How to allow unauthorised read access to GitHub packages maven repository?

Hello,

I have a repository with a Java project and a configured GitHub Actions workflow, which publishes a JAR into the GitHub Packages Maven repository.

I would like to use the published JAR package in other project, so I need to add it to pom.xml:

    <dependency>
      <groupId>my.group</groupId>
      <artifactId>myartifact</artifactId>
      <version>1.0.1</version>
    </dependency>

I also need to add the Maven repository to pom.xml.

    <repository>
      <id>github-me-my-repo</id>
      <layout>default</layout>
      <name>GitHub Packages Repo</name>
      <releases><enabled>true</enabled></releases>
      <snapshots><enabled>false</enabled></snapshots>
      <url>https://maven.pkg.github.com/me/my-repo</url>
    </repository>

This does not work: when Maven attempts to download the artifact it fails, because the request is unauthorized.

GitHub Packages help says that I need to add my user name and token to settings.xml.

This probably fixes the issue.
But there is so much nonsense in this requirement.

For example, if I clone some project which relies on dependencies hosted on a GitHub Packages Maven repo, I’ll fail to compile it. Will have to investigate what the heck is going on. Figure out that I need to register on GitHub. Then generate a token. Store it in ~/.m2/settings.xml. And only then the project might compile.

On the other hand, the dependency JAR could be downloaded manually via https://github.com/me/my-repo/packages, so why on earth is authorization required when it is downloaded via Maven?

Is there any hidden setting to turn off this requirement?

1 Like

Found a topic raising exactly the same issue: Download from Github Package Registry without authentication

Our Maven service doesn’t allow for unauthorized access right now. We plan to offer this in the future but need to improve the service a bit before that.

For Actions you can add a PAT to your secrets store or use the GITHUB_TOKEN to authenticate. In your settings.xml we suggest using the environment variable approach (see setup-java) so you don’t store the tokens in the file.

2 Likes

For example, if I clone some project which relies on dependencies hosted on a GitHub Packages Maven repo, I’ll fail to compile it. Will have to investigate what the heck is going on. Figure out that I need to register on GitHub. Then generate a token. Store it in ~/.m2/settings.xml. And only then the project might compile.

There are a few things you can do to make this a little less painful.

  1. Create a settings.xml file at the root of your repository
  2. Create a .mvn/maven.config file that contains -s settings.xml
  3. Generate a PAT with just the read:packages scope

If your repository is private, you can place the PAT directly in your settings.xml file. If your repository is public, you can’t push the raw PAT to your repository because GitHub will automatically delete it. What you can do instead is store an XML encoded version of the PAT (to prevent automatic deletion).

You can find an example of this here:

You can now clone and compile like this:

git clone https://github.com/jcansdale-test/maven-consume
cd maven-consume
mvn compile

If you have Docker installed, you can generate an XML encoded PAT by doing:

docker run jcansdale/gpr xmlEncode TOKEN

I hope that helps!
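
A check a maintainer could run over a repository's settings.xml to see whether each server password uses the environment-variable approach suggested in the thread or is a token stored in the file, whether pasted as-is or XML encoded. This is an added example, not code from the thread or from setup-java; the GITHUB_ACTOR variable, the two `constructed-*` server ids and the token value are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET

# A value that is exactly one Maven environment reference, e.g. ${env.GITHUB_TOKEN}
ENV_REF = re.compile(r"^\$\{env\.[A-Za-z_][A-Za-z0-9_]*\}$")

def local(tag):
    """Drop the XML namespace; settings.xml may or may not declare one."""
    return tag.rsplit("}", 1)[-1]

def audit_settings(xml_text):
    """Map each <server> id to 'env-reference', 'literal' or 'missing' for its password."""
    verdicts = {}
    for server in ET.fromstring(xml_text).iter():
        if local(server.tag) != "server":
            continue
        # The parser decodes entities and character references, so an
        # XML-encoded token is compared in its decoded form here.
        fields = {local(child.tag): (child.text or "").strip() for child in server}
        password = fields.get("password", "")
        if not password:
            verdict = "missing"
        elif ENV_REF.match(password):
            verdict = "env-reference"
        else:
            verdict = "literal"
        verdicts[fields.get("id", "(no id)")] = verdict
    return verdicts

# Constructed sample: the first id is the repository id from the question;
# the other ids and the token value are made up for this example.
FAKE_TOKEN = "EXAMPLE-NOT-A-REAL-TOKEN"
ENCODED = "".join(f"&#{ord(c)};" for c in FAKE_TOKEN)
SAMPLE = """<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>github-me-my-repo</id>
      <username>${env.GITHUB_ACTOR}</username>
      <password>${env.GITHUB_TOKEN}</password></server>
    <server><id>constructed-plain</id>
      <username>me</username><password>@PLAIN@</password></server>
    <server><id>constructed-encoded</id>
      <username>me</username><password>@ENCODED@</password></server>
  </servers>
</settings>""".replace("@PLAIN@", FAKE_TOKEN).replace("@ENCODED@", ENCODED)

if __name__ == "__main__":
    for server_id, verdict in audit_settings(SAMPLE).items():
        print(f"{server_id}: {verdict}")
```

The server id in settings.xml has to match the repository id in pom.xml (github-me-my-repo in the question) for Maven to apply the credentials to that repository.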