Hi @gsmachado,

Sorry about the delay in getting back to you!

However, it also says that there was a bug that prevents to push artifacts with -javadoc and -sources extension, somehow. Is that still an issue?

This issue should now be fixed.

When I go to fetch the maven-metadata.xml file on the URL from above, I get:

error retrieving metadata for snapshot file: compiler-3.0.1-20200527.103236-1-sou

I am able to fetch your maven-metadata.xml using the following command:

$ curl https://maven.pkg.github.com/neow3j/neow3j/io/neow3j/compiler/3.0.1-SNAPSHOT/maven-metadata.xml -u token:${READ_PACKAGES_TOKEN} | xmllint --format -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1661  100  1661    0     0   3831      0 --:--:-- --:--:-- --:--:--  3827
<?xml version="1.0"?>
<metadata modelVersion="">
  <groupId>io.neow3j</groupId>
  <artifactId>compiler</artifactId>
  <version>3.0.1-SNAPSHOT</version>
  <versioning>
    <snapshot>
      <timestamp>20200527.103236</timestamp>
      <buildNumber>1</buildNumber>
    </snapshot>
    <lastUpdated>20200527103248</lastUpdated>
    <snapshotVersions>
      <snapshotVersion>
        <extension>jar</extension>
        <value>3.0.1-20200527.103236-1</value>
        <updated>20200527103237</updated>
      </snapshotVersion>
      <snapshotVersion>
        <extension>pom</extension>
        <value>3.0.1-20200527.103236-1</value>
        <updated>20200527103238</updated>
      </snapshotVersion>

READ_PACKAGES_TOKEN is a PAT with the read:packages scope.

Any chance you could point me to a GitHub Actions workflow that shows this failing?

Hello @jcansdale

Thanks for your reply, even if took a while. No worries! 😉

So… I can confirm that now I can successfully publish 3.0.1-SNAPSHOT – i.e., update/re-upload artifacts using the same version (like an overwrite). That’s fine!

However, I still don’t get it: even if the repo is public (open-source project), users mandatorily need to use a token with read:packages scope, somehow?

I don’t know if you’re familiar with Java/Gradle ecosystem, but, if I set-up a project with the following gradle.build content, it fails:

plugins {
    id 'java'
}
group 'org.example'

version '1.0-SNAPSHOT'
repositories {

mavenCentral()

maven {

url "https://maven.pkg.github.com/neow3j/neow3j/"

}

}
dependencies {

compile 'io.neow3j:contract:3.0.1-SNAPSHOT'

testCompile group: 'junit', name: 'junit', version: '4.12'

}

The output of a simple gradle compileJava on this repository example gives the following output:

> Could not resolve all files for configuration ':compileClasspath'.
   > Could not resolve io.neow3j:contract:3.0.1-SNAPSHOT.
     Required by:
         project :
      > Could not resolve io.neow3j:contract:3.0.1-SNAPSHOT.
         > Unable to load Maven meta-data from https://maven.pkg.github.com/neow3j/neow3j/io/neow3j/contract/3.0.1-SNAPSHOT/maven-metadata.xml.
            > Could not get resource 'https://maven.pkg.github.com/neow3j/neow3j/io/neow3j/contract/3.0.1-SNAPSHOT/maven-metadata.xml'.
               > Could not GET 'https://maven.pkg.github.com/neow3j/neow3j/io/neow3j/contract/3.0.1-SNAPSHOT/maven-metadata.xml'. Received status code 401 from server: Unauthorized

If this is really the case, and I got it right, this is a real problem for the adoption of Maven-related projects! It will certainly bring lots of frustration, and people will not widely use it. ☹️

People (users of libraries) just want to add the repository URL, add the dependency, and then start using libs/artifacts! That’s it. No generation of tokens. No account on GitHub. No addition configuration. Nothing. It’s open-source software anyway, thus, packages and its metadata (maven-metadata.xml) should be widely accessible. :slight_smile:

Let me know if I misinterpreted something… also, maybe there’s a configuration, somewhere, that I missed.

Thanks!

@gsmachado,

However, I still don’t get it: even if the repo is public (open-source project), users mandatorily need to use a token with read:packages scope, somehow?

