composer/packagist

SSH source URLs being used for github.com

oschwald opened this issue · 2 comments

Starting in 2022, our packages switched from URLs like https://github.com/maxmind/GeoIP2-php.git to git@github.com:maxmind/GeoIP2-php.git in the JSON provided by Packagist:

Release from 2021-11-30

            "name": "geoip2/geoip2",
            "version": "v2.12.2",
            "source": {
                "type": "git",
                "url": "https://github.com/maxmind/GeoIP2-php.git",
                "reference": "83adb44ac4b9553d36b579a14673ed124583082f"
            },

Release from 2022-08-05

            "name": "geoip2/geoip2",
            "version": "v2.13.0",
            "source": {
                "type": "git",
                "url": "git@github.com:maxmind/GeoIP2-php.git",
                "reference": "6a41d8fbd6b90052bc34dff3b4252d0f88067b23"
            },

This has resulted in issues for some users.

We did not intentionally make any changes, and I have looked at both the package configuration on packagist.org as well as our composer.json file. I have not been able to determine the root cause of this. We are seeing it on geoip2/geoip2, maxmind/minfraud, and maxmind-db/reader.

I am sure we are doing something wrong or unusual. I have looked at a number of other packages hosted on GitHub and I haven't seen any that are using SSH source URLs. I don't think we changed anything on packagist.org. The repo changes between the two releases look unrelated, except maybe that we switched our Git submodule from git://github.com/maxmind/MaxMind-DB.git to https://github.com/maxmind/MaxMind-DB (which is used in tests) due to new requirements from GitHub. However, it is my understanding that Packagist and Composer ignore submodules, and I would have assumed this would not cause the issue above.

Interestingly, the cause is shown in the update log:

GitHub API token requires SSO authorization. Authorize this token at https://github.com/enterprises/maxmind/sso?authorization_request=...

Updated from https://github.com/maxmind/GeoIP2-php using Composer\Repository\Vcs\GitHubDriver (via GitDriver fallback instance)

So, due to your organization requiring SSO, our update process broke and reverted to updating via git clone, as the GitHub API token was not usable.

I have now fixed it to detect those invalid tokens and bypass them instead, and have force-updated all URLs for the package so it should be all good now.
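The two halves of this thread describe one failure chain: a GitHub API token that is valid but not yet authorized for the organization's SAML SSO gets a 403 carrying an `X-GitHub-SSO: required; url=...` header, the API-based driver gives up, and the git-clone fallback records the repository's SSH URL as the package `source`. The following is an added example, not code from the Packagist or Composer projects, showing both the check a mirror or updater would want before trusting such a token and a scan that flags SSH `source` URLs in Packagist-style `packages` JSON so consumers can rewrite them to HTTPS. The response headers and the package JSON are constructed samples (the SSO URL uses a placeholder enterprise and request id; the JSON is unminified and reuses only the versions and commit references quoted in this issue); all function names are this example's own.

```python
"""Added example: detect SSO-blocked GitHub tokens and SSH source URLs in package metadata."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of the headers GitHub sends with a 403 when a token exists
# but has not been authorized for the organization's SAML SSO (not a real capture).
SSO_REQUIRED_HEADERS = {
    "X-GitHub-SSO": "required; url=https://github.com/enterprises/example/sso?authorization_request=abc123",
}

# scp-like git URL: user@host:path  (e.g. git@github.com:owner/repo.git)
SCP_LIKE = re.compile(r"^(?P<user>[^@/:]+)@(?P<host>[^:/]+):(?P<path>.+)$")


def sso_authorization_url(status: int, headers: Dict[str, str]) -> Optional[str]:
    """Return the SSO authorization URL if the API rejected the token for missing SSO, else None."""
    if status != 403:
        return None
    value = next((v for k, v in headers.items() if k.lower() == "x-github-sso"), None)
    # "partial-results; organizations=..." is a different, non-fatal condition.
    if value is None or not value.startswith("required;"):
        return None
    match = re.search(r"url=(\S+)", value)
    return match.group(1) if match else None


def token_is_usable(status: int, headers: Dict[str, str]) -> bool:
    """True when the request succeeded and no SSO authorization is outstanding."""
    return status < 400 and sso_authorization_url(status, headers) is None


def is_ssh_source(url: str) -> bool:
    """True for ssh:// URLs and scp-like git@host:path URLs, which need an SSH key to clone."""
    return url.startswith("ssh://") or SCP_LIKE.match(url) is not None


def to_https(url: str) -> str:
    """Rewrite an SSH git URL to its HTTPS equivalent; other URLs are returned unchanged."""
    if url.startswith("ssh://"):
        rest = url[len("ssh://"):]
        authority, _, path = rest.partition("/")
        if "@" in authority:          # drop the "git@" user part
            authority = authority.split("@", 1)[1]
        return f"https://{authority}/{path}"
    match = SCP_LIKE.match(url)
    if match:
        return f"https://{match.group('host')}/{match.group('path')}"
    return url


def ssh_sources(packages_json: str) -> List[Tuple[str, str, str]]:
    """Return (package, version, url) for every release whose git source URL uses SSH."""
    data = json.loads(packages_json)
    found = []
    for name, versions in data.get("packages", {}).items():
        for release in versions:
            source = release.get("source") or {}
            url = source.get("url", "")
            if source.get("type") == "git" and is_ssh_source(url):
                found.append((name, release["version"], url))
    return found


# Constructed, unminified sample in the shape of Packagist's "packages" JSON.
SAMPLE_PACKAGES_JSON = json.dumps({
    "packages": {
        "geoip2/geoip2": [
            {"name": "geoip2/geoip2", "version": "v2.13.0",
             "source": {"type": "git",
                        "url": "git@github.com:maxmind/GeoIP2-php.git",
                        "reference": "6a41d8fbd6b90052bc34dff3b4252d0f88067b23"}},
            {"name": "geoip2/geoip2", "version": "v2.12.2",
             "source": {"type": "git",
                        "url": "https://github.com/maxmind/GeoIP2-php.git",
                        "reference": "83adb44ac4b9553d36b579a14673ed124583082f"}},
        ]
    }
})

if __name__ == "__main__":
    url = sso_authorization_url(403, SSO_REQUIRED_HEADERS)
    print("token usable:", token_is_usable(403, SSO_REQUIRED_HEADERS), "authorize at:", url)
    for name, version, ssh_url in ssh_sources(SAMPLE_PACKAGES_JSON):
        print(f"{name} {version}: {ssh_url} -> {to_https(ssh_url)}")
```

An updater that treats an `X-GitHub-SSO: required` 403 the same as a bad token will keep retrying with it; treating it as "token unusable for this organization, fall back to unauthenticated API or clone" is the behaviour the maintainer describes, and the scan above is the consumer-side check for metadata that was published while such a fallback was active.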

Thank you! I would have never guessed that was the cause.