Error: Could not authenticate against github.com (on GitHub Action)

[griase94]

When I run this command:

I'm want to install my dependencies using composer install --no-interaction --no-suggest on one stage of my GitHub Action. Unfortunately all installs fail with a Could not authenticate against github.com error.

I get the following output:

Loading composer repositories with package information Installing dependencies (including require-dev) from lock file Package operations: 158 installs, 0 updates, 0 removals

• Installing ocramius/package-versions (1.5.1): Downloading (connecting...)Downloading (0%)  Failed to download ocramius/package-versions from dist: Could not authenticate against github.com Now trying to download from source
• Installing ocramius/package-versions (1.5.1): Cloning 1d32342b8c from cache
• Installing clue/stream-filter (v1.4.1): Downloading (connecting...)Downloading (0%)  Failed to download clue/stream-filter from dist: Could not authenticate against github.com Now trying to download from source
• Installing clue/stream-filter (v1.4.1): Cloning 5a58cc30a8 from cache
• Installing symfony/polyfill-ctype (v1.14.0): Downloading (connecting...)Downloading (0%)  Failed to download symfony/polyfill-ctype from dist: Could not authenticate against github.com

[edgreenberg]

I had to enter an oauth token "once" before I could do certain composer actions against github. Try getting a token and going through it without --no-interaction and enter your token. Composer should keep it. Of course, if you are using multiple machines, this becomes onerous "real quick".

[Seldaek]

See https://github.com/shivammathur/setup-php#composer-github-oauth which might help.

[ktomk]

Adding the composer token to the environment (setup-php action) solved it for me:

      - uses: shivammathur/setup-php@v2
        with:
          php-version: '7.4'
          extensions: xdebug
        env:
          COMPOSER_TOKEN: ${{ secrets.GITHUB_TOKEN }}

This resolves an authentication error that came unexpected using a different repository than packagist: VCS on Github itself for a public repository of mine:

      - run: |
          composer config repositories.bugfix vcs https://github.com/ktomk/rector
          composer require rector/rector:dev-patch-resolve-classname --no-progress --update-with-dependencies
          vendor/rector/rector/bin/rector process --dry-run lib/Collaborator.php 2>&1

[mvorisek]

I am getting this message time by time, I belive it has to do something with API rate limitting.

Can composer display a better/more relevant message?

[sushilcoder504]

this type error ocure how can solve it

[Composer\Downloader\TransportException]
Could not authenticate against github.com

[github-actions[bot]]

This issue has been automatically marked Stale and will be closed in 15 days if no further activity happens.

[jdavidbakr]

This suddenly started happening to me this morning in my CI/CD pipeline. Did something break again?

[lukavavetic]

@jdavidbakr For me as well. Started this morning. I am using Bitbucket Pipelines and composer install stopped with:

Failed to download *package* from dist: Could not authenticate against [github.com](http://github.com/)

[chriischambers]

@jdavidbakr - me too. I'm wondering if something is down. This has been causing me issues on various repos which had previously passed in pipelines where I have literally just hit re-run and now the issue occurs.

[RLHawk1]

I'm having this happen also on bitbucket pipelines.

[SudoInterno]

same problem here, I'm also using bitbucket pipelines and it started suddenly last night and continues this morning

[j-fulbright]

Seeing this across multiple pipelines and repos. Adding a token seemed to fix it, but this wasn't previously a change that was required.

Would appreciate communication updates

[nik-afa]

same problem in github action and the token has never been used before

[roerjo]

This might work as a temp workaround: https://github.com/composer/composer/issues/8710#issuecomment-604111726

Seems to be working for our setup (much slower though).

[ktomk]

Could anyone of those who have the problem please clarify about which token they are talking about and how they provided it to resolve the issue? Where did you obtain the token? Is it just that what was reported last in February?

I'm just asking because providing the token seems legit to me and well documented in case of the authentication failure message or better to prevent it in the first place for remote git receive hooks that spin new build environments (Microsoft Gitub Actions, Atlassian Bitbucket Cloud Pipelines Plugin etc.). Compare for example with the documentation of the Setup PHP Github Action that also installs Composer and has a note extactly on the token about it.

