Download from GitHub Package Registry without authentication

Can at least the help pages be corrected…
to mention that you also need auth for downloads.


+1 releasing open source npm packages on GitHub packages is great until a user has to install it. The poorly documented need for authentication for public repositories has caused nothing but problems. It makes packages inaccessible and is a useless and time-consuming requirement.


Can somebody from GitHub provide an ETA for when the auth requirement is removed on public repos?
Once I move my libraries to Sonatype, it is very unlikely I will ever come back to Github packages.


I’m surprised to learn that whoever is using the packages also requires authentication?
That makes the feature useless. I switched back to NuGet.
At least anonymous package downloads need to be supported for public repos for public access.

As this is a lengthy discussion with many discussion points, I’m not sure if this is viable but.

Would it be possible to “push a build jar” into the project repo in a defined location (i.e. release or dist) and then pull direct from that location? Maybe similar to “release” artifacts?

And then pull that direct (without token) in some way similar to if one was looking at a file in the repo?

Not sure that could fully be treated as a “repository” in the same way as is used in build tools, but thought I would ask.

That’s exactly what I do. I generate local Maven files, including jars, in the docs part of the repository, which is used for GitHub pages. The URL of the GitHub pages site serves as Maven repository, with no need for authentication. I agree that it feels like a misuse of GitHub pages, but it works.


This solution works with a huge flaw. I gave users instructions to add the encoded PAT in the repository URL of their settings.xml, so they can download artifacts from my repo when building their stuff. They don’t necessarily have a GitHub account, nor should need one for this, as long as they use the PAT I made for them.

But now this can be effortlessly broken at will by anybody! They just need to copy the un-encoded PAT (which is just one letter away) and upload a .txt file with it to any random repo… BAM! GitHub will revoke the PAT for everybody.
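The setup described in the post above, a credential placed in the repository URL of settings.xml, can be found mechanically. The following Python check is an added example, not code from this thread: it flags credentials embedded in repository URLs and literal `<password>` values in a Maven settings.xml, and accepts values that are read from the environment. The sample file, its ids, the OWNER/REPO paths and the token strings are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample: one repository URL carries credentials inline, one
# server entry holds a literal password, one reads it from the environment.
SAMPLE_SETTINGS = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>internal</id><username>ci</username>
      <password>constructed-literal-secret</password></server>
    <server><id>github</id><username>${env.GITHUB_ACTOR}</username>
      <password>${env.GITHUB_TOKEN}</password></server>
  </servers>
  <profiles><profile><id>default</id><repositories>
    <repository><id>shared</id>
      <url>https://reader:EXAMPLE-TOKEN@maven.pkg.github.com/OWNER/REPO</url></repository>
    <repository><id>pages</id><url>https://OWNER.github.io/REPO/</url></repository>
  </repositories></profile></profiles>
</settings>"""

# The whole value is a ${...} property reference, so no secret is in the file.
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")
CHECKED = ("server", "repository", "pluginRepository", "mirror")

def local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_settings(xml_text):
    """Return (finding, element id) pairs for credentials stored as literals."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = local(el.tag)
        if name not in CHECKED:
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in el}
        ident = fields.get("id", "?")
        password = fields.get("password", "")
        if name == "server" and password and not PLACEHOLDER.match(password):
            findings.append(("literal-password", ident))
        parts = urlsplit(fields.get("url", ""))
        # Userinfo in the URL is a credential whatever encoding was applied.
        if parts.username or parts.password:
            findings.append(("credentials-in-url", ident))
    return findings

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_SETTINGS):
        print(finding)
```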


So GitHub just wants to waste the time of developers? Why? Can’t they just write it clearly that it’s just for private use?
