We use CircleCI to build our PHP app prior to deployment. One of the requirements in composer is a module stored in a private repository on Bitbucket.
Currently we store the credentials inside composer.json which is far from ideal.
The problem is that I can find no better solution for managing these credentials for repo access during the build. I'm assuming I can use an environment variable or similar.
The environment variable COMPOSER_AUTH is available to pass any number of authentication methods to composer and allows any keys or secrets to be managed outside of the repo.
In my example, to authenticate with bitbucket, the var looked like this:
export COMPOSER_AUTH='{"bitbucket-oauth": {"bitbucket.org": {"consumer-key": "xxxxxx","consumer-secret": "xxxxxx"}}}' (see: documentation)
CircleCi (and I'd assume most CI apps) has an environment variable settings page. Add the variable and value there and then you can remove the entire "bitbucket-oauth" block from composer.json.