Issue consuming aar from maven repository

Hey,

I have an Android library hosted in a private repo. I’m using GitHub Packages to host a maven repository (as described in this link) for this library and the goal is to keep it private. On the consumer side, I use github tokens to authenticate and download the artifact.

Everything works fine, until I release a new version of the library. The token I use to download the previous version is not recognized anymore and I’m unable to build the client app. The current solution is to issue a new token for every new release, which is very unpleasant and unreliable for the consumer.

Is it the default behavior? Am I doing something wrong?

In order to consume the library, my gradle script is as follows:

def pluginSettings = new Properties()

file("plugin.properties").withInputStream {
    pluginSettings.load(it)
}

repositories {
    maven {
        url "https://maven.pkg.github.com/<my account>/<my private repo>"
        credentials {
            username pluginSettings["GH_USER"]
            password pluginSettings["GH_TOKEN"]
        }
    }
}

I’m using two different tokens: one to publish and another to read the artifact.

Thanks in advance

Hi @bgpinto,

The token I use to download the previous version is not recognized anymore and I’m unable to build the client app. The current solution is issue a new token for every new release, which is very unpleasant and unreliable for the consumer.

It sounds like the PAT you’re using to download your packages is being pushed to a public repository and being automatically deleted by GitHub. That would explain why you need to generate a new token for every release. :thinking:

This is what I do to prevent my read:packages PATs from being automatically deleted:

  1. Generate a PAT from an account that has access to my private repository with just the read:packages scope (you can use a machine-user account or your own if you don’t have access to any private packages you need to protect).

  2. Execute the following command using Docker: `docker run jcansdale/gpr encode <PAT>`. This will generate an XML encoded token that won’t be automatically deleted by GitHub.

  3. Include the server element generated by the command above in your settings.xml file. It will look something like this:

  <server>
    <id>github</id>
    <username>PublicToken</username>
    <password>&#60;&#80;&#65;&#84;&#62;</password>
  </server>

I know your project uses Gradle, but I think settings.xml files can be used with Gradle as well as Maven?

You might also find you can use the string encoded for npm in your credentials element. For example:

        credentials {
            username "token"
            password "\u003c\u0050\u0041\u0054\u003e"
        }

Here is a sample/template repository that uses this technique:

I’d be interested to hear how you get on!

Hi, @jcansdale

Thank you for your answer.

I appreciate your solution, however it does not scale and does not satisfy my use case.

Also, why does GitHub delete PATs? Why is it being pushed to a public repository?

I’m really confused. I like Github packages but it seems really limited at the moment.

If this is the default behaviour (deleting tokens) I will consider looking for another package registry solution.

@bgpinto,

Also, why does GitHub delete PATs?

This is to protect users in case they accidentally expose their token on a public repository. You should have had a notification email about this. Please let me know if you didn’t receive it.

Why is it being pushed to a public repository?

It looks like your PAT was pushed to a public repository here:

I think you could have done something like this instead:

        credentials {
            username "bgpinto"
            password "\u0062\u0064\u0066\u0034\u0031\u0035\u0066\u0061\u0064\u0031\u0037\u0061\u0063\u0036\u0062\u0038\u0035\u0039\u0033\u0035\u0063\u0033\u0036\u0065\u0066\u0037\u0038\u0038\u0033\u0064\u0033\u0031\u0037\u0065\u0037\u0039\u0033\u0037\u0035\u0064"
        }

This will stop GitHub from recognizing it as a PAT and automatically deleting it.

Here is the command I used:

$ docker run jcansdale/gpr encode bdf415fad17ac6b85935c36ef7883d317e79375d

An encoded token can be included in a public repository without being automatically deleted by GitHub.
These can be used in various package ecosystems like this:

A NuGet `nuget.config` file:
<packageSourceCredentials>
  <github>
    <add key="Username" value="PublicToken" />
    <add key="ClearTextPassword" value="&#98;&#100;&#102;&#52;&#49;&#53;&#102;&#97;&#100;&#49;&#55;&#97;&#99;&#54;&#98;&#56;&#53;&#57;&#51;&#53;&#99;&#51;&#54;&#101;&#102;&#55;&#56;&#56;&#51;&#100;&#51;&#49;&#55;&#101;&#55;&#57;&#51;&#55;&#53;&#100;" />
  </github>
</packageSourceCredentials>

A Maven `settings.xml` file:
<servers>
  <server>
    <id>github</id>
    <username>PublicToken</username>
    <password>&#98;&#100;&#102;&#52;&#49;&#53;&#102;&#97;&#100;&#49;&#55;&#97;&#99;&#54;&#98;&#56;&#53;&#57;&#51;&#53;&#99;&#51;&#54;&#101;&#102;&#55;&#56;&#56;&#51;&#100;&#51;&#49;&#55;&#101;&#55;&#57;&#51;&#55;&#53;&#100;</password>
  </server>
</servers>

An npm `.npmrc` file:
@OWNER:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken="\u0062\u0064\u0066\u0034\u0031\u0035\u0066\u0061\u0064\u0031\u0037\u0061\u0063\u0036\u0062\u0038\u0035\u0039\u0033\u0035\u0063\u0033\u0036\u0065\u0066\u0037\u0038\u0038\u0033\u0064\u0033\u0031\u0037\u0065\u0037\u0039\u0033\u0037\u0035\u0064"

In this case I used the token from the npm example snippet. You should only need to do this once!

Does that help at all?
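As an added defender-side example (not part of this thread or of the gpr tool): a small scanner that undoes the `\uXXXX` and `&#NN;` escapes shown in the snippets above before matching token shapes, so a code review or pre-commit check still sees the credential that the escaping hides from automatic detection. The 40-hex token shape and the sample lines come from this thread; the `ghp_` pattern is an assumption about newer token formats, and the sample config is constructed.

```python
import re

# Escape styles used in the snippets above: JSON/Gradle/npm "\uXXXX" and
# XML decimal/hex character references "&#NN;" / "&#xHH;" (Maven, NuGet).
# Digit limits keep every decoded code point below 0x10FFFF so chr() cannot fail.
UNICODE_ESC = re.compile(r"\\u([0-9a-fA-F]{4})")
XML_DEC_REF = re.compile(r"&#([0-9]{1,6});")
XML_HEX_REF = re.compile(r"&#[xX]([0-9a-fA-F]{1,5});")

# Token shapes to look for after decoding. The 40-hex form is the one seen in
# this thread; the "ghp_" prefixed form is an assumption about newer tokens.
# A bare 40-hex string also matches git commit SHAs, so treat hits as
# candidates for review, not as confirmed leaks.
TOKEN_SHAPES = [
    re.compile(r"\b[0-9a-f]{40}\b"),
    re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
]


def unescape(text: str) -> str:
    """Decode \\uXXXX, &#NN; and &#xHH; escapes so an obfuscated token
    reappears as plain text; everything else passes through unchanged."""
    text = UNICODE_ESC.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = XML_HEX_REF.sub(lambda m: chr(int(m.group(1), 16)), text)
    text = XML_DEC_REF.sub(lambda m: chr(int(m.group(1))), text)
    return text


def find_tokens(config_text: str) -> list[dict]:
    """Scan a config file line by line, decode escapes, and report every
    token-shaped string with its line number and whether it was escaped."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        decoded = unescape(raw)
        for shape in TOKEN_SHAPES:
            for match in shape.finditer(decoded):
                findings.append(
                    {"line": lineno, "token": match.group(0), "escaped": decoded != raw}
                )
    return findings


# Constructed sample built from the snippets in this thread (raw string so the
# \u escapes stay literal, as they would in a committed .npmrc or build.gradle).
SAMPLE_CONFIG = r"""
//npm.pkg.github.com/:_authToken="\u0062\u0064\u0066\u0034\u0031\u0035\u0066\u0061\u0064\u0031\u0037\u0061\u0063\u0036\u0062\u0038\u0035\u0039\u0033\u0035\u0063\u0033\u0036\u0065\u0066\u0037\u0038\u0038\u0033\u0064\u0033\u0031\u0037\u0065\u0037\u0039\u0033\u0037\u0035\u0064"
<password>&#98;&#100;&#102;&#52;&#49;&#53;&#102;&#97;&#100;&#49;&#55;&#97;&#99;&#54;&#98;&#56;&#53;&#57;&#51;&#53;&#99;&#51;&#54;&#101;&#102;&#55;&#56;&#56;&#51;&#100;&#51;&#49;&#55;&#101;&#55;&#57;&#51;&#55;&#53;&#100;</password>
<password>&#60;&#80;&#65;&#84;&#62;</password>
password "bdf415fad17ac6b85935c36ef7883d317e79375d"
"""

if __name__ == "__main__":
    for hit in find_tokens(SAMPLE_CONFIG):
        print(f"line {hit['line']}: {hit['token']} (escaped={hit['escaped']})")
```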