This document outlines the process for configuring CircleCI to access multiple private GitHub repositories when building and deploying a project with Silta. This is particularly useful when your project depends on private packages or repositories that require separate authentication.
By default, CircleCI can only authenticate with a single GitHub repository using the default deploy key. When your project depends on multiple private repositories (e.g., through Composer dependencies), additional SSH keys must be configured to allow access to these repositories.
We use CircleCI's SSH key management combined with SSH host aliases to allow Composer to authenticate with multiple private GitHub repositories.
- A CircleCI project connected to your GitHub repository
- Admin access to the GitHub repositories you need to access
- Basic understanding of SSH keys and Composer
For each private repository you need to access, generate a unique SSH key pair:
# Create a key for each private repository
ssh-keygen -t ed25519 -f ~/.ssh/repo1_key -C "circleci-repo1"
ssh-keygen -t ed25519 -f ~/.ssh/repo2_key -C "circleci-repo2"For each key:
- Go to your CircleCI project settings:
https://app.circleci.com/settings/project/github/[org]/[project]/ssh - Click "Add SSH Key"
- Enter a hostname alias (e.g.,
github-repo1,github-repo2) - these will be used in SSH config - Paste the private key content (from
~/.ssh/repo1_key,~/.ssh/repo2_key, etc.) - Save the key
- Note the fingerprint of each added key (displayed in the UI)
For each private repository:
- Go to the repository settings:
https://github.com/[org]/[repo-name]/settings/keys - Click "Add deploy key"
- Give it a descriptive title (e.g., "CircleCI Access")
- Paste the public key content (from
~/.ssh/repo1_key.pub,~/.ssh/repo2_key.pub, etc.) - Enable "Allow write access" if your build needs to push to the repository
- Click "Add key"
Update your .circleci/config.yml to use the SSH keys and configure the SSH client:
jobs:
build:
steps:
# Add all the SSH keys you registered
- add_ssh_keys:
fingerprints:
- "SHA256:fingerprint_for_repo1_key"
- "SHA256:fingerprint_for_repo2_key"
# Configure SSH and update Composer references
- run:
name: Configure SSH for multiple repositories
command: |
# Configure SSH to use the correct keys for each host alias
sed -i '/Host github-repo1/a\ HostName github.com' ~/.ssh/config
sed -i '/Host github-repo2/a\ HostName github.com' ~/.ssh/config
# Update repository URLs in composer files to use the host aliases
sed -i 's|git@github.com:wunderio/repo1.git|git@github-repo1:wunderio/repo1.git|g' composer.json
sed -i 's|git@github.com:wunderio/repo1.git|git@github-repo1:wunderio/repo1.git|g' composer.lock
sed -i 's|git@github.com:wunderio/repo2.git|git@github-repo2:wunderio/repo2.git|g' composer.json
sed -i 's|git@github.com:wunderio/repo2.git|git@github-repo2:wunderio/repo2.git|g' composer.lock
# Continue with your build steps
- run:
name: Install dependencies
command: composer install-
SSH Key Management: CircleCI loads the specified SSH keys into the SSH agent.
-
Host Aliases: By configuring SSH host aliases (
github-repo1,github-repo2), we create separate "virtual hosts" that all point togithub.combut use different SSH keys. -
URL Rewriting: We modify the repository URLs in
composer.jsonandcomposer.lockto use these host aliases instead of the defaultgithub.com. -
Authentication: When Composer tries to access a private repository, it uses the corresponding host alias, which triggers SSH to use the correct key for authentication.
- SSH Key Issues: Verify that the fingerprints in your CircleCI config match the keys added in the CircleCI settings.
- Access Denied: Ensure the public keys are correctly added to each GitHub repository.
- URL Rewriting: Check that all repository URLs are correctly updated in both
composer.jsonandcomposer.lock.
- Generate unique keys for each repository to limit the scope of access if a key is compromised.
- Regularly rotate SSH keys as part of your security practices.
- Only grant write access to repositories when absolutely necessary.