"Blocked mirror for repositories" error even though using HTTPS URL in repository settings

Question

Because one of my test playground projects needs a few dependencies from a repository other than Maven Central, I added this to my POM:

<repository>
  <id>jenkins-releases</id>
  <name>Jenkins Releases</name>
  <url>https://repo.jenkins-ci.org/releases/</url>
  <releases>
    <updatePolicy>never</updatePolicy>
  </releases>
  <snapshots>
    <enabled>false</enabled>
  </snapshots>
</repository>

This works locally, but not in GitHub workflows, see e.g. this build log. In each of the build matrix logs, there is the same error:

org.eclipse.aether.transfer.NoRepositoryConnectorException:
  Blocked mirror for repositories:
    [repo.jenkins-ci.org (http://repo.jenkins-ci.org/public/, default, releases+snapshots)]

I am puzzled, not because HTTP URLs are being blocked by Maven 3.8.1+, which is a known fact, but because I configured https://, not http://. So why is Maven still trying to resolve an unencrypted URL? Is there some kind of redirection on the server that I am unaware of? A curl -v -L call did not reveal anything suspisious, and I can also browse the repository URL normally under HTTPS in a web browser.

I am aware of this question, but the answers are not helping me to understand the problem at hand. So do not quickly judge this one as a duplicate, because it is not about how to disable HTTP blocking in Maven 3.8.1+, but about why I am running into this problem when not even using an HTTP repository.

As it only happens on GitHub Actions, is that a GitHub-specific problem? Do they block anything which my local workstation does not block?

Answer 1

I found out the reason after I understood this log line better:

Failed to collect dependencies at
  org.jenkins-ci.main:jenkins-core:jar:2.102
    -> org.jenkins-ci:trilead-ssh2:jar:build-217-jenkins-11
    -> org.connectbot.jbcrypt:jbcrypt:jar:1.0.0:
  Failed to read artifact descriptor for org.connectbot.jbcrypt:jbcrypt:jar:1.0.0:
    Could not transfer artifact org.connectbot.jbcrypt:jbcrypt:pom:1.0.0
    from/to maven-default-http-blocker (http://0.0.0.0/):
      Blocked mirror for repositories:
      [repo.jenkins-ci.org (http://repo.jenkins-ci.org/public/, default, releases+snapshots)]

I followed the dependency trail, inspecting the corresponding POMs, and indeed in the POM of trilead-ssh2 I saw a plain HTTP repository configuration. So it was not my own configuration, which was wrong, but that of a dependency.

Probably, defining a dummy mirror suppressing the default blockade would have helped, but in my case I could upgrade jenkins-core to a more recent version that no longer depends on libraries with HTTP repositories in their POMs.