How to access github package registry from one repo to other under same organization?

Question

I'm working under organization Org which has two different repositories repo-1 and repo-2.
I had uploaded some 50 odd Maven dependencies to GitHub Packages registry of repo-1 and now we're migrating to repo-2. pom.xml and all the GitHub Actions workflows are being copied over as is. So I need to access the same set of dependencies in repo-2 for the Maven build workflows. However, repo-2 is unable to download the dependencies from repo-1 Packages registry.

Workflow snippet:

- name: build
  run: mvn clean package '-Dmaven.test.skip=true' '-Dmaven.wagon.http.pool=false' --file pom.xml -B -X
  env:
    GITHUB_TOKEN: ${{ github.token }}
    MAVEN_OPTS: -Xmx3072M -Xss128M -XX:MetaspaceSize=512M -XX:MaxMetaspaceSize=2048M -XX:+CMSClassUnloadingEnabled

Repository config snippet from pom.xml:

<repositories>
    <repository>
        <id>central</id>
        <url>https://repo1.maven.org/maven2</url>
        <releases>
            <enabled>true</enabled>
        </releases>
        <snapshots>
            <enabled>true</enabled>
        </snapshots>
    </repository>
    <repository>
        <id>1_maven.apache.org</id>
        <releases>
            <enabled>true</enabled>
        </releases>
        <snapshots>
            <enabled>false</enabled>
        </snapshots>
        <url>https://repo.maven.apache.org/maven2</url>
        <layout>default</layout>
    </repository>
    <repository>
        <id>github</id>
        <url>https://maven.pkg.github.com/Org/repo-1</url>
        <snapshots>
            <enabled>true</enabled>
        </snapshots>
        <releases>
            <enabled>true</enabled>
        </releases>
    </repository>
    <repository>
        <id>jasper</id>
        <url>https://jaspersoft.jfrog.io/jaspersoft/third-party-ce-artifacts/</url>
        <releases>
            <enabled>true</enabled>
        </releases>
        <snapshots>
            <enabled>true</enabled>
        </snapshots>
    </repository>
</repositories>

I've admin access to both the repos and here're a few things that I tried:

1. Some access control settings from the official documentation, especially this - Connecting a repository to an organization-owned package on GitHub. Connect Repository button doesn't appear in my case.
2. Used default GitHub token as well as my PAT. (PAT has required access to packages and SSO authorized)
3. Used -X switch. Surprisingly debug logs don't show why exactly the dependencies couldn't be fetched.
4. 2nd and 3rd accessibility options on repo-1 as shown in this snap -

However, nothing worked so far.

Answer 1

You should be able to follow this post: https://www.schakko.de/2020/12/19/using-github-workflow-with-maven-dependencies-from-a-private-github-package-registry/

It is important to note that the GITHUB_TOKEN will only work for uploads. And for downloads within the same repository.

If you want to access a package from another repository, you have to create a personal access token and use username/token as authentication.

So basically your step 2. including your username should work.

Answer 2

As of December 2022 there is a solution.

In your organization, go to packages and select the packages you want access to. Under Package settings on the right you can add other repositories under "Manage Actions access". The other repositories only need read access.

In your YAML workflow file, add permissions for the workflow like so: Permissions example The workflow needs read access to contents and packages

Now you can use GITHUB_TOKEN to download packages in other private repositories

Workflow permissions: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

Repository access: https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#github-actions-access-for-organization-owned-container-images