How to allow unauthorised read access to GitHub packages maven repository?

[mstyura]

Hello,

I have repository with java project and configured GitHub Actions workflow, which publishes jar into GitHub Packages maven repository.

I would like to use the published JAR package in other project, so I need to add it to pom.xml:

<dependency>
  <groupId>my.group</groupId>
  <artifactId>myartifact</artifactId>
  <version>1.0.1</version>
</dependency> 

I also need to add maven repository into pom.xml.

    <repository>
      <id>github-me-my-repo</id>
      <layout>default</layout>
      <name>GitHub Packages Repo</name>
      <releases><enabled>true</enabled></releases>
      <snapshots><enabled>false</enabled></snapshots>
      <url>https://maven.pkg.github.com/me/my-repo</url>
    </repository>

This does not work, because when maven attempt to download artifact it failes, because request is unauthorized.

GitHub Packages help tells that I need to add my user name and token into settings.xml.

This probably fixes an issue.
But there is so much nonsense in this requirement.

For example, if I clone some project which rely on dependencies hosted on GitHub Packages maven repo I’ll fail to compile it. Will have to investigate what the heck is going on. Figure out that I need to register on GitHub. Then generate token. Store in in ~/.m2/settings.xml. And only then the project might compile.

On the other hand the dependency JAR could be downloaded manually via https://github.com/me/my-repo/packages, so why on earth authorization is required when downloaded via maven?

Is there any hidden setting to turn off requirement?

[mstyura]

Found out topic raising exactly the same issue Download from Github Package Registry without authentication

[aSemy]

GitHub has apparently deleted that topic, which is a shame. Here is a web-archive https://web.archive.org/web/20210121141140/https://git.luolix.topmunity/t/download-from-github-package-registry-without-authentication/14407

[clarkbw]

Our Maven service doesn’t allow for unauthorized access right now. We plan to offer this in the future but need to improve the service a bit before that.

For Actions you can add a PAT to your secrets store or use the GITHUB_TOKEN to authenticate. In your settings.xml we suggest using the environment variable approach (see setup-java) so you don’t store the tokens in the file.

[nbrugger-tgm]

It is 3 4 years now - is there any timespan / updates / plan or ETA?

[Siedlerchr]

We want to use this to publish an open source library/fork that can be consumed from everyone without a token. So having any kind of auth only makes sense for private packages. I mean container registry public is also without auth

[glelouet]

That literally defeats the role of a maven repository.
The dev who made the code already has the packages installed on his own machine, since "mvn install" does exactly that.

[pmeister]

New plan: not gonna happen.
https://github.com/orgs/community/discussions/26634#discussioncomment-8527086

[jcansdale]

For example, if I clone some project which rely on dependencies hosted on GitHub Packages maven repo I’ll fail to compile it. Will have to investigate what the heck is going on. Figure out that I need to register on GitHub. Then generate token. Store in in ~/.m2/settings.xml . And only then the project might compile.

There are a few thing you can do to make this a little less painful.

1. Create a settings.xml file at the root of your repository
2. Create a .mvn/maven.config file that contains -s settings.xml
3. Generate a PAT with just the read:packages scope

If your repository is private, you can place the PAT directly in your settings.xml file. If your repository is public, you can’t push the raw PAT to your repository because GitHub will automatically delete it. What you can do instead is store an XML encoded version of the PAT (to prevent automatic deletion).

You can find an example of this here:

GitHub

jcansdale-test/maven-consume

An example Maven project that consumes a package. Contribute to jcansdale-test/maven-consume development by creating an account on GitHub.

You can now clone and compile like this:

git clone https://github.com/jcansdale-test/maven-consume
cd maven-consume
mvn compile

If you have Docker installed, you can generate an XML encoded PAT like by doing:

docker run jcansdale/gpr encode TOKEN

I hope that helps!

[pmdevita]

My maven.config file had to be -ssettings.xml but this otherwise worked great, thank you!

[vikulin]

-s settings.xml should be two lines in the latest Maven version

[pmeister]

jcansdale:

xmlEncode

This works! Thank you! One small tweak: it’s just encode, not xmlEncode.

[mrts]

Hi @clarkbw! Any news regarding allowing public access to Maven packages?

[clarkbw]

Still in the future column on the roadmap. Hopefully in the fall this year.

