Have you tried using a global auth.json that’s outside of your repo but still available to Composer? I do this myself, and have no issues deploying everything with Trellis (in my case to Kinsta).
- I create a personal access token (not an oauth token) in GitLab. I only give it the
- Add it to composer with composer config --global gitlab-token.gitlab.com <token> (documentation here and here)
composer.json contains vcs-type repositories with normal https:// URLs:
Composer and GitLab also support deploy tokens if you’ve got an automated deploy job that only needs access to a single project or group. I haven’t experimented with those yet, but it’s the same principle.
I imagine the SSH forwarding way would work, too, but personally I like my method because it minimizes the permissions available at every step without having to manage a bunch of SSH keypairs. SSH agent forwarding brings along its own set of security concerns, since anything with root access on the forwarding server has access to your local ssh agent and can authenticate as you. If you’ve got all your server identities saved in the agent, that could be a significant concern.
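An added example, not part of the original post: a small Python audit for the setup described above, checking that Composer credentials live only in the global auth.json and not in the project. The directory layout, project names and token values are constructed placeholders, and the set of credential keys is a partial selection of what Composer accepts.

```python
import json, os, stat, tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Some of the credential-bearing keys Composer accepts in auth.json / "config".
AUTH_KEYS = {"gitlab-token", "gitlab-oauth", "github-oauth", "http-basic", "bearer"}

def audit(project_dir, composer_home):
    """Return a list of findings about where Composer credentials live."""
    project, home = Path(project_dir), Path(composer_home)
    findings = []
    if (project / "auth.json").exists():
        findings.append("project auth.json present (keep it out of the repo)")
    manifest = json.loads((project / "composer.json").read_text())
    for key in sorted(AUTH_KEYS & set(manifest.get("config", {}))):
        findings.append(f"composer.json config contains {key}")
    repos = manifest.get("repositories", [])
    if isinstance(repos, dict):  # Composer also accepts an object keyed by name
        repos = list(repos.values())
    for repo in repos:
        url = repo.get("url", "") if isinstance(repo, dict) else ""
        parts = urlsplit(url)
        if parts.username or parts.password:
            findings.append(f"credentials embedded in repository URL for {parts.hostname}")
    global_auth = home / "auth.json"
    if global_auth.exists():
        mode = stat.S_IMODE(global_auth.stat().st_mode)
        if mode & 0o077:  # any group/other permission bit set
            findings.append(f"global auth.json mode {mode:o} is readable by other users")
    return findings

def demo():
    """Constructed sample: one clean project, one with a token in the URL."""
    with tempfile.TemporaryDirectory() as tmp:
        home, good, bad = (Path(tmp, n) for n in ("home", "good", "bad"))
        for d in (home, good, bad):
            d.mkdir()
        (home / "auth.json").write_text('{"gitlab-token": {"gitlab.com": "PLACEHOLDER"}}')
        os.chmod(home / "auth.json", 0o644)  # deliberately too permissive
        repo = {"type": "vcs", "url": "https://gitlab.com/example-group/example-plugin"}
        (good / "composer.json").write_text(json.dumps({"repositories": [repo]}))
        leaky = dict(repo, url="https://oauth2:PLACEHOLDER@gitlab.com/example-group/example-plugin")
        (bad / "composer.json").write_text(json.dumps({"repositories": [leaky]}))
        return audit(good, home), audit(bad, home)

if __name__ == "__main__":
    for result in demo():
        print(result)
```

Point `audit()` at a real checkout and at your Composer home directory to run the same checks before a deploy.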