6

I have a GitHub repo with a library published to its own GitHub packages maven repository. And I also have another project where I want to reference this library as a dependency.

When I add the following configuration to the POM file of my project it just doesn't work.

<repositories>
 <repository>
  <id>github</id>
  <name>GitHub Packages</name>
  <url>https://maven.pkg.github.com/test-account/test-lib</url>
 </repository>
</repositories>

It requires me to authenticate. I understand that this is pretty logical as it is basically not a sources repo but an underlying maven repo. But is there a way to have normal maven access to this dependency? My library is in the public repo.

P.S. Please, do not suggest using Jitpack as I would like to have clean solution without any additional resources.

Alexey Anufriev

4 Answers

11

The answer seems to be "you can't". See this comment from a GitHub staff member:

Our Maven service doesn’t allow for unauthorized access right now. We plan to offer this in the future but need to improve the service a bit before that.

For now the simplest option seems to be to create a personal access token with read access and include it in the URL of the <repository> section in your pom.xml, like this:

<repository>
  <id>github</id>
  <name>GitHub Packages</name>
  <url>https://my-user:b96e7de7514e45c5@maven.pkg.github.com/my-user/my-repo</url>
</repository>

Otherwise, options are probably:

  • Create a personal access token with read access and just share it with the whole world.
  • Use the workaround described here
  • Publish to Maven Central (but that's a whole world of pain)
Frans
  • In the end I have published to Bintray. – Alexey Anufriev Oct 20 '20 at 15:03
  • @AlexeyAnufriev I found out you can just include the access token in the URL. That might be the way to go for now. I've updated my answer. But for anything but a very trivial setup, I don't think GitHub Packages is the best way to go if you're using Maven. It also sucks that you need a separate repository declaration for each dependency since you can't just do https://maven.pkg.github.com/my-user to get access to all artifacts from all projects in your GitHub org. – Frans Oct 20 '20 at 15:09
  • That is nice, I just do not want to expose any credentials. But for the completeness of the answer it is very useful. – Alexey Anufriev Oct 20 '20 at 19:15
  • Small update: creating a personal access token with read-only access to packages and including it in the pom.xml triggers GitGuardian, which automatically revokes the key. So this is not a solution unless GitGuardian is disabled for the repo. – Prometheus Mar 31 '21 at 15:40
3

Currently, you cannot. There is an ongoing discussion here with this feature request. You can find multiple workarounds in that discussion thread and also voice your opinion.

mrts
1

The accepted answer no longer works.

Currently GitGuardian automatically revokes the Personal Access Token (PAT) if that method is applied in public repositories. As recommended by GitHub staff, the work-around solution is the following:

  1. Create a PAT with just the read:packages scope
  2. Execute docker run ghcr.io/jcansdale/gpr encode

This will output the following:

$ docker run ghcr.io/jcansdale/gpr encode 0123456789abcsef
An encoded token can be included in a public repository without being automatically deleted by GitHub.

These can be used in various package ecosystems like this:

A NuGet `nuget.config` file:
<packageSourceCredentials>
  <github>
    <add key="Username" value="PublicToken" />
    <add key="ClearTextPassword" value="&#48;123456789abcsef" />
  </github>
</packageSourceCredentials>

A Maven `pom.xml` file:
<repositories>
  <repository>
    <id>github-public</id>
    <url>https://public:&#48;123456789abcsef@maven.pkg.github.com/<OWNER>/*</url>
  </repository>
</repositories>

An npm `.npmrc` file:
@OWNER:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken="\u0030123456789abcsef"
You can use this snippet in your project's configuration file.

Note, you shouldn’t include your own read:packages PAT if you have access to any private packages you need to protect. In this case it is best to create a machine-user.

Prometheus
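Both the token-in-URL approach in Frans's answer and the `&#48;`-encoded variant in Prometheus's answer leave the PAT readable to anyone who clones the repository: the character reference only defeats scanners that grep the raw bytes, because the XML parser (Maven's included) decodes `&#48;` back to `0` before the URL is ever used. The script below is an added example, not code from either answer or from GitHub. It parses a constructed `pom.xml` (the tokens in it are fake placeholders shaped like the ones above), reports every `<repository><url>` that carries `user:password@` userinfo after entity decoding, masks the secret in its output, strips the userinfo from the file, and builds the matching `<servers>` block for `~/.m2/settings.xml`, which is where Maven expects repository credentials (it matches `<server><id>` against `<repository><id>`, and interpolates `${env.NAME}` so the token can stay in the environment). The repository ids, hostnames and the `GITHUB_TOKEN` variable name are assumptions for the example.

```python
"""Find, mask and remove credentials embedded in Maven <repository> URLs."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample pom.xml for this example; both tokens are fake placeholders.
# The second URL hides the leading digit behind the &#48; character reference.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository>
      <id>github</id>
      <url>https://my-user:b96e7de7514e45c5@maven.pkg.github.com/my-user/my-repo</url>
    </repository>
    <repository>
      <id>github-public</id>
      <url>https://public:&#48;123456789abcsef@maven.pkg.github.com/OWNER/*</url>
    </repository>
    <repository>
      <id>central</id>
      <url>https://repo.maven.apache.org/maven2</url>
    </repository>
  </repositories>
</project>
"""

# Matches "<url>https://user:pass@" so the userinfo can be cut from the raw text.
_USERINFO_IN_URL = re.compile(r"(<url>\s*https?://)[^<@\s]*@")


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tags of namespaced POMs."""
    return tag.rsplit("}", 1)[-1]


def _mask(secret):
    """Keep only the first two characters so scan output never reproduces the token."""
    return secret[:2] + "*" * (len(secret) - 2) if secret else ""


def find_embedded_credentials(pom_xml):
    """Return one finding per <repository> whose decoded <url> carries userinfo."""
    root = ET.fromstring(pom_xml)          # numeric references like &#48; are decoded here
    findings = []
    for repo in root.iter():
        if _local(repo.tag) != "repository":
            continue
        repo_id, url = "?", ""
        for child in repo:
            if _local(child.tag) == "id":
                repo_id = (child.text or "").strip()
            elif _local(child.tag) == "url":
                url = (child.text or "").strip()
        parts = urlsplit(url)
        if parts.username or parts.password:
            findings.append({
                "id": repo_id,
                "host": parts.hostname,
                "username": parts.username or "",
                "password_masked": _mask(parts.password or ""),
                "password_length": len(parts.password or ""),
            })
    return findings


def strip_credentials(pom_xml):
    """Remove user:pass@ from every repository URL, leaving the rest of the file intact."""
    return _USERINFO_IN_URL.sub(r"\1", pom_xml)


def settings_xml_for(repo_ids, username="my-user", password="${env.GITHUB_TOKEN}"):
    """Build the <servers> block for ~/.m2/settings.xml that replaces the stripped userinfo.
    Maven pairs each <server><id> with the <repository><id> of the same name; the
    username here is a placeholder and the password is read from the environment."""
    lines = ["<servers>"]
    for rid in repo_ids:
        lines += ["  <server>", f"    <id>{rid}</id>",
                  f"    <username>{username}</username>",
                  f"    <password>{password}</password>", "  </server>"]
    lines.append("</servers>")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = find_embedded_credentials(SAMPLE_POM)
    for h in hits:
        print(f"[{h['id']}] {h['username']}:{h['password_masked']}@{h['host']}")
    print(strip_credentials(SAMPLE_POM))
    print(settings_xml_for([h["id"] for h in hits]))
```

Run it over a real pom.xml by reading the file into `find_embedded_credentials`; a non-empty result means the token is committed in clear, whatever escaping was used. The cleaned pom keeps the bare `https://maven.pkg.github.com/...` URL, and the generated `<servers>` block goes into the developer's or CI runner's `settings.xml` rather than into the repository.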
0

If you don't consider a Gradle plugin an additional resource, then I'd suggest mine.

I was exactly in your shoes, you can either:

  • have a GitHub repository acting as a Maven repository
  • or publish on GitHub Packages and ease consumption for Gradle clients
elect