[Fabricio20]

Hey @clarkbw, thanks for the update! I’d like to bring to attention that JCenter is being shut down globally on 1st may this year. JCenter is currently one of the biggest maven repositories in the world in amount of artifacts.

There are several projects currently looking for a new home and while github package registry looks awesome, this one particular (missing) feature is preventing several projects I know from choosing github packages over self-hosting.

It’s pretty rare for a developer to have a github PAT on their maven (or gradle) configuration (much less on both) and it’s quite a barrier to entry for new developers (needing to create a github account → learning which of the 40 options to create a PAT → learning how to configure maven (or/and gradle) and their IDE).

It would be very interesting if this could be prioritized before the JCenter sunsetting deadline and could bring several people to use github packages (it’s A LOT easier than central).

[Andre601]

Having this available for pretty much everyone to use would be a great option.

• Maven is quite slow according to various developers
• Jcenter is obviously shutting down, as stated by @Fabricio20
• Selfhosting is either not cheap or resource intense and would require extra stuff like domain, server setup, etc.
• Other options may not be free or under heavy restrictions.

I also wanted to use this once, but never got it to work. The publication gave an error with a 4xx code (I believe it was 403) yet (parts of) the package where apparently distributed to the upstream repo.
So because of that did I keep this down for the moment, but if this maven/gradle bug is actually fixed (Support told me it was a bug on your end) AND this allows anyone to download packages without registration and/or a PAT, would I perhaps give it another chance…

[ftomassetti]

I also would love to see this delivered. As of now GitHub packages are useful to provide packages to our clients, but for our open-source work they cannot be used, as I cannot expect users to register to GitHub and set up the CI to obtain a token just for these packages

[ftomassetti]

I wonder if in the meantime one could create a proxy service that access the Maven repo on GitHub and just exposes it without authentication needed. Not ideal and a bit of extra work but it does not seem predictable when we will get this feature from GitHub. Maybe never

[AAverin]

@clarkbw Any update on the topic? You mentioned fall last year, was it pushed back?

[daniftodi]

@clarkbw any news on this?

[mkep-dev]

Yep. It would be great if github solves this.
Public repository with the need of authentication for packages still sounds like a bad april fool…
Please fix this.

[mkjsix]

As I manage some open source Java projects on Github, I can’t ask people to authenticate before using the repo, so I switched to https://jitpack.io as a Maven repo.

[exbotanical]

Is there anything we the community can do to help get this feature implemented faster? I won't presume to know the reasoning behind this requirement, but as others have said, it's extremely restrictive.

[firestar]

This is still a very important feature. not having the public repos really makes using maven repos not worth it.....

[40in]

Having PAT on public NPM packages makes this feature useless. Not a surprise I wasn't able to find any well known open source web projects using NPM Github Packages (checked angular, react, vuejs, bootstrap etc)

[supertick]

Agree with the common sentiment here, not very useful unless it behaves like all the other large package repos

[lagergren]

Still nothing after all these years. This is extremely frustrating. I'm curious about the politics behind this, as it can't be that hard, and searching for solutions to this problem just comes up with a very wide range of users expressing the same frustration :-(

[pmeister]

It is very strange. Github keeps improving in many excellent ways, but the package repository seems to get no attention whatsoever. It's still plagued by poor performance and stability too.

[jo-elimu]

Until GitHub removes the auth requirement, here is a good alternative: https://jitpack.io/

[Siedlerchr]

Jitpack is unfortunately very unreliable

[jo-elimu]

Unreliable how?

[tr7zw]

Please never use Jitpack. It's an unmaintained and broken mess. Even as the author you can't opt out or delete old builds jitpack created without permission or asking.

[jo-elimu]

If you are working on an open source project that needs to distribute Maven libraries in a developer-friendly way, isn't Jitpack one of the very few (if not only) options?

Anyway, we have been using Jitpack for a while, and it works well for our purpose (distributing Android .aar libraries to other open source Android apps. It integrates well with the GitHub release system.

Example here: https://jitpack.io/#elimu-ai/content-provider

[lagergren]

Let's not derail the conversation too much from GitHub packages. It currently does not fit our usage and hosting model. I'm still requesting some info on why the GitHub packages require credentials still, and how hard it would be to potentially fix it? Is it really complex for some reason I can't think of?