With the exception of major versions of composer, if you specify only the major version or the version in major.minor format for a tool you can get rate limited by GitHub's API. To avoid this, it is recommended to provide a GitHub OAuth token. You can do that by setting GITHUB_TOKEN environment variable. (ref)

And more specifically: (ref)

GitHub Composer Authentication If you have a number of workflows which set up multiple tools or have many composer dependencies, you might hit the GitHub's rate limit for composer. Also, if you specify only the major version or the version in major.minor format, you can hit the rate limit. To avoid this you can specify an OAuth token by setting GITHUB_TOKEN environment variable. You can use GITHUB_TOKEN secret for this purpose.

Despite this is related to Gihub Actions, the rate-limiting mentioned is independent and applies both locally as well as remotely, e.g. in Pipelines. Hope this helps to clarify and show that this likely is the case and perhaps the rate limiting got sharper.

Back a couple of years ago it also worked for me without a token. But then one day the internet broke down (Github had a rate-limit misconfiguration IIRC) and since then I'm using the token.

Next to that there were some changes on Github in regard to logins recently, maybe this is related? Has anyone of you contacted Github as it seems they now require the token for yours while they didn't beforehand and therefore why not also ask them as they run the service Composer is authenticating against (if even). If they report an important change back to you, please share here all the clarifications so that it can be done in a good way and everyone can benefit from the information and further improvements.

[jdavidbakr]

I have always provided a token in my CI/CD, injecting it as a variable and have this step in the Jenkinsfile before the composer install call:

php composer.phar config -g github-oauth.github.com $GITHUB_KEY

I rotated my key to see if that was the issue but am still getting the error and am unable to install the composer packages in Jenkins. My composer install is this:

php composer.phar install --no-interaction --no-progress --prefer-dist

[anthony-munozm]

Having issue on my side too:

Failed to download yajra/laravel-datatables-oracle from dist: Could not authenticate against github.com

Step #0 - "Build": Now trying to download from source Step #0 - "Build": 159/164 [===========================>] 96% Failed to download yajra/laravel-datatables-oracle from dist: Could not authenticate against github.com Step #0 - "Build": Step #0 - "Build": Now trying to download from source Step #0 - "Build": Failed to download tymon/jwt-auth from dist: Could not authenticate against github.com Step #0 - "Build": Now trying to download from source Step #0 - "Build": Failed to download lcobucci/jwt from dist: Could not authenticate against github.com Step #0 - "Build": Now trying to download from source Step #0 - "Build": Failed to download namshi/jose from dist: Could not authenticate against github.com Step #0 - "Build": Now trying to download from source Step #0 - "Build": Failed to download superbalist/laravel-google-cloud-storage from dist: Could not authenticate against github.com Step #0 - "Build": Now trying to download from source Step #0 - "Build": Failed to download league/flysystem-cached-adapter from dist: Could not authenticate against github.com Step #0 - "Build": Now trying to download from source Step #0 - "Build": Failed to download superbalist/flysystem-google-storage from dist: Could not authenticate against github.com Step #0 - "Build": Now trying to download from source Step #0 - "Build": Failed to download simplehtmldom/simplehtmldom from dist: Could not authenticate against github.com Step #0 - "Build": Now trying to download from source Step #0 - "Build": Failed to download sentry/sentry-laravel from dist: Could not authenticate against github.com Step #0 - "Build": Now trying to download from source Step #0 - "Build": Failed to download sentry/sentry from dist: Could not authenticate against github.com Step #0 - "Build": Now trying to download from source Step #0 - "Build": Failed to download symfony/http-client from dist: Could not authenticate against github.com Step #0 - "Build": Now trying to download from source Step #0 - "Build": Failed to download symfony/http-client-contracts from dist: Could not authenticate against github.com Step #0 - "Build": Now trying to download from source

Many repos and libraries are down.

[ktomk]

@anthony-munozm: Are you using a token, did you use a token previously? and where did you obtain the token?

