"i presume i'm not the only one..." <- i finally managed it, this does the trick (in the GH workflow file): ```yaml env: # config needed to allow referencing private git dependencies in `Cargo.toml` CARGO_NET_GIT_FETCH_WITH_CLI: true GIT_CONFIG_COUNT: 2 GIT_CONFIG_KEY_0: "credential.https://github.com/.helper" GIT_CONFIG_VALUE_0: '!f() { test "$1" = get && echo "password=${{ secrets.TOKEN }}"; }; f' GIT_CONFIG_KEY_1: "credential.https://github.com/.username" GIT_CONFIG_VALUE_1: "${{ secrets.TOKEN_USERNAME }}" ``` with that you can then use cargo commands which pick up the token. this is _way_ uglier than anticipated. there's a blog post about how to use private git deps but which doesn't talk about CI systems. that's where i found the trick with the custom credential helper: https://fahn.co/posts/cargo-auth-for-private-git-repos.html