From what I understand, it’s currently intended more for internal development dependencies than for hosting public packages. Packages can be made accessible to anyone with a GitHub account who is motivated to create a PAT (which isn’t exactly public).

It is possible to create a read:packages token on behalf of users that might want to build your project. There are however a couple of complications:

1. GitHub will automatically delete tokens that are pushed to public repositories
2. The read:packages scope gives access packages associated with private as well as public packages

I don’t know if you’re familiar with Java/Gradle ecosystem, but, if I set-up a project with the following gradle.build content, it fails:

I’m still experimenting with Gradle configurations, but what you might be able to do is something like the following:

  <a href="https://github.com/jcansdale-test/gradle-java-consume/pull/1" target="_blank" rel="noopener nofollow ugc">github.com/jcansdale-test/gradle-java-consume</a>

<div class="branches">
  <code>jcansdale-test:master</code> ← <code>jcansdale-test:public-token</code>
</div>

<div class="github-info">
  <div class="date">
    opened <span class="discourse-local-date" data-format="ll" data-date="2020-07-20" data-time="08:16:28" data-timezone="UTC">08:16AM - 20 Jul 20 UTC</span>
  </div>

  <div class="user">
    <a href="https://github.com/jcansdale-test" target="_blank" rel="noopener nofollow ugc">
      <img alt="jcansdale-test" src="https://user-images.githubusercontent.com/11719160/181087729-f2a4ebc3-e72f-469a-a557-5ad08f269881.png" class="onebox-avatar-inline" width="20" height="20">
      jcansdale-test
    </a>
  </div>

  <div class="lines" title="2 commits changed 2 files with 2 additions and 5 deletions">
    <a href="https://github.com/jcansdale-test/gradle-java-consume/pull/1/files" target="_blank" rel="noopener nofollow ugc">
      <span class="added">+2</span>
      <span class="removed">-5</span>
    </a>
  </div>
</div>

