4 comments

[ 3.1 ms ] story [ 23.6 ms ] thread
Composer makes it hard [0] to offer an artifact service for it because it authenticates per-domain, not per-package. For example, if you required 2 private packages from GitHub from php.pkg.github.com, you wouldn't be able to authenticate with both separately. You can only authenticate with php.pkg.github.com, not php.pkg.github.com/org-1/package and php.pkg.github.com/org-2/package.

It's not ideal, but the workaround for this is to use subdomains:

- org-1.php.pkg.github.com/package

- org-2.php.pkg.github.com/package

I wonder if that had any impact on their decision.

[0]: https://github.com/keygen-sh/keygen-api/issues/490

You can authorize SSO for both orgs for the same personal access token. But I guess if you are using two different github accounts for the two orgs, that won't work.
Not just PHP, looks like they have the same token comment on PyPi, Helm and generic package support