[j-fulbright]

I am absolutely okay with needing to add a token, but would like this communicated, since it caused all of our processes to fail overnight. Not the kind of early morning phone calls I like to get..

[stof]

Well, composer did not changer anything to require a token. But maybe github change the rate limiting rules.

[ktomk]

@j-fulbright: Yes when this happens unplanned and it affects distributed automated systems, and then perhaps quite some of it, it can be very cumbersome. So thanks for communicating with others. What I wonder a bit about is whether or not a token was in use as what jdavidbakr commented 21 minutes ago seems to suggest that the issue is currently also appearing with a token. [not the case, it looks like that is was a problem to configure the token, the token does work]

In the past it helped to contact Github support and it then took ca. three hours.

[anthony-munozm]

@anthony-munozm: Are you using a token, did you use a token previously? and where did you obtain the token?

no sir @ktomk , i did not use a token for github because my pipelines are using bitbucket, so having a token for libraries that are just dependencies on another git provider makes not sense, but if that is the only solution we would explore it.

I would say this is an issue that would be probably fixed soon by composer devs

[ktomk]

@anthony-munozm: This is for Composer downloading from Github.com, this is not a git provider. Git providers you would need to integrate with Bitbucket directly, this is just Composer sending network requests. Compare you're using file_get_contents(https://...) and it returns false because the HTTP code is 403 and by default this turns into false. Would you then sit there and say: Well the PHP core devs will fix file_get_contents() soon? I rather guess not... . So perhaps it's better you try with the token at least in one pipeline to see if it works instead of waiting for "the composer devs" whoever that is.

[anthony-munozm]

@anthony-munozm: This is for Composer downloading from Github.com, this is not a git provider. Git providers you would need to integrate with Bitbucket directly, this is just Composer sending network requests. Compare you're using file_get_contents(https://...) and it returns false because the HTTP code is 403 and by default this turns into false. Would you then sit there and say: Well the PHP core devs will fix file_get_contents() soon? I rather guess not... . So perhaps it's better you try with the token at least in one pipeline to see if it works instead of waiting for "the composer devs" whoever that is.

Well, passing a token for a third party that my project is not requiring directly is not a good solution neither and add extra layer of issues for future. This is something that should not happen. If this is not on composer side, then it is on github side. But hundreds of users are affected, you cannot just say... "hey guys, add tokens"

[jdavidbakr]

I was able to get it to run with the GitHub token by adding su docker to the commands ... so either it's been resolved, or I was unsuccessfully attaching the token previously and it just didn't ever complain.

[ktomk]

@jdavidbakr That sounds that the config command couldn't store it. You can verify that in config.json / composer.json within COMPOSER_HOME (composer config --global home) and also verify everything is in order for a non-su workflow (or consider docker secrets, don't know how you run your build pipeline there). /E: And thanks for the update.

[stof]

@anthony-munozm your project downloads packages from github because many packages available on packagist.org are hosted on github. And adding an authentication token is actually the solution due to the way the github rate-limiting works: authenticated calls have a per-user rate limit. Unauthenticated calls have a per-IP rate limit that is hundred times lower.

[monelgordillo]

I'm getting the same issue.

[anthony-munozm]

@anthony-munozm your project downloads packages from github because many packages available on packagist.org are hosted on github. And adding an authentication token is actually the solution due to the way the github rate-limiting works: authenticated calls have a per-user rate limit. Unauthenticated calls have a per-IP rate limit that is hundred times lower.

Allright sir @stof, i will wait few more hours, i am not on a rush. If you suggest that is the best and only solution on short term (1-7 days) i will follow it. Appreciate all your help guys and team.

[anthony-munozm]

Btw, this is working now and i did nothing more than just retry, so that confirmed it is rate limit issue on github. :)

[cwillhelm-roofr]

This still isn't working through CircleCI.

