Jebel-Quant · tschm · Feb 7, 2026 · Feb 7, 2026 · Feb 7, 2026 · Feb 7, 2026
diff --git a/.github/actions/configure-git-auth/README.md b/.github/actions/configure-git-auth/README.md
@@ -0,0 +1,80 @@
+# Configure Git Auth for Private Packages
+
+This composite action configures git to use token authentication for private GitHub packages.
+
+## Usage
+
+Add this step before installing dependencies that include private GitHub packages:
+
+```yaml
+- name: Configure git auth for private packages
+  uses: ./.github/actions/configure-git-auth
+  with:
+    token: ${{ secrets.GH_PAT }}
+```
+
+The `GH_PAT` secret should be a Personal Access Token with `repo` scope.
+
+## What It Does
+
+This action runs:
+
+```bash
+git config --global url."https://<token>@github.com/".insteadOf "https://github.com/"
+```
+
+This tells git to automatically inject the token into all HTTPS GitHub URLs, enabling access to private repositories.
+
+## When to Use
+
+Use this action when your project has dependencies defined in `pyproject.toml` like:
+
+```toml
+[tool.uv.sources]
+private-package = { git = "https://github.com/your-org/private-package.git", rev = "v1.0.0" }
+```
+
+## Token Requirements
+
+By default, this action will use the workflow’s built-in `GITHUB_TOKEN` (`github.token`) if no `token` input is provided or if the provided value is empty (it uses `inputs.token || github.token` internally).
+
+The `GITHUB_TOKEN` is usually sufficient when:
+
+- installing dependencies hosted in the **same repository** as the workflow, or
+- accessing **public** repositories.
+
+The default `GITHUB_TOKEN` typically does **not** have permission to read other private repositories, even within the same organization. For that scenario, you should create a Personal Access Token (PAT) with `repo` scope and store it as `secrets.GH_PAT`, then pass it to the action via the `token` input.
+
+If you configure the step as in the example (`token: ${{ secrets.GH_PAT }}`) and `secrets.GH_PAT` is not defined, GitHub Actions passes an empty string to the action. The composite action then falls back to `github.token`, so the configuration step itself still succeeds. However, any subsequent step that tries to access private repositories that are not covered by the permissions of `GITHUB_TOKEN` will fail with an authentication error.
+## Example Workflow
+
+```yaml
+name: CI
+
+on: [push, pull_request]
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
+      - name: Install dependencies
+        run: uv sync --frozen
+
+      - name: Run tests
+        run: uv run pytest
+```
+
+## See Also
+
+- [PRIVATE_PACKAGES.md](../../../.rhiza/docs/PRIVATE_PACKAGES.md) - Complete guide to using private packages
+- [TOKEN_SETUP.md](../../../.rhiza/docs/TOKEN_SETUP.md) - Setting up Personal Access Tokens
diff --git a/.github/actions/configure-git-auth/action.yml b/.github/actions/configure-git-auth/action.yml
@@ -0,0 +1,21 @@
+name: 'Configure Git Auth for Private Packages'
+description: 'Configure git to use token authentication for private GitHub packages'
+
+inputs:
+  token:
+    description: 'GitHub token to use for authentication'
+    required: false
+
+runs:
+  using: composite
+  steps:
+    - name: Configure git authentication
+      shell: bash
+      env:
+        GH_TOKEN: ${{ inputs.token || github.token }}
+      run: |
+        # Configure git to use token authentication for GitHub URLs
+        # This allows uv/pip to install private packages from GitHub
+        git config --global url."https://${GH_TOKEN}@github.com/".insteadOf "https://github.com/"
+
+        echo "✓ Git configured to use token authentication for GitHub"
diff --git a/.github/workflows/rhiza_benchmarks.yml b/.github/workflows/rhiza_benchmarks.yml
diff --git a/.github/workflows/rhiza_book.yml b/.github/workflows/rhiza_book.yml
@@ -45,6 +45,11 @@ jobs:
         with:
           version: "0.10.0"
 
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
       - name: "Sync the virtual environment for ${{ github.repository }}"
         shell: bash
         env:

diff --git a/.github/workflows/rhiza_ci.yml b/.github/workflows/rhiza_ci.yml
@@ -33,6 +33,11 @@ jobs:
         with:
           version: "0.10.0"
 
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
       - id: versions
         env:
           UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
@@ -65,6 +70,11 @@ jobs:
           version: "0.10.0"
           python-version: ${{ matrix.python-version }}
 
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
       - name: Run tests
         env:
           UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}
@@ -83,6 +93,11 @@ jobs:
         with:
           version: "0.10.0"
 
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
       - name: Check docs coverage
         env:
           UV_EXTRA_INDEX_URL: ${{ secrets.UV_EXTRA_INDEX_URL }}

diff --git a/.github/workflows/rhiza_codeql.yml b/.github/workflows/rhiza_codeql.yml
@@ -83,6 +83,10 @@ jobs:
     - name: Checkout repository
       uses: actions/checkout@v6.0.2
 
+    - name: Configure git auth for private packages
+      uses: ./.github/actions/configure-git-auth
+      with:
+        token: ${{ secrets.GH_PAT }}
     # Add any setup steps before running the `github/codeql-action/init` action.
     # This includes steps like installing compilers or runtimes (`actions/setup-node`
     # or others). This is typically only required for manual builds.

diff --git a/.github/workflows/rhiza_deptry.yml b/.github/workflows/rhiza_deptry.yml
@@ -32,6 +32,11 @@ jobs:
     steps:
       - uses: actions/checkout@v6.0.2
 
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
       - name: Run deptry
         run: make deptry
         # NOTE: make deptry is good style because it encapsulates the folders to check

diff --git a/.github/workflows/rhiza_marimo.yml b/.github/workflows/rhiza_marimo.yml
diff --git a/.github/workflows/rhiza_mypy.yml b/.github/workflows/rhiza_mypy.yml
@@ -29,6 +29,11 @@ jobs:
     steps:
       - uses: actions/checkout@v6
 
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
       # to brutal for now
       # - name: Run mypy
       #   run: make -f .rhiza/rhiza.mk mypy
diff --git a/.github/workflows/rhiza_pre-commit.yml b/.github/workflows/rhiza_pre-commit.yml
@@ -31,6 +31,11 @@ jobs:
     steps:
       - uses: actions/checkout@v6.0.2
 
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
       # Run pre-commit
       - name: Run pre-commit
         run: |

diff --git a/.github/workflows/rhiza_release.yml b/.github/workflows/rhiza_release.yml
@@ -115,6 +115,11 @@ jobs:
         with:
           version: "0.10.0"
 
+      - name: Configure git auth for private packages
+        uses: ./.github/actions/configure-git-auth
+        with:
+          token: ${{ secrets.GH_PAT }}
+
       - name: Verify version matches tag
         if: hashFiles('pyproject.toml') != ''
         run: |