GitLab CI - composer install on private repo

I'm trying to set up GitLab CI for a project I'm working on (PHP - Symfony 4 / MySQL). I've got the .gitlab-ci.yml file created with the necessary steps to prepare a Docker image. One of the steps is to run composer install - this should normally install a bunch of linked code, a few of which come from private repositories (also stored on GitLab).

I'm trying to work out the current best practice for allowing the GitLab CI runner to clone this code from its private repo. I see references in other Stack Overflow posts to the ${CI_JOB_TOKEN} variable, but seem to be missing the connecting bits of information to make it work - for example, do I need to modify the private repos to access this variable as a deploy token somehow, or does this happen automatically as GitLab is cloning code from its own servers?

Does anyone have a complete example of a .gitlab-ci.yml file that can clone code from a private repo using composer? If it's relevant, there are 4 private repos I need to clone, and I will need to have the same CI setup for many projects that rely on these base libraries.

fistameeny asked Dec 31 '22 20:12


1 Answer

I managed to resolve this after reading this page a few more times - https://docs.gitlab.com/ee/user/project/new_ci_build_permissions_model.html

It mentions that the user that pushes the code is the user that the CI task runs as. Using this knowledge and the CI_JOB_TOKEN variable that is automatically available, I added the following to my before_script:

git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com/".insteadOf "git@gitlab.com:"

...and then in my composer.json, added the list of repositories I wanted to use (using the "repositories": [] key), as this allowed me to force them to use https to check out instead of the ssh that I use locally.

This combination now allows me to run the CI tasks and pull code from the private repositories without permissions issues - no need for deploy keys or tokens.

fistameeny answered Jan 05 '23 06:01
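
An added example, not part of the original answer: a sandboxed, offline check of what the insteadOf rule from the before_script line does to the URLs composer hands to git, including an ssh:// form that the rule does not match. The token value, group/private-lib and example.org are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example with constructed values: the token, group/private-lib and
# example.org/other/repo are placeholders, not taken from the original post.

# Same rewrite rule as the answer's before_script line; $1 = host, $2 = job token.
configure_rewrite() {
    git config --global url."https://gitlab-ci-token:$2@$1/".insteadOf "git@$1:"
}

# URL git would really contact for $1 once insteadOf rules are applied (no network).
effective_url() {
    git ls-remote --get-url "$1"
}

# Replace the password part of an https URL so the result is safe to log.
mask_token() {
    printf '%s\n' "$1" | sed -E 's#(https://[^:/@]+:)[^@]+@#\1[MASKED]@#'
}

# Run the check in a throwaway HOME so the real ~/.gitconfig is never touched.
# Prints the masked effective URL for $1 (a URL as composer would pass it to git).
check_rewrite() {
    (
        sandbox=$(mktemp -d) || exit 1
        HOME=$sandbox
        export HOME GIT_CONFIG_NOSYSTEM=1
        unset XDG_CONFIG_HOME
        cd "$sandbox" && git init -q . || exit 1
        configure_rewrite gitlab.com "${CI_JOB_TOKEN:-constructed-token-123}"
        mask_token "$(effective_url "$1")"
        cd / && rm -rf "$sandbox"
    )
}

check_rewrite "git@gitlab.com:group/private-lib.git"       # rewritten to HTTPS with the token
check_rewrite "git@example.org:other/repo.git"             # other hosts are left alone
check_rewrite "ssh://git@gitlab.com/group/private-lib.git" # ssh:// form is NOT matched by this rule
```

CI_JOB_TOKEN is only valid while the job runs, and the rule keeps it in the job's global git config rather than in each cloned repository's remote URL. Log only the masked form when debugging.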