Anyway - this is what I want for Christmas, GitHub.

[thiagobarbosa]

Seems like Santa is not coming with this gift this year.
In the meantime, I'm using a custom proxy to handle the Github authentication and exposing my packages publicly.
That allows me to import my libraries like this:

repositories {
    mavenCentral()
    maven {
        url = uri("https://urlForYourProxy")
    }
}

dependencies {
    implementation "com.{your-org-id}.{your-package-name}:{your-version}"
}

You can find the source code here. Can't wait to kill this project when Github allows unauthenticated requests to packages.

[vikulin]

Now you can kill your project:
https://github.com/orgs/community/discussions/26634#discussioncomment-9870811

[bitkid]

this is so absurd that it is still not working. are there any plans from github to get that running? @jcansdale and if so? when? :)

[bantu]

This is disappointing to read after having spent significant time getting familiar with and publishing packages to GitHub Packages. We will switch to Maven Central for publishing open source packages.

[Haarolean]

Got a reply from support:

Hi Roman,
 
I have finally managed to get a definitive answer for this question.
 
GitHub Packages does not have plans to offer anonymous access for package types that have public registries of record supporting the ecosystem. We advise users to publish packages intended for retrieval without authentication to registries like Maven Central.
 
I'm sorry this wasn't the answer you were hoping to hear!

That's one of a questionable moves for sure, as it defeats the purpose of a maven repository and it's a nice 180 degrees turn on their side considering their past statement.

[glelouet]

Yes, that's a problem of your answer.

I don't need to propose something better to explain why it is bad.
More precisely, whether or not I can propose something better does not make your proposal a better one.

Learn humility rather than arrogance.

[vikulin]

Yes, that's a problem of your answer.

I don't need to propose something better to explain why it is bad. More precisely, whether or not I can propose something better does not make your proposal a better one.

Learn humility rather than arrogance.

My proposal works well for me and anyone else who builds my app. This is all I need.

[vikulin]

Yes, that's a problem of your answer.

I don't need to propose something better to explain why it is bad. More precisely, whether or not I can propose something better does not make your proposal a better one.

Learn humility rather than arrogance.

As I promised there is a final solution: make a GitHub repo to act as a Maven repo. No sensitive info in scripts!

This working script to publish artifacts into separate repo:

name: Java CI

on: 
  workflow_dispatch:

permissions:                    # Global permissions configuration starts here
  contents: write
  pull-requests: write

jobs:
  build:

    runs-on: ubuntu-latest

    steps:
    - name: Checkout this repo
      uses: actions/checkout@v4

    - name: Set up JDK 1.8
      uses: actions/setup-java@v4
      with:
        distribution: 'adopt'
        java-version: '8'
    
    - name: Extract latest commit message and hash
      run: |
        GIT_MESSAGE=$(git log -1 --pretty=format:"%s")
        GIT_HASH=$(git log --pretty=format:'%h' -n 1)
        echo "GIT_MESSAGE=$GIT_MESSAGE" >> $GITHUB_ENV
        echo "GIT_HASH=$GIT_HASH" >> $GITHUB_ENV

    - name: Install xmlstarlet
      run: sudo apt-get install -y xmlstarlet

    - name: Build with Gradle
      run: |
        bash ./gradlew build
        bash ./gradlew publishToMavenLocal

    - name: Extract artifactId, groupId, version from generated POM file
      id: extract_version
      run: |
        xml_file=$(find ~/.m2/repository -type f -name "*.pom" -print -quit)
        VERSION=$(xmlstarlet sel -N xmlns="http://maven.apache.org/POM/4.0.0" -t -v "//xmlns:project/xmlns:version" "$xml_file")
        GROUPID=$(xmlstarlet sel -N xmlns="http://maven.apache.org/POM/4.0.0" -t -v "//xmlns:project/xmlns:groupId" "$xml_file" | sed 's/\./\//g')
        ARTIFACTID=$(xmlstarlet sel -N xmlns="http://maven.apache.org/POM/4.0.0" -t -v "//xmlns:project/xmlns:artifactId" "$xml_file")       
        echo "VERSION=$VERSION" >> $GITHUB_ENV
        echo "GROUPID=$GROUPID" >> $GITHUB_ENV
        echo "ARTIFACTID=$ARTIFACTID" >> $GITHUB_ENV

