1

I want to add a scala Library into my build.sbt dependencies. Here is the sample package, and it publishes in Github registry. This library is not from the official maven repository, I could not find it in Maven repository. I think it could not install in there.

<dependency>
  <groupId>gjuoun</groupId>
  <artifactId>hellopackage_2.13</artifactId>
  <version>0.1.6</version>
</dependency>

And then, I find it should belong to ghcr.io, so I add this line to my build.sbt.

resolvers += "hellopackage" at "http://ghcr.io/gjuoun/hellopackage"

It does not work at all. I could not use it. I am looking for a better to install this package by using resolvers without addSbtPlugin. (I don't want to use pom.xml if possible)

Thanks for any help.

Dmytro Mitin
  • 48,194
  • 3
  • 28
  • 66
JoeYo
  • 59
  • 9
  • 1
    https://stackoverflow.com/questions/74126937/http4s-request-signer-2-13-dependency-is-not-downloaded-from-central-repository – Dmytro Mitin Nov 15 '22 at 03:55
  • 1
    Could you be more specific when you say "it doesn't work"? What are SBT logs? Do you see an attempt to retrieve the artifact from ghcr.io? Any error code/message? – Gaël J Nov 15 '22 at 06:11
  • @GaëlJ The error is about the project can't find the library. It sounds like I did not add the dependency correctly. ```http://ghcr.io/gjuoun/hellopackage``` is wrong, but I don't know how to add this library as my dependency in ```build.sbt``` . – JoeYo Nov 15 '22 at 07:00
  • @DmytroMitin Thank you. so if I want to install the library locally, I have to use my PAT all the time. Is that correct? – JoeYo Nov 15 '22 at 07:01
  • @JoeYo Yes, you have to use a token (see the answer linked). Either the one you usually use or you can create a separate one with necessary minimal permissions for this task. After first successful build the library jar will be cached locally, sbt will use it in the first turn instead of github registry untill something happens to the cache. – Dmytro Mitin Nov 15 '22 at 08:36
  • @JoeYo You can always put a jar to `lib` as well. – Dmytro Mitin Nov 15 '22 at 08:42
  • @JoeYo Why don't you want to use sbt plugin? – Dmytro Mitin Nov 15 '22 at 13:42
  • 2
    @JoeYo it could be helpful for future readers if you copy paste in your message the complete log of error SBT is giving you – Gaël J Nov 15 '22 at 18:05
  • @DmytroMitin Thanks alot for your help, I finally decide to use plugin, I was spending time searching for install packages without passing PAT. Anyway, [this solution](https://stackoverflow.com/questions/74440202/how-to-add-github-maven-registry-into-build-sbt?noredirect=1#comment131427509_74440202) works for me. – JoeYo Nov 15 '22 at 23:05

1 Answers1

3

See details in http4s-request-signer_2.13 dependency is not downloaded from central repository

  • If you don't want to use sbt plugins and you're interested only in building your project but not publishing it (to Github registry) then you can just add to build.sbt
// specifying repo is optional: "_"
resolvers += "Another maven repo" at "https://maven.pkg.github.com/gjuoun/_"

credentials += Credentials(
  "GitHub Package Registry",
  "maven.pkg.github.com",
  "_", // user is ignored
  "ghp_YOUR_GITHUB_TOKEN"
)

libraryDependencies += "gjuoun" %% "hellopackage" % "0.1.6"

That's basically what the plugin does.

For security reasons it's better not to hardcode the token in build.sbt but for example put it into environment variable

credentials += Credentials(
  "GitHub Package Registry",
  "maven.pkg.github.com",
  "_",
  sys.env("GITHUB_TOKEN")
)

You can check that without credentials sbt will not be able to build your project.

The thing is that although manually you can download a JAR from Github in your browser without authentification (and put it into lib), this doesn't mean that Github allow reading, resolving, downloading programmatically via API (sbt, ivy, coursier) without authentification.

You need authentification only the first time. Then JAR will be cached locally in ~/.cache/coursier/v1/https/maven.pkg.github.com/gjuoun/_/gjuoun/hellopackage_2.13/0.1.6/ and will be taken from there further on.

Several quotes:

A valid Github token shouldn't always be mandatory #28

GitHub requires a token even for read-only access to packages.

Credentials should remain optional #34

So the problem I have with this is the fact that resolution from GitHub Packages also requires a token. You can't just download a package unauthenticated, meaning that credentials are necessary at all times regardless of whether or not you're publishing. Honestly, this is a thing that GitHub needs to fix.

Dmytro Mitin
  • 48,194
  • 3
  • 28
  • 66