401 Unauthorized downloading a public package from GitHub Packages using Gradle
B

3

13

I am the maintainer of a public GitHub repo. I have set up GitHub Actions to build and publish to GitHub Packages. You can see the package has been created here:

https://github.com/paulschwarz/spring-dotenv/packages/135114

The first thing I notice is that GitHub only gives a Maven installation snippet. I used this code to add the dependency to another project and it appeared to work.

Now I want to import this package into a Gradle project. I added

dependencies {
  implementation ('me.paulschwarz:spring-dotenv:0.0.3')
}

and Gradle tells me

Could not find me.paulschwarz:spring-dotenv:0.0.3.
     Searched in the following locations:
       - https://jcenter.bintray.com/me/paulschwarz/spring-dotenv/0.0.3/spring-dotenv-0.0.3.pom
       - https://repo.maven.apache.org/maven2/me/paulschwarz/spring-dotenv/0.0.3/spring-dotenv-0.0.3.pom

This is already strange because my Maven project appeared to have no problem resolving the dependency. I must say I'm curious how that worked? Surely GitHub Packages isn't integrated with JCenter or Maven Central?

Anyway, next step, add the repository

repositories {
    jcenter()
    mavenCentral()
    maven { url = uri('https://maven.pkg.github.com/paulschwarz/spring-dotenv') }
}

At this point, Gradle should understand where to find the package. However, I get this

      > Could not resolve me.paulschwarz:spring-dotenv:0.0.3.
         > Could not get resource 'https://maven.pkg.github.com/paulschwarz/spring-dotenv/me/paulschwarz/spring-dotenv/0.0.3/spring-dotenv-0.0.3.pom'.
            > Could not GET 'https://maven.pkg.github.com/paulschwarz/spring-dotenv/me/paulschwarz/spring-dotenv/0.0.3/spring-dotenv-0.0.3.pom'. Received status code 401 from server: Unauthorized

Is this really a 401 Unauthorized? Or is the URL wrong and it's trying to hit an authorized endpoint?

If it's genuine, then why? This is a public repo with public packages. I can download the package directly from the GitHub page anonymously. What am I doing wrong in Gradle?

Buckinghamshire answered 25/2, 2020 at 17:57 Comment(3)
I read on the GitHub documentation page that in fact authentication appears to be necessary even for installing the package. This seems a little odd to me. What's the point of having public packages then? I don't need to authenticate against Maven Central. - Buckinghamshire
Hi, GH registry is still young, and there are some issues with some authentication use cases. Keep in mind though, that being a public repository is not the goal of GH registry, since those already exist and are set by default in the various package managers (npmjs.org, Docker Hub, Maven Central ...). The primary use case is for the private packages, for which you will have to do some configuration in any case. - Report
I thought using GitHub Packages would be an easy way to make libraries I've written publicly accessible. Looks like I might have to publish them on Maven Central, which is a pain to do from what I've read. - Ancell
H
6

As you have observed, GitHub doesn't support unauthorized package access right now (but planned in future) as explained by one of their staff (May 27 '20):

Our Maven service doesn’t allow for unauthorized access right now. We plan to offer this in the future but need to improve the service a bit before that.

For Actions you can add a PAT to your secrets store or use the GITHUB_TOKEN to authenticate. In your settings.xml we suggest using the environment variable approach (see setup-java 4) so you don’t store the tokens in the file.

Holly answered 17/8, 2020 at 8:17 Comment(1)
Another thread with many people requesting the same on GitHub Community: Download from Github Package Registry without authentication - Holly
K
2

As mentioned above you need to authenticate to GitHub Packages.

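ext {
  // Read the token from the environment so it is never stored in the build file
  GITHUB_TOKEN = System.getenv("GITHUB_TOKEN")
}

repositories {
  maven {
    url "https://maven.pkg.github.com/paulschwarz/spring-dotenv"
    credentials {
      // GITHUB_USER is a project property from gradle.properties
      username GITHUB_USER
      password GITHUB_TOKEN
    }
  }
}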

Where GITHUB_USER is defined in your gradle.properties and GITHUB_TOKEN is defined as an environment variable. GITHUB_TOKEN is available inside your GitHub Actions workflow file as ${{ secrets.GITHUB_TOKEN }}

You will have to define it yourself when running locally.

Kagera answered 15/5, 2021 at 21:38 Comment(0)
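
An added example, not code from the answers above or from the spring-dotenv project: a build.gradle that authenticates to the GitHub Packages repository from the question, stops with a clear message when no credentials are set instead of surfacing the 401, and restricts that repository to the me.paulschwarz group so it is never queried for unrelated dependencies. The property names gpr.user and gpr.token are assumptions; it also assumes Gradle 6.2 or later for exclusiveContent.

```groovy
// build.gradle (Groovy DSL). Added example; gpr.user and gpr.token are assumed property names.
plugins {
    id 'java'
}

// Prefer ~/.gradle/gradle.properties locally, fall back to environment variables in CI.
def gprUser = providers.gradleProperty('gpr.user')
        .orElse(providers.environmentVariable('GITHUB_ACTOR'))
        .getOrNull()
def gprToken = providers.gradleProperty('gpr.token')
        .orElse(providers.environmentVariable('GITHUB_TOKEN'))
        .getOrNull()

// Without credentials the registry answers 401, as in the question; fail with a clearer message.
if (!gprUser || !gprToken) {
    throw new GradleException(
        'GitHub Packages needs credentials: set gpr.user/gpr.token in ' +
        '~/.gradle/gradle.properties or export GITHUB_ACTOR/GITHUB_TOKEN ' +
        '(a personal access token with the read:packages scope).')
}

repositories {
    mavenCentral()
    // me.paulschwarz artifacts are resolved here and nowhere else, and no other
    // group is ever looked up in the authenticated repository.
    exclusiveContent {
        forRepository {
            maven {
                name = 'GitHubPackages'
                url = uri('https://maven.pkg.github.com/paulschwarz/spring-dotenv')
                credentials {
                    username = gprUser
                    password = gprToken
                }
            }
        }
        filter {
            includeGroup 'me.paulschwarz'
        }
    }
}

dependencies {
    implementation 'me.paulschwarz:spring-dotenv:0.0.3'
}
```

Keep gpr.token in the user-level ~/.gradle/gradle.properties rather than the project's gradle.properties, so the token is not committed with the repository.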
L
0

In my case, I'm using Maven. After researching around, it ended up that I needed to generate a GitHub token instead of using the plain GitHub user login password.

Luger answered 29/10, 2021 at 16:25 Comment(0)