    - name: Checkout artifact repo
      uses: actions/checkout@v4
      with:
        repository: 'RiV-chain/artifact'
        ref: ${{ github.head_ref }}
        fetch-depth: 0
        token: ${{ secrets.MAVEN_PAT }}

    - name: Create package directories
      run: |
        mkdir -p ${{ env.GROUPID }}/${{ env.ARTIFACTID }}/${{ env.VERSION }}

    - name: Copy JAR, POM, SHA-1, and MD5 files
      run: |
        FIRST_TERM=$(echo "${{ env.GROUPID }}" | cut -d'/' -f1)
        cp -r ~/.m2/repository/$FIRST_TERM .
        mv ${{ env.GROUPID }}/${{ env.ARTIFACTID }}/maven-metadata-local.xml ${{ env.GROUPID }}/${{ env.ARTIFACTID }}/maven-metadata.xml
        sha1sum ${{ env.GROUPID }}/${{ env.ARTIFACTID }}/${{ env.VERSION }}/${{ env.ARTIFACTID }}-${{ env.VERSION }}.jar > ${{ env.GROUPID }}/${{ env.ARTIFACTID }}/${{ env.VERSION }}/${{ env.ARTIFACTID }}-${{ env.VERSION }}.jar.sha1
        md5sum ${{ env.GROUPID }}/${{ env.ARTIFACTID }}/${{ env.VERSION }}/${{ env.ARTIFACTID }}-${{ env.VERSION }}.jar > ${{ env.GROUPID }}/${{ env.ARTIFACTID }}/${{ env.VERSION }}/${{ env.ARTIFACTID }}-${{ env.VERSION }}.jar.md5
        sha1sum ${{ env.GROUPID }}/${{ env.ARTIFACTID }}/${{ env.VERSION }}/${{ env.ARTIFACTID }}-${{ env.VERSION }}.pom > ${{ env.GROUPID }}/${{ env.ARTIFACTID }}/${{ env.VERSION }}/${{ env.ARTIFACTID }}-${{ env.VERSION }}.pom.sha1
        md5sum ${{ env.GROUPID }}/${{ env.ARTIFACTID }}/${{ env.VERSION }}/${{ env.ARTIFACTID }}-${{ env.VERSION }}.pom > ${{ env.GROUPID }}/${{ env.ARTIFACTID }}/${{ env.VERSION }}/${{ env.ARTIFACTID }}-${{ env.VERSION }}.pom.md5

    - name: Commit and push files
      run: |
        git config user.name "${{ github.actor }}"
        git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
        git add .
        git commit -m "${{ env.GIT_MESSAGE }} https://github.com/${{ github.event.repository.full_name }}/commit/${{ env.GIT_HASH }}. Version: ${{ env.VERSION }}"

    - name: Push changes
      uses: ad-m/github-push-action@master
      with:
        github_token: ${{ secrets.MAVEN_PAT }}
        repository: RiV-chain/artifact
        force_with_lease: true

https://github.com/RiV-chain/rlp/blob/master/.github/workflows/gradle.yml

This is result in target repo acting as a Maven repo:
https://github.com/RiV-chain/artifact

[Andre601]

And this really works? It seems like a overcomplicated system to setup. Especially if in such a case you could just use jitpack for more or less the same result with much less work.

Also, a little tip: Maybe don't publicly share your e-mail used in your example, to avoid copy-pasters from using it without thinking first. Just a thought.

[vikulin]

And this really works? It seems like a overcomplicated system to setup. Especially if in such a case you could just use jitpack for more or less the same result with much less work.

Also, a little tip: Maybe don't publicly share your e-mail used in your example, to avoid copy-pasters from using it without thinking first. Just a thought.

Yes, it works. I have already correct email hard coded issue and added auto comments with latest commit hash link. Here is much more advanced setup but in other hand there is totally most flexible way:

• Comments for each artifact release with links to latest commit hash
• Git branches give you set of repos such as main, develop, stg and whatever you desire
• The repo or a particular artifact can be rolled back to any previous state
• Can be converted to a GitHub Action
• Everyone may create a fork for the repo and publish new artifacts with convenient GitHub approval workflow

I think this is not the end of the list of advantages over jitpack.

