Download from Github Package Registry without authentication

After publish a maven Package on Github Package Registry I can download it as dependency if I my settings.xml filé contains my username and my personal access token.

But how another person can use it without authentication? I thought Github Package Registry was like a maven central repo.

61 Likes

Hi @markenson

Thank you for being here! Currently you need to authenticate to download both public and private packages I’m afraid. We are investigating how, going forwards, beyond the beta we maybe able to offer this functionality, however this could be a way off yet - I’ve added a +1 against this for you, and we’ll let you know as soon as we have an update that we can share surrounding this. Keep an eye on https://github.blog for all updates meanwhile.

27 Likes

Thank you, @andreagriffiths11 !

Knowing that’s only authenticaded operation save (and too much) my time!

I’ll stay tuned about this on blog.

Best regards,

Markenson

4 Likes

You should mention that in the documentation as well. It took me hours to find this thread :frowning:

I think providing a package registry for open source projects that is accessible with authentication only does not make sense. 

34 Likes

Thanks for the feedback @uhafner, I agree and apologies for that. I’ll be sure to pass this feedback to our docs team.

6 Likes

+100

Yes they need something like mavenCentral() to add to the build.gradle/pom.xml.

Otherwise the whole feature is useless IMO.

1 Like

This mandatory authentication is quite strange decision for public NuGet packages. How it’s supposed to work for big decentralized team?

So I want to start using a package from github. And I don’t want to send everyone instructions how to make solution build after it. I can add repository in nuget.config to avoid everyone in team to add github source. What should I use for credentials here - seems keep it empty? But then what? Everyone in team have to create github account and do authentication? So it looks like it’s usable only for personal projects.

6 Likes

That’s unfortunate, but I’m glad to hear you’re looking into the issue. My team also produce Maven artifacts with external consumers, and requiring those consumers to authenticate with a token with our organization’s SSO enabled is stopping us from using GitHub package registry.

7 Likes

It’s not entirely useless, since it’s still convenient for private artifacts, but it’s extremely limiting, for sure.

They’d not only have to use a personal access token, but one that is scoped with “read:packages” on your repo, and SSO enabled, if applicable, so it’s not just a matter convenience. I agree that it’s very unfortunate.

1 Like

I am thinking about the same thing. It says it in the developer docs, but when you navigate to the package itself it says nothing about authentication with GitHub. I think that needs to be in big bright flashing lights since it is deviating from how npm, maven, and other repos work when you just simply pull the public projects. 

6 Likes

Ditto - we will just continue to use other services, like Maven, and NPM. It is difficult enough educating customers on how to use a public SDK, let alone having to teach them how to configure gradle to authenticate with GitHub.  

2 Likes

@AndreaGriffiths11 Is there timeline when this issue will fixed?

5 Likes

So I guess this is only usefull for private artifacts. Very unfortunate indeed  for opensource.

I am very disapointed with it. It took me hours to actually push packages there using all the fragmented documentation that was provided to find out that people won’t be able to use it… Totally wasted my time, I’ll have to move to an other working packaging system, requiring authentication to download from public repositories is pointless.

6 Likes

Requiring github auth for public repo artifacts makes this pretty useless for Open Source projects.

That’s really disappointing to see from GitHub. I hope this gets fixed soon. 

For now, Open Source projects will have to look elsewhere.

4 Likes

Same here. Was almost OK with the extra hassle / need to add repository configs for all different libraries with different repositorioes on github, only to discover that it is actually unusable without authentication. Having a per-user/org repository with the ability to push to it with actions and able to read packages without authentication is something that would be needed for open source.

1 Like

As GH Package regsitry has been officially released, is there any plan on allowing public packages to be downloaded without authentication?

I think it would be useless for open source projects asking users to authenticate to get packages. This is a manditory requirement which is already there in systems like maven central

3 Likes

Thanks for everything

Any news on this matter, considering the fact NPM was just bought by Microsoft (Github)?

Auth for public packages is an absolute no-go and must be resolved asap. 

12 Likes