[qboot]

As said in some previous comments, it's possible to increase the GitHub rate limiting during composer install by authenticating with a personal access token:

1. Create a personal access token in your GitHub Settings > Developer Settings > Personal access tokens (classic) without any particular scopes
2. Add it to your CI env vars: GITHUB_TOKEN=your_token
3. Set it in your CI, before launching composer install. For instance: composer config --global github-oauth.github.com $GITHUB_TOKEN
4. Then run composer install and it should not hit any rate limits.

Note: Before this morning we were not using any token in our CI for composer / GitHub auth, it seems like the rate limit has been lowered by GitHub or something else has been changed but we never had to be authenticate before today for performing a composer install.

[ktomk]

@qboot Thanks for sharing and the detailed explanation. IIRC there is also the COMPOSER_AUTH environment variable.

[mreduar]

Same problem here started today morning. Thank you @qboot

[Seldaek]

I hope some of you have notified GitHub support of this instead of just ranting here, because there is literally nothing we can do to help fix this.

[chriischambers]

I've had 2 repos pass this morning that were failing. I've not made any changes so maybe the issue is fixed?

[fredden]

@cwillhelm-roofr

That's why it would have been nice to have some communication around this.

Please raise this with GitHub support.

Additionally, if it's an intermittent issue or misconfiguration of the rate-limiting on the Github side, and it "fixes itself" -- all of our work and setbacks regarding updating our pipelines would have been pointless.

No, it won't have been pointless. You'll be subject to a different (higher, unaffected by other users) rate limit - thus safeguarding you against any future changes to the unauthenticated (lower, per-IP) rate-limit.

[barryvdh]

I got this reply, should be fixed now?

GitHub (GitHub Support) Oct 6, 2023, 9:45 AM UTC

Hi Barry,

Thank you for reaching out!

We received some reports earlier and a fix was implemented. If you are still seeing an error, can you share with us the IP address where those requests are coming from, so we can have a closer look?

Regards,

Oluwaseun GitHub Support

[ktomk]

Thanks to everyone involved. In case this happens again:

1. Contact Github Support (e.g. GitHub Support > How can we help?) and tell them about the issue and provide the IP address as Github sees it. Check your builds service support for outbound IPs and how to obtain them, often there are multiple and the better the report, the better the results (exemplary: Atlassian Bitbucket Docs). Thankfully @barryvdh did last time!
2. Understand the issue. Does your pipeline runs composer diagnose? If not, add it in front to fail fast. It tells you if the environment is affected by Github Rate-Limiting or not (and other things you want to have in your build logs). Let me repeat: Run composer diagnose. And spread the word about it.
3. Review the five general points in troubleshooting Composer (and the rest of the list). To run composer diagnose is part of it as well as the Composer troubleshooting guidelines have the API rate limit and OAuth tokens section, too.

It's your own decision whether you want to make use of tokens, and your own obligation how to handle failures of remote systems. My pipelines run offline (Shameless self-plug.)

