Github actions cause 400 Bad Request for maven builds using Github package releases

I have released a maven package [1] for Github resgitry using Github actions. Then i am going to use that as an dependency in another maven project (dependency type is zip). As Github packages requires credentials to get dependencies [2], i have added a settings.xml file and provided username and passwords as environment variables as below

<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                      http://maven.apache.org/xsd/settings-1.0.0.xsd">

  <activeProfiles>
    <activeProfile>github</activeProfile>
  </activeProfiles>

  <profiles>
    <profile>
      <id>github</id>
      <repositories>
        <repository>
          <id>github</id>
          <name>GitHub OWNER Apache Maven Packages</name>
          <url>https://maven.pkg.github.com/ballerina-platform/ballerina-update-tool</url>
        </repository>
      </repositories>
    </profile>
  </profiles>

  <servers>
    <server>
      <id>github</id>
      <username>${env.packageUser}</username>
      <password>${env.packagePAT}</password>
    </server>
  </servers>
</settings>

Then set env variables in the workflow as below

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout
      uses: actions/checkout@v2
    - name: Set credentials
      run: echo "Set environments"
      env:
        packagePAT: ${{ secrets.TOKEN }}
        packageUser: ${{ secrets.USER }}
    - name: Build Ballerina Distribution
      env:
        GITHUB_TOKEN: ${{ secrets.TOKEN }}
      run: mvn -s settings.xml clean install -B -V

This settings.xml works locally (by setting env variables manally). When i try to run the same in the Github Actions it will cause 400 bad request.

[1] https://github.com/ballerina-platform/ballerina-update-tool/packages/136624

[2] https://github.community/t5/GitHub-API-Development-and/Download-from-Github-Package-Registry-without-authentication/m-p/47803#M4159

Hey,
I had the same issue.
I changed my config somewhat similar to yours,
like this.

settings.xml:

    <profiles>
        <profile>
            <id>github</id>
            <repositories>
                <repository>
                    <id>github</id>
                    <name>Github package.</name>
                    <url>https://maven.pkg.github.com/open-schnick/somepackage</url>
                    <releases><enabled>true</enabled></releases>
                    <snapshots><enabled>true</enabled></snapshots>
                </repository>
                <repository>
                    <id>central</id>
                    <url>https://repo1.maven.org/maven2</url>
                    <releases><enabled>true</enabled></releases>
                    <snapshots><enabled>true</enabled></snapshots>
                </repository>
            </repositories>
        </profile>
    </profiles>

    <servers>
        <server>
            <id>github</id>
            <username>open-schnick</username>
            <password>${env.token}</password>
        </server>
    </servers>

then i just went ahead and set token as Github token. (this should be a non visible token generated by github.)

tests.yml

name: Tests

on: [push,workflow_dispatch]

jobs:
  run-all-tests:
    runs-on: ubuntu-latest

    steps:
    - uses: actions/checkout@v2
    - name: Set up JDK
      uses: actions/setup-java@v1
      with:
        java-version: '14.0.1'
        architecture: x64
    - name: Run tests with maven.
      env:
        token: ${{ secrets.GITHUB_TOKEN }}
      run: mvn -s settings.xml -V clean test

I also tried using a custom access token, and it worked.
this token needs the scopes: read:packages
You can create one here: https://github.com/settings/tokens

Things to check:
Check whether the token you are using is qualified. The Default secrets.GITHUB_TOKEN should always work. You can do that by looking at the logs and finding the url to the pom of the package you need. In the browser you should stumble upon an auth. Use your account name and token. -> Read what ever comes back.