How to pull from private repo in a bitbucket pipeline?

I have a bitbucket pipeline that works well but now on a project I need to pull from a private repository which contains a package that is required in my composer.json.

When I do a composer install in the pipeline, it stops with this error

Failed to execute git clone --no-checkout 'git@bitbucket.org:company/package.git' [...]
  Cloning into '/opt/atlassian/pipelines/agent/build/vendor/company/package'...                                                                                                                                                                                                                                                                                 
  Permission denied (publickey).                                                                                                                                                                                                                                                                                                                                                
  fatal: Could not read from remote repository.                                                                                                                                                                                                                                                                                                                                 
  Please make sure you have the correct access rights                                                                                                                                                                                                                                                                                                                           
  and the repository exists. 

The pipeline do not have any SSH key defined so it's not allowed to pull, but how could I define one since it's ephemeral?

Or maybe I should define the requirement otherwise?

• Add a deployment key (public SSH key) to the private repository
• Add that key’s corresponding private key (Base64-encoded) as environment variable in the repo that has the Pipeline. Ideally, this should be marked as protected, which will hide it.
• Use the environment variable (Base64-decoded) in the Pipeline. Ususally, that means something like writing it to the user’s .ssh directory.

That should be enough to get it running.

Moreover, I’ve just seen that there is now (maybe this is new, but I’m not sure) a new page “Settings” > “Pipelines” > “SSH keys” for managing pipelines SSH keys. This way, you wouldn’t even need to add the private key to the docker image you are using. But I haven’t used that so far, so I can’t say anything about it.