xmlEncode

This works! Thank you! One small tweak: it’s just encode, not xmlEncode.

Hi @clarkbw! Any news regarding allowing public access to Maven packages?

Still in the future column on the roadmap. Hopefully in the fall this year.

Hey @clarkbw, thanks for the update! I’d like to bring to attention that JCenter is being shut down globally on 1st may this year. JCenter is currently one of the biggest maven repositories in the world in amount of artifacts.

There are several projects currently looking for a new home and while github package registry looks awesome, this one particular (missing) feature is preventing several projects I know from choosing github packages over self-hosting.

It’s pretty rare for a developer to have a github PAT on their maven (or gradle) configuration (much less on both) and it’s quite a barrier to entry for new developers (needing to create a github account → learning which of the 40 options to create a PAT → learning how to configure maven (or/and gradle) and their IDE).

It would be very interesting if this could be prioritized before the JCenter sunsetting deadline and could bring several people to use github packages (it’s A LOT easier than central).

Having this available for pretty much everyone to use would be a great option.

• Maven is quite slow according to various developers
• Jcenter is obviously shutting down, as stated by @Fabricio20
• Selfhosting is either not cheap or resource intense and would require extra stuff like domain, server setup, etc.
• Other options may not be free or under heavy restrictions.

I also wanted to use this once, but never got it to work. The publication gave an error with a 4xx code (I believe it was 403) yet (parts of) the package where apparently distributed to the upstream repo.
So because of that did I keep this down for the moment, but if this maven/gradle bug is actually fixed (Support told me it was a bug on your end) AND this allows anyone to download packages without registration and/or a PAT, would I perhaps give it another chance…

I also would love to see this delivered. As of now GitHub packages are useful to provide packages to our clients, but for our open-source work they cannot be used, as I cannot expect users to register to GitHub and set up the CI to obtain a token just for these packages

I wonder if in the meantime one could create a proxy service that access the Maven repo on GitHub and just exposes it without authentication needed. Not ideal and a bit of extra work but it does not seem predictable when we will get this feature from GitHub. Maybe never

@clarkbw Any update on the topic? You mentioned fall last year, was it pushed back?

@clarkbw any news on this?

Yep. It would be great if github solves this.
Public repository with the need of authentication for packages still sounds like a bad april fool…
Please fix this.

As I manage some open source Java projects on Github, I can’t ask people to authenticate before using the repo, so I switched to https://jitpack.io as a Maven repo.

Is there anything we the community can do to help get this feature implemented faster? I won't presume to know the reasoning behind this requirement, but as others have said, it's extremely restrictive.

This also applies to NPM-packages, which does not make any sense for public packages as well, also breaking developer experience and making it nearly impossible to include GitHub packages in any CI/CD pipeline, which essentially defeats the general purpose of packaging a project.

What's even more baffling is the fact, that you can easily include the GitHub repository URL itself verbatim in NPM, accessing a public repo without any auth, but the package based on exactly that repo is not available without auth. WTF? oO

While using the repo itself is feasible, this is just a git clone, excluding the possibility of packaging steps, also resulting in a weird notation in package.json.

Please allow non-authed installations of GitHub packages. Setting up the registry is alright, but providing a PAT completely breaks the functionality.

The fact that public repositories can be read anonymously but public packages cannot makes no sense to me.
Please allow us to read packages without authentication, we are forced to use jitpack or another third party tool to distribute software when Github basically already has this functionality.

I have written a short shell script that deploys to a separate branch in your project that can be read anonymously for anyone looking for a workaround: https://github.com/ThomasOM/MavenRepoTool

Dear github team, Any news on this one after 3 years?

jdsalasca's solution worked perfectly for me. Just created a read-only access token for packages, and included in build.gradle. As it is read-only for a public registry, it can be included cleartext.

I'd love to have anonymous access to public packages too. I just experimented getting a package published and I was very surprised when I couldn't use it anonymously.

This is still a very important feature. not having the public repos really makes using maven repos not worth it.....

Having PAT on public NPM packages makes this feature useless. Not a surprise I wasn't able to find any well known open source web projects using NPM Github Packages (checked angular, react, vuejs, bootstrap etc)

Agree with the common sentiment here, not very useful unless it behaves like all the other large package repos

Seems like Santa is not coming with this gift this year.
In the meantime, I'm using a custom proxy to handle the Github authentication and exposing my packages publicly.
That allows me to import my libraries like this:

repositories {
    mavenCentral()
    maven {
        url = uri("https://urlForYourProxy")
    }
}

dependencies {
    implementation "com.{your-org-id}.{your-package-name}:{your-version}"
}

You can find the source code here. Can't wait to kill this project when Github allows unauthenticated requests to packages.

this is so absurd that it is still not working. are there any plans from github to get that running? @jcansdale and if so? when? :)

This is disappointing to read after having spent significant time getting familiar with and publishing packages to GitHub Packages. We will switch to Maven Central for publishing open source packages.

Got a reply from support:

Hi Roman,
 
I have finally managed to get a definitive answer for this question.
 
GitHub Packages does not have plans to offer anonymous access for package types that have public registries of record supporting the ecosystem. We advise users to publish packages intended for retrieval without authentication to registries like Maven Central.
 
I'm sorry this wasn't the answer you were hoping to hear!

That's one of a questionable moves for sure, as it defeats the purpose of a maven repository and it's a nice 180 degrees turn on their side considering their past statement.