Evgenii Goryaev
Development, support and optimization

Building a PHP project in Gitlab CI with private dependencies

Poster for the article Building a PHP project in Gitlab CI with private dependencies

Sometimes it is necessary to move some of the functions into a separate library for sharing with other private projects. If it should not be available for public, then its repository should also be private. In order for the php composer package manager while building the project in CI to be able to add it, it must be authorized and have access to this private repository. The best authorization option in this situation is using the token, which is passing from the gitlab settings during the build of the project container.

Create a token

If you need composer to have access to all your private repositories (which can be handy in some cases), then you need to generate a token in your user settings at:


If you need to grant access to one private repository, then you can generate a token only for it. This is done in the section of his project:


Working with token in CI

The generated token must be saved in the environment variables, in the project's CI settings on this page:


I usually store the token as COMPOSER_TOKEN in the project's CI settings in gitlab.

In the .gitlab-ci.yml, where the container build command docker build is called, we need to add our variable as an argument: --build-arg COMPOSER_TOKEN=${COMPOSER_TOKEN} As a result, my build command in the gtalb CI config file looks something like this:

       docker build
       --build-arg VCS_REF=$CI_COMMIT_SHA
       --build-arg VCS_URL=$CI_PROJECT_URL

And in the dockerfile, we need to authorize the composer with our token, having previously accepted from the build command arguments. A snippet of my file looks like this:

FROM registry.gitlab.com/floor12/images:basic81



COPY ./composer.lock ./composer.lock
COPY ./composer.json ./composer.json

RUN composer config gitlab-token.gitlab.com $COMPOSER_TOKEN
RUN composer install --prefer-dist --no-progress --no-scripts --optimize-autoloader

The composer now can be authorized and will be able to access the required private repository. Also, don't forget to add the repository url to your project's composer.json file, since packagist can't know anything about your private projects.

   "name": "floor12/test",
   "minimum stability": "stable",
   "require": {
     "php": ">=8.0.0",
   "repositories": [
       "type": "composer",
       "url": "https://asset-packagist.org"
       "type": "git",
       "url": "https://gitlab.com/floor12/some-private-package"

If you need to access a repository that is not hosted on gitlab, but in some other place, then you can choose one of the built-in composer modules described in the official composer documentation,

More detailed information on gitlab and composer authorization can also be found in the gitalb documentation.

I hope this information was useful to you.