Private sources

To check for updates and apply them, Codario requires access not only to your "manifest" and "lock" files but and to all sources described there.

Private GIT repositories

For example, if you use the extra repository for your Composer project (see below):

"repositories": [
        "url": "ssh://",
        "type": "git"

And if this repository is private, this means that Codario will not be able to handle your project.

To fix it, just add your personal SSH key from this page to the corresponding git repositories (read-access will be enough) and Codario is able to automatically connect to those resources using this SSH key.

Use this approach for all similar cases for other dependencies managers as well.

For example, npm supports the following definition to get @owner/package package from git+ssh:// repository:

"@owner/package": "git+ssh://"

Just add your personal SSH key from "Access Keys" page to that git repository. That's all!

Important: you need to use namely ssh protocol for all private sources.

Private dependency manager repositories

Sometimes, private packages from dependency manager repositories are used (not from git repositories, like for Composer). As a rule, every dependency manager supports a special "option" to provide access to these resources.

Project configs support this option by the following way:

  "extra": {
    "private_data": { ... }

Every dependency manager has an individual way to provide access to private packages. Read all details on Supported dependency managers page.

We highly recommend don't keep secure data directly in extra.private_data because this approach disrupts the security of your project. Instead, use snippets for it.

In the case if you have the corresponding integration (f.e. the integration for gitlab instance), possible to get host, username and token directly via special tokens.