repositories {
    maven {
        name = "remote"
        // Adapt the URL for your remote repository
        url = uri("https://maven.pkg.github.com/jcansdale-test/gradle-java-publish")
        credentials { 
            // Use this if the repo requires auth 
            // see https://docs.gradle.org/6.4/userguide/declaring_repositories.html#sec:supported_transport_protocols
            username = "token"
            password = "\u003c\u0050\u0041\u0054\u003e...................................................."
        }
    }
}
```</span></p>
  </div>

  </article>

  <div class="onebox-metadata">
    
    
  </div>

  <div style="clear: both"></div>
</aside>

<ol>
<li>Create a PAT with the <code>read:packages</code> scope from a safe account (e.g. a <a href="https://developer.github.com/v3/guides/managing-deploy-keys/#machine-users" rel="noopener nofollow ugc">machine user</a> account)</li>
<li>Use <code>docker run jcansdale/gpr encode &lt;PAT&gt;</code> to encode the token (see <a href="https://github.com/jcansdale/gpr" rel="noopener nofollow ugc">here</a>)</li>
<li>Add a <code>credentials</code> element to the maven details with <code>username</code> and <code>password</code>
</li>
<li>
<code>username</code> can be anything and <code>password</code> the encoded string from example <code>.npmrc</code> file</li>
</ol>
<p>For example:</p>
<pre><code class="lang-auto">repositories {
    maven {
        name = "remote"
        // Adapt the URL for your remote repository
        url = uri("https://maven.pkg.github.com/jcansdale-test/gradle-java-publish")
        credentials { 
            // Use this if the repo requires auth 
            // see https://docs.gradle.org/6.4/userguide/declaring_repositories.html#sec:supported_transport_protocols
            username = "token"
            password = "\u003c\u0050\u0041\u0054\u003e...................................................."
        }
    }
}
</code></pre>
<p>I’d be interested to know if something like this would work for you.</p>

Hey @jcansdale

Thanks for the fast reply! Much appreciated! :slight_smile:

From what I understand, it’s currently intended more for internal development dependencies than for hosting public packages. Packages can be made accessible to anyone with a GitHub account who is motivated to create a PAT (which isn’t exactly public).

Oh, ok. This is exactly what I meant.
So, it means that GitHub packages feature is not intended for hosting (real) public packages. Gotcha.

However, this is a use case that is interesting for tons of open source projects out there, including neow3j. The advantages of publishing to GitHub Packages instead of JFrog/SonaType/etc are obvious: everything in a single platform, GitHub. It’s faster, and there’s a bunch of opportunities to explore there (including metrics of download, etc) in the entire software delivery lifecycle: development, release, distribution, measure.

At the moment, what you propose is not really suitable for widely public packages – because of the necessity of creating a PAT.

Where can I submit a Feature Request for this?

At the moment, what you propose is not really suitable for widely public packages – because of the necessity of creating a PAT.

What if you create a read:packages PAT that is distributed with the project? Is the solution proposed in the PR above not an option?

Where can I submit a Feature Request for this?

This is a known issue and being worked on for the next version of GitHub Packages. I’m afraid I can’t give you a timeline though.

What if you create a read:packages PAT that is distributed with the project? Is the solution proposed in the PR above not an option?

Unfortunately, that’s not an option… because I would need to make that read:packages PAT public on the README.md of our project – developers/users should want to copy and paste the details to configure their gradle.build to import our library and start using it. So, since you mentioned that GitHub removes/deletes tokens that are publicly distributed, then, I conclude that’s not a viable option.

This is a known issue and being worked on for the next version of GitHub Packages. I’m afraid I can’t give you a timeline though.

Great! We really want this feature. Let us know once it comes out.

If there’s any link or GitHub issue that I can subscribe to follow the progress of such a feature, let me know!

Thanks a lot for your help and directions. 😄

If there’s any link or GitHub issue that I can subscribe to follow the progress of such a feature, let me know!

There isn’t I’m afraid. It would be nice it there was a public repository where we could track this kind of thing. What do you think @whitneyimura?

Hey @jcansdale and @whitneyimura
Any news on this matter (unauthenticated packages)?

Any news on this matter (unauthenticated packages)?

This was discussed just yesterday. I’m cautiously optimistic. 🤔

Hey @jcansdale
Hope you’re doing fine! :slight_smile:

Any more optimistic news about downloading unauthenticated packages? @devhawk would be also interested in this.

Maybe, should we create another post specific to this? Or can you point us to where the discussion is happening?

Hi @gsmachado 👋

Any more optimistic news about downloading unauthenticated packages? @devhawk would be also interested in this.

No official news I’m afraid. Say hi to @devhawk from me. :grinning_face_with_smiling_eyes:

I’ve just created an example Maven project that depends on a public package. You can simply clone the following repository:

jcansdale-test/maven-install-public

Install public Maven package. Contribute to jcansdale-test/maven-install-public development by creating an account on GitHub.

Then install and execute the project like this:

# install public packages
mvn install
execute example app
mvn exec:java -D exec.mainClass=com.octokat.app.InstallApp

If all goes to plan, it should output:

Hello from github-packages-examples/maven-publish, commit ed957aa2f450708a0ba42ac901f90bac48ebf012, run number 34!

The trick is adding a repository entry to the pom.xml like this:

<repository>
  <id>github-public</id>
  <url>https://public:&#56;538964239ca66dda0ba60738699571d1688c709@maven.pkg.github.com/github-packages-examples/*</url>
</repository>

• github-public is a unique repository ID. I’m deliberately not using github because the PAT would be overwritten by the actions/setup-java@v1 action.
• public is a dummy username (it can be anything).
• 8538964239ca66dda0ba60738699571d1688c709 is a PAT with the read:packages scope. The first letter is XML encoded to evade auto-deletion of scoped PATs. 😉

Would something like that work for you?

I’m sure you know more about Maven than me, so please let me know how the example could be improved!

Cool, @jcansdale! Yes, @devhawk and I are working in the same community/project (everything is open source). 🚀 We already talked about you being involved in this thread the other day. :grinning_face_with_smiling_eyes:

Thanks for the example! I’m actually using Gradle, but it’s the same logic/structure, yes.

What bothers me a bit here is to release the PAT publicly (even if it’s just read-only). So, a couple of questions:

• This PATH is associated with an account, and maybe it gets abused, e.g., to widely crawl GitHub things. This could lead to an account suspension, right?
• Is there a way to generate a PAT from an organization? Then I would feel a bit more comfortable – since I don’t have to generate from my own individual account.

Let me know!

I really appreciate your time and discussing things around here. Really helpful! Keep up the great work.

related: gradle/gradle#13330