## Problem In https://gitlab.com/gitlab-org/gitlab/-/issues/247531 we added `source` to the composer metadata payload to support the [`--prefer-source` option](https://getcomposer.org/doc/03-cli.md#install-i). The first iteration includes the `https` url for cloning a repository. The problem is composer may prompt for login depending on the visibility of the project. ## Solution Composer also supports [ssh urls](https://getcomposer.org/doc/05-repositories.md#using-private-repositories) for private repositories so users can have an ssh key configured and successfully clone the repo. The source section of the metadata is generated [here](https://gitlab.com/gitlab-org/gitlab/blob/master/lib/gitlab/composer/version_index.rb#L50). ### Considerations If a package is completely public, using the ssh url will require a valid ssh key, so http url is preferred. If a package is private, ssh is preferred. We could look at the visibility of the project when deciding which URL to return.