How to install private Composer packages in GitHub Actions

Handle authentication for Composer packages in GitHub Actions using secrets.

Ralph J. Smit Laravel Software Engineer

As a Laravel developer, I'm using GitHub Actions in almost every project. Recently I installed the self-hosted version of Mailcoach in a Laravel app. Mailcoach is a premium app created by Spatie, that can be installed as a package in a Laravel app. This is the same for my premium Laravel Filament packages.

For paid packages, they cannot be installed directly from Packagist, so we need to do a little more work. For this tutorial I'll assume you already installed a paid package in your project locally, but in most cases that comes down to adding the following to your composer.json:

"repositories": [
"type": "composer",
"url": ""

If you then run composer install locally, you will be prompted for an email address and a password. Enter the credentials and your package will be installed! Composer will store the credentials and you won't be prompted for it the next time.

However, on GitHub Actions, this is more difficult to achieve, since you don't have an interactive console. Luckily, there's a good way around it by using GitHub Action secrets.

1. Update GitHub Action workflow file

First, open your GitHub Action workflow file(s). Add the following line just before the line where you do composer install or composer update:


Replace with the correct URL. Replace my email with the email/username that's necessary for the private package you have. Rename the name of the GitHub Action secret to something more suitable for the package you are installing.

If you prefer, you could even make the email address/username a separate GitHub Action secret. In my case, I find it a bit over-kill, but in larger organizations, you might find it useful.

2. Create a GitHub Action Secret

Next, go to your GitHub repo on Click Settings. > Secrets and variables > Actions. Click "New Repository Secret" and enter the name of the secret. It should be the same name in capital lettersas in the line you added to the workflow file.

Confirm by clicking "Add secret".


As you've seen, installing private packages with Composer is really easy if you know the right trick. There are others who wrote about a similar solution, these solutions involved storing a whole JSON file in GitHub Action Secrets. I don't like that, because that doesn't work well if you ever need to add a new dependency (then you'd have to find the password again, create a new JSON file, delete the old secret and create a new secret).

Published by Ralph J. Smit on in Github .