13

I am the maintainer of a public GitHub repo. I have set up GitHub Actions to build a publish to GitHub Packages. You can see the package has been created here:

https://github.com/paulschwarz/spring-dotenv/packages/135114

The first thing I notice is that GitHub only gives a Maven installation snippet. I used this code to add the dependency to another project and it appeared to work.

Now I want to import this package into a Gradle project. I added 

dependencies {
  implementation ('me.paulschwarz:spring-dotenv:0.0.3')
}

and gradle tells me

Could not find me.paulschwarz:spring-dotenv:0.0.3.
     Searched in the following locations:
       - https://jcenter.bintray.com/me/paulschwarz/spring-dotenv/0.0.3/spring-dotenv-0.0.3.pom
       - https://repo.maven.apache.org/maven2/me/paulschwarz/spring-dotenv/0.0.3/spring-dotenv-0.0.3.pom

This is already strange because my Maven project appeared to have no problem resolving the dependency. I must say I'm curious how that worked? Surely GitHub Packages isn't integrated with JCenter or Maven Central?

Anyway, next step, add the repository

repositories {
    jcenter()
    mavenCentral()
    maven { url = uri('https://maven.pkg.github.com/paulschwarz/spring-dotenv') }
}

At this point, Gradle should understand where to find the package. However, I get this

      > Could not resolve me.paulschwarz:spring-dotenv:0.0.3.
         > Could not get resource 'https://maven.pkg.github.com/paulschwarz/spring-dotenv/me/paulschwarz/spring-dotenv/0.0.3/spring-dotenv-0.0.3.pom'.
            > Could not GET 'https://maven.pkg.github.com/paulschwarz/spring-dotenv/me/paulschwarz/spring-dotenv/0.0.3/spring-dotenv-0.0.3.pom'. Received status code 401 from server: Unauthorized

Is this really a 401 unauthorized? or is the URL wrong and it's trying to hit an authorized endpoint?

If it's genuine, then why? This is a public repo with public packages. I can download the package directly from the GitHub page anonymously. What am I doing wrong in Gradle?

Paul Schwarz
  • 1,828
  • 1
  • 15
  • 24
  • 1
    I read on the github documentation page that in fact authentication appears to be necessary even for installing the package. This seems a little odd to me. What's the point of having public packages then? I don't need to authenticate against Maven Central. – Paul Schwarz Feb 25 '20 at 18:27
  • 1
    Hi, GH registry is still young, and there are some issues with some authentication use cases. Keep in mind though, that being a public repository is not the goal of GH registry, since those already exist and are set by default in the various package managers (npmjs.org, Docker Hub, Maven Central ...). The primary use case is for the private packages, for which you will have to do some configuration in any case. – Romain Prévost Apr 15 '20 at 13:53
  • 1
    I thought using GitHub packages would be an easy way to make libraries I've written publicly accessible. Looks like I might have to publish then on maven central, which is a pain to do from what I've read. – Andrew Kelly Aug 13 '20 at 05:09

3 Answers3

6

As you have observed, GitHub doesn't support unauthorized package access right now (but planned in future) as explained by one of their staff (May 27 '20):

Our Maven service doesn’t allow for unauthorized access right now. We plan to offer this in the future but need to improve the service a bit before that.

For Actions you can add a PAT to your secrets store or use the GITHUB_TOKEN to authenticate. In your settings.xml we suggest using the environment variable approach (see setup-java 4) so you don’t store the tokens in the file.

Steven Jeuris
  • 18,274
  • 9
  • 70
  • 161
  • 2
    Another thread with many people requesting the same on Github Community: [Download from Github Package Registry without authentication](https://github.community/t/download-from-github-package-registry-without-authentication/14407) – Steven Jeuris Aug 17 '20 at 08:23
2

As mentioned above you need to authenticate to GitHub Packages.

ext {
  GITHUB_TOKEN = System.getenv("GITHUB_TOKEN")
}

maven {
  url "https://maven.pkg.github.com/paulschwarz/spring-dotenv"
  credentials {
    username GITHUB_USER
    password GITHUB_TOKEN
  }
}

Where GITHUB_USER is defined in your gradle.properties and GITHUB_TOKEN is defined as an environment variable. GITHUB_TOKEN is available inside your GitHub Actions workflow file as ${{ secrets.GITHUB_TOKEN }}

You will have to define it yourself when running locally.

Delta George
  • 2,560
  • 2
  • 17
  • 11
0

In my case, I'm using Maven. After researching around, ended up that I need to generate a GitHub token instead of using the plain GitHub user login password one.

Alex
  • 601
  • 8
  • 22