[nbrugger-tgm]

Yes update is basically: won't happen. Source: #26634 (comment)

[vikulin]

An another example for Gradle was even simpler: put your repo link with such code and replace the base64 encoded string with a data encoding your login:token.

maven {
            url "https://${new String("dmlrdWxpbjpnaHBfNVJ4QkwzZENSa2lET3ZjRUtpZzk0ZkpIcW5OQm9HMjhCSm51".decodeBase64())}@maven.pkg.github.com/RiV-chain/rlp"
        }

[nbrugger-tgm]

While yes this is a nice hack in gradle, sadly it doesn't solve the underlying issue of GitHub not allowing unauthorized downloads.

Asking every "customer" of your lib to add this hack to their gradle scripts is not a good selling point. They would need that for every GitHub lib. Adding 3 lines of bizzare code is not user friendly

[vikulin]

While yes this is a nice hack in gradle, sadly it doesn't solve the underlying issue of GitHub not allowing unauthorized downloads.

Asking every "customer" of your lib to add this hack to their gradle scripts is not a good selling point. They would need that for every GitHub lib. Adding 3 lines of bizzare code is not user friendly

I will check this out https://docs.github.com/en/contributing/writing-for-github-docs/configuring-redirects which would redirect to a project artifacts with pom.xml and related jars removing middle group ID from URLs.

[vikulin]

See: https://github.com/orgs/community/discussions/26634#discussioncomment-9864757

[vikulin]

Created Maven publish action https://github.com/RiV-chain/github-publish-maven-action

Example of usage:

name: Build and Publish

on:
  workflow_dispatch:

jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    steps:
      - name: Use Maven publish action
        uses: RiV-chain/github-publish-maven-action@main
        with:
          gh_pat: ${{ secrets.PAT }}
          artifact_repo: 'RiV-chain/artifact'
          gradle_file_path: './gradlew'
          java_version: '8'
          distribution: 'adopt'

1. Add following lines in build.gradle build script:

publishing {
    repositories {
        mavenLocal()
    }
    publications {
        gpr(MavenPublication) {
            from(components.java)
        }
    }
}

2. Register secret.PAT with permission for your Maven repo and replace the path it in artifact_repo parameter.

3. Add your repo URL in build.gradle. Your Maven repo will have path https://github.com/<username>/<repo>/raw/<branch>. Example repo.

    repositories {
        maven {
            url "https://github.com/RiV-chain/artifact/raw/main"
        }
    }

[nort3x]

Microsoft Vendor Locking

if you think we ask or can convince community to join github and generate a PAT to download a jar file you are wrong, it's unnecessary.
I'm using central now and I'm transferring my projects to gitlab

[vikulin]

This is exactly what my answer solved. There is no need to generate PAT to download files from repos. It's necessary only for a publisher that is obviously acceptable. See my example above:
https://github.com/orgs/community/discussions/26634#discussioncomment-9870811

[nort3x]

nice solution i can use this for my passion projects but i'm blaming whoever made this decision that this should be a problem in first place

[vikulin]

I created a GitHub Action which receives artifact URL, artifact id, group id, destination repo and PAT.

Example of usage:

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:

      - name: Run custom GitHub Action to download and publish artifact
        uses: RiV-chain/copy-remote-file-maven-action@main
        with:
          artifact_repo: ${{ inputs.artifact_repo }}
          gh_pat: ${{ secrets.MAVEN_PAT }}
          artifact_url: ${{ inputs.artifact_url }}
          artifact_id: ${{ inputs.artifact_id }}
          group_id: ${{ inputs.group_id }}
          version: ${{ inputs.version }}

[vikulin]

I created a GitHub Action which receives artifact local path, artifact sources local path(optional), artifact id, group id, destination repo and PAT

Example of usage:

    - name: Publish aar library to Maven repo
      uses: RiV-chain/copy-local-file-maven-action@main
      with:
        artifact_repo: RiV-chain/artifact
        artifact_path: mesh.aar
        artifact_source_path: mesh-sources.jar
        gh_pat: ${{ secrets.MAVEN_PAT }}
        artifact_id: mesh
        group_id: org.rivchain
        version: 0.4.7.8