Install dependencies
        env:
          COMPOSER_AUTH: ${{ secrets.COMPOSER_AUTH_JSON }} # only this works
        run: composer install # will work