Download from Github Package Registry without authentication

+1, GitHub packages are useless atm.

2 Likes

Please allow public access to packages in public repositories! Until this changes, GitHub Packages are too much hassle for many open source projects.

1 Like

I believe github packages from public repos should be publicly accessible as simple dependencies in maven projects as well, really hope it is implemented as such!

1 Like

i spent so much time trying to publish my package to then find out about this…

1 Like

Hello,
I would like to ask support why the decision to allow only authenticated users to download packages?

It is necessary to offer public access options, even though the package feature is still under the experimental stage. That is so frustrating and I spend two days to publish an opensource package but doesnot work in public, ridiculous…

6 Likes

Since 2019, the github team hasn’t even bothered to mention this limitation in their documentation… WTF?

3 Likes

Requiring token to access to public artifacts in Github Packages kinda disqualifies them as Open Source artifact storage.

It’s really sad since I really enjoyed the idea of having everything in one place.

+1, GitHub packages are useless atm.

2 Likes

+1, I created the packages but now I can’t download them from another anonymous client.

2 Likes

Jcenter/Bintray will shut down on 1st May
Github packages are an excellent alternative, but they suck for this useless (imo) “requirement”
Is it really necessary to use an access token only to fetch packages? Can we remove this limitation by the 1st May?

13 Likes

Fyi, you can also have this right inside a pom.xml, by adding such a “public access token” right into the repo URL:

<repository>
	<id>github</id>
	<!-- Basic auth via access token with `read:packages` scope -->
	<url>https://anon:&#82;&#69;&#65;&#68;&#95;&#80;&#65;&#67;&#75;&#65;&#71;&#69;&#83;&#95;&#84;&#79;&#75;&#69;&#78;@maven.pkg.github.com/example/*</url>
</repository>

Edit: Well, while it works locally, apparently the token is still redacted on GitHub Actions.

1 Like

I don’t suppose this could be as simple as Github providing an official global token to reflect “anonymous” read only access and set by default in some context.

3 Likes

I too have spent days trying to make Github packages work for my project only to discover that it is not possible to pull them without a PAT authentication. It would be ideal to keep everything on Github but this limitation is making this very difficult.

Let me confirm that @jcansdale solution using an encoded generated by gpr CLI is working. Here is the setup I am currently using to grab the packages with Gradle:

Gradle script on Gist:

repositories {
    maven {
        name = 'GitHubPackages'
        url = uri("https://maven.pkg.github.com/<organization>/${orgRepo}")
        credentials {
            username = 'token'
            password = '\u0033\u0036\u0038\u0033\u0030\u0034\u0038...'
        }
    }
}

Project Gradle script:

// Github Packages repository credentials
project.ext.orgRepo = '<repo_name>'
apply from: `<link_to_gist>`

dependencies {
    implementation '<organization_namespace>'
}

For now this is working and is not too much of a hassle for users to setup.

If you got this far, give up ya’ll.

Heaps of package feeds on the web you can push your public packages too for free.

It’s a bit unfortunate (and maybe a little impolite, sorry) to endorse a GitHub competitor here, but the workaround for me was to use GitLab for publishing publicly available packages. See instructions here: Maven packages in the Package Repository | GitLab.

Here’s a short summary:

  1. Create a new project in GitLab (unless it already exists)
  2. Make sure Packages is enabled under Settings > General > Visibility, project features, permissions
  3. Create a new deploy token under Settings > Repository > Deploy tokens with write_package_registry scope, pick any name you like
  4. Add a new GITLAB_DEPLOY_TOKEN repository secret in your GitHub project settings and paste the token value from GitLab into Value.
  5. Create .github/gitlab-mvn-settings.xml file in the GitHub repository with the following content:
<settings>
  <servers>
    <server>
      <id>gitlab</id>
      <configuration>
        <httpHeaders>
          <property>
            <name>Deploy-Token</name>
            <value>${env.GITLAB_DEPLOY_TOKEN}</value>
          </property>
        </httpHeaders>
      </configuration>
    </server>
  </servers>
</settings>
  1. Add the GitLab Package Repository to your pom.xml:
    <distributionManagement>
        <repository>
            <id>gitlab</id>
            <url>https://gitlab.com/api/v4/projects/<YOUR GITLAB PROJECT ID>/packages/maven</url>
        </repository>
        <snapshotRepository>
            <id>gitlab</id>
            <url>https://gitlab.com/api/v4/projects/<YOUR GITLAB PROJECT ID>/packages/maven</url>
        </snapshotRepository>
    </distributionManagement>
  1. Add deployment to the GitLab Package Repository to your GitHub Actions job with
mvn deploy -s .github/gitlab-mvn-settings.xml
4 Likes

I’ve also got this working by creating a personal access token that has the fewest privileges. To make this journey easier for others, I published a tutorial on how to do this on developerlife.com.

Cheers
Naz

Hi Naz! Thanks for the great article! Regarding the section Import this dependency into another gradle project - try pushing the other Gradle project to GitHub and you will see that your GITHUB_PACKAGES_IMPORT_TOKEN token will be revoked. This is documented here: Keeping GitHub OAuth Tokens Safe - The GitHub Blog, quoting:

We will email you if you push one of your OAuth Access Tokens to any public repository with a git push command. As an extra bonus, we’ll also revoke your token so it can’t be used to perform any unauthorized actions on your behalf.

Hi Mart,

Thank you for your reply. I think that documentation might be out of date (it was published in February 5, 2015) :slightly_frowning_face:

I am currently using this repo color-console as a gradle dependency in other projects (eg: idea-plugin-example) successfully.

Based on the behavior I’ve observed, it does not seem like the GITHUB_PACKAGES_IMPORT_TOKEN has been revoked by GitHub :thinking:

Take care
Naz