Bitbucket Pipelines Composer Example

On other platforms things may look different, especially in the details, the pipelines YAML should be easy to grasp anyway. There is no magic in here. ~~~yaml pipelines: custom: example: - step: image: docker.io/composer:2.6.5 # <1> script: - php -r 'readfile($argv[1]) && print("\n");' "https://api.ipify.org/" # <2> - composer diagnose # <3> # - ... # - step: ... ~~~ 1. The composer version as a build dependency is _pinned_.¹ 2. Show the IP as Github sees it (nb. non-failing).² 3. Run `composer diagnose`, here early in the pipeline, to check preconditions, it exits non-zero (cf. _[fail-fast](https://en.wikipedia.org/wiki/Fail-fast)_). Excerpt from the pipelines log ([gist]): ~~~text ... + php -r 'readfile($argv[1]) && print("\n");' "https://api.ipify.org/" 34.216.18.129 + composer diagnose Checking composer.json: OK Checking platform settings: OK Checking git settings: OK git version 2.40.1 Checking http connectivity to packagist: OK Checking https connectivity to packagist: OK Checking github.com rate limit: OK Checking disk free space: OK Checking pubkeys: Tags Public Key Fingerprint: 57815BA2 7E54DC31 7ECC7CC5 573090D0 87719BA6 8F3BB723 4E5D42D0 84A14642 Dev Public Key Fingerprint: 4AC45767 E5EC2265 2F0C1167 CBBB8A2B 0C708369 153E328C AD90147D AFE50952 OK Checking composer version: OK Composer version: 2.6.5 PHP version: 8.2.11 PHP binary path: /usr/local/bin/php OpenSSL version: OpenSSL 3.1.3 19 Sep 2023 cURL version: 8.3.0 libz 1.2.13 ssl OpenSSL/3.1.3 zip: extension present, unzip present, 7-Zip present (7z) ... ~~~ 1. The outgoing IP is `34.216.18.129`, [documented Bitbucket Outbound IPv4 (is `34.216.18.129/32`)][Atlassian Bitbucket Docs]. 2. `composer diagnose` _"Checking github.com rate limit: OK"_, that is [`DiagnoseCommand::getGithubRateLimit()`][CCDCGGRL] (now supports offline mode, it pays to contribute to Composer.) [Github Rate Limit API documentation](https://docs.github.com/en/free-pro-team@latest/rest/rate-limit/rate-limit?apiVersion=2022-11-28). What this example does not show is how to make use of your Microsoft Github Token. Bitbucket allows to configure project (repository), team (org-wide) variables, e.g. you can set the token for all repositories at once with [the `COMPOSER_AUTH` environment variable](https://getcomposer.org/doc/articles/authentication-for-private-packages.md#authentication-using-the-composer-auth-environment-variable). If you have more troubleshooting requirements you can make use of [Tunshell] to open a remote shell and quickly inspect each environment, e.g. test manually first if the token makes a difference and how you can get it to work. @qboot [commented with more details how to obtain and setup the token](https://github.com/composer/composer/issues/9084#issuecomment-1749470761). [CCDCGGRL]: https://github.com/composer/composer/blob/db53c65986cc9f4f1437cee965f4e5e576362d7a/src/Composer/Command/DiagnoseCommand.php#L344-L364 "Composer\Command\DiagnoseCommand::getGithubRateLimit()" [Tunshell]: https://tunshell.com/ [gist]: https://gist.github.com/ktomk/9887d5503909ff12cb909f64da3283f5 --- ¹ Compare [`composer self-update 2.6.5`](https://getcomposer.org/doc/03-cli.md#self-update-selfupdate) or bare clone and fetch & reset to tag (all shallow) at place of use. Scripted composer install or the many other options. Important is to pin the version. ² I'm not affiliated with that API service nor do I want to recommend it specifically. It is a proof of concept and allowed me to confirm against the pipelines services providers technical documentation. Better check with your CI service if they provide a dedicated endpoint to obtain the outbound IP for the environment your concrete build run is running in or if it is not already part of the logs. Double check before creating a support request with Github.

To Token Or Not To Token?

Without Token: > For unauthenticated requests, the rate limit allows for up to 60 requests per hour. Unauthenticated requests are associated with the originating IP address, and not the person making requests. ([ref][limit]) With Token: > User access token requests are limited to 5,000 requests per hour and per authenticated user. ([ebd][limit]) [limit]: https://docs.github.com/en/rest/overview/resources-in-the-rest-api?apiVersion=2022-11-28#rate-limits-for-requests-from-personal-accounts "Rate limits for requests from personal accounts - Resources in the REST API - Github Docs"

---

• Run composer diagnose.
• Contact Github Support with your outbound IP address.

[raphaelokon]

@ktomk I am specifying a fine-grained PAT to install a composer package from private repo and I am hitting the Could not authenticate against github.com nevertheless. I tried to expose the token via COMPOSER_AUTH and via setting the token in the CLI, but no luck. Do I need to use a fully fledged personal access token? Have someone got this working with fine-grained personal access tokens?

[kumarh123]

See https://github.com/shivammathur/setup-php#composer-github-oauth which might help. @Seldaek How do i authenticate depencdency packages to download defined in composer.json using ssh keys instead of github auth classic pats please ?