TL;DR: Trying to use artifacts from GitHub Packages on multiple accounts does not work with Maven. The easiest solution would be to give each account their own subdomain on maven.pkg.github.com.
I’ve got two GitHub repositories, let’s call them foo and bar, on two different GitHub accounts, let’s call them A and B. Both are Maven projects built with GitHub Actions that deploy their JAR artifacts to GitHub Packages.
On B I’ve got a third repository, let’s call it baz, that also contains a Maven project; this one depends on both the foo and bar JAR files produced from the other two projects. To that end, it has two <repository> sections in its POM file, one for foo and one for bar. In order to not have to add the credentials for these repositories to an external settings.xml, they are encoded into the URL, e.g.:
    <repositories>
      <repository>
        <id>github-foo</id>
        <name>GitHub Packages - foo</name>
        <url>https://user:PAT_A@maven.pkg.github.com/A/foo</url>
      </repository>
      <repository>
        <id>github-bar</id>
        <name>GitHub Packages - bar</name>
        <url>https://user:PAT_B@maven.pkg.github.com/B/bar</url>
      </repository>
    </repositories>
This build will fail with an error:
    Error: Failed to execute goal on project baz: Could not resolve dependencies for project baz:baz:jar:0.0.1-SNAPSHOT: Could not transfer artifact foo:foo:jar:1.0 from/to github-bar (***maven.pkg.github.com/B/bar): Authentication failed for https://maven.pkg.github.com/B/bar/foo/foo/1.0/foo-1.0.jar 401 Unauthorized -> [Help 1]
    org.apache.maven.lifecycle.LifecycleExecutionException: Failed to execute goal on project baz: Could not resolve dependencies for project baz:baz:jar:0.0.1-SNAPSHOT: Could not transfer artifact foo:foo:jar:1.0 from/to github-bar (***maven.pkg.github.com/B/bar): Authentication failed for https://maven.pkg.github.com/B/bar/foo/foo/1.0/foo-1.0.jar 401 Unauthorized
I think the error message is a bit confusing because Maven will try fetching all dependencies from all repositories until it gets a hit. So the fact that I have two <repository>s in my POM means that all dependencies will be tried from up to three repos (the two in my POM plus Maven Central). So the error message is from an attempt to fetch foo from the bar repository. But I’ve tried it locally, and that just returns a 404, which should signal to Maven to try a different repository.
The problem is that Maven’s HTTP Wagon provider, which handles the communication between Maven and GitHub Packages (or any HTTP-based Maven repository, for that matter), keeps a cache of credentials, and this cache is basically keyed by host name and authentication realm. These are identical for both of my repositories, because they’re both hosted in GitHub Packages and GitHub Packages makes no distinction in the host name based on the account the package is coming from.
So whichever of the two repositories is used first, those are the credentials that will be cached and used for the other repository as well (and this will then fail).
I’m not sure if the expectation of Maven’s HTTP Wagon that credentials are the same across all paths on a particular host is reasonable. But it obviously doesn’t hold for GitHub Packages.
Short of solving this on the Maven side, GitHub Packages could introduce a subdomain for each GitHub account (provided the account names are DNS-valid) and that should work around this issue.
I’m going to look if it’s possible to disable the Maven HTTP Wagon’s credentials caching. But otherwise I hope the GitHub team can consider the subdomain suggestion (don’t know if they follow this community?)
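The caching behaviour described in the post, as an added example that is not part of the original post and is not Maven's or Wagon's code: a simplified model in which credentials are cached per (host, realm), a 404 moves on to the next repository and a 401 aborts the build. The realm name, the jar names, the `build` and `make_registry` helpers and the per-account host names `a.maven.pkg.github.com` / `b.maven.pkg.github.com` are assumptions made for illustration; GitHub does not offer such subdomains.

```python
from urllib.parse import urlsplit

REALM = "constructed-realm"  # assumption: one auth realm shared by every repository

def make_registry(repo_urls, contents):
    """Constructed registry: each repository accepts only its own token."""
    registry = {}
    for url, jars in zip(repo_urls, contents):
        p = urlsplit(url)
        registry[p.hostname + p.path] = (p.password, jars)
    return registry

def build(deps, repo_urls, contents):
    """Resolve deps in order; return one (artifact, repo, status) per request."""
    registry, cache, trace = make_registry(repo_urls, contents), {}, []
    for dep in deps:
        for url in repo_urls:
            p = urlsplit(url)
            # Cache scope is (host, realm): the first token seen for a host
            # is reused for every later request to it, whatever the path.
            token = cache.setdefault((p.hostname, REALM), p.password)
            expected, jars = registry[p.hostname + p.path]
            status = 401 if token != expected else (200 if dep in jars else 404)
            trace.append((dep, p.hostname + p.path, status))
            if status == 401:
                return trace  # authentication failure aborts the build
            if status == 200:
                break         # found; a 404 falls through to the next repo
    return trace

# Constructed inputs mirroring the POM in the post.
DEPS = ["foo-1.0.jar", "bar-1.0.jar"]
CONTENTS = [{"foo-1.0.jar"}, {"bar-1.0.jar"}]
SHARED_HOST = ["https://user:PAT_A@maven.pkg.github.com/A/foo",
               "https://user:PAT_B@maven.pkg.github.com/B/bar"]
# Hypothetical per-account subdomains, as suggested in the post.
PER_ACCOUNT = ["https://user:PAT_A@a.maven.pkg.github.com/foo",
               "https://user:PAT_B@b.maven.pkg.github.com/bar"]

if __name__ == "__main__":
    for name, urls in (("shared host", SHARED_HOST), ("per-account", PER_ACCOUNT)):
        print(name)
        for step in build(DEPS, urls, CONTENTS):
            print("  ", step)
```

With the shared host, the second repository is queried with the first repository's cached token and answers 401; with one host per account, each host gets its own cache entry and both artifacts resolve.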