I am the maintainer of a public GitHub repo. I have set up GitHub Actions to build a publish to GitHub Packages. You can see the package has been created here:
https://github.com/paulschwarz/spring-dotenv/packages/135114
The first thing I notice is that GitHub only gives a Maven installation snippet. I used this code to add the dependency to another project and it appeared to work.
Now I want to import this package into a Gradle project. I added
dependencies {
implementation ('me.paulschwarz:spring-dotenv:0.0.3')
}
and gradle tells me
Could not find me.paulschwarz:spring-dotenv:0.0.3.
Searched in the following locations:
- https://jcenter.bintray.com/me/paulschwarz/spring-dotenv/0.0.3/spring-dotenv-0.0.3.pom
- https://repo.maven.apache.org/maven2/me/paulschwarz/spring-dotenv/0.0.3/spring-dotenv-0.0.3.pom
This is already strange because my Maven project appeared to have no problem resolving the dependency. I must say I'm curious how that worked? Surely GitHub Packages isn't integrated with JCenter or Maven Central?
Anyway, next step, add the repository
repositories {
jcenter()
mavenCentral()
maven { url = uri('https://maven.pkg.github.com/paulschwarz/spring-dotenv') }
}
At this point, Gradle should understand where to find the package. However, I get this
> Could not resolve me.paulschwarz:spring-dotenv:0.0.3.
> Could not get resource 'https://maven.pkg.github.com/paulschwarz/spring-dotenv/me/paulschwarz/spring-dotenv/0.0.3/spring-dotenv-0.0.3.pom'.
> Could not GET 'https://maven.pkg.github.com/paulschwarz/spring-dotenv/me/paulschwarz/spring-dotenv/0.0.3/spring-dotenv-0.0.3.pom'. Received status code 401 from server: Unauthorized
Is this really a 401 unauthorized? or is the URL wrong and it's trying to hit an authorized endpoint?
If it's genuine, then why? This is a public repo with public packages. I can download the package directly from the GitHub page anonymously. What am I doing wrong in Gradle?
As you have observed, GitHub doesn't support unauthorized package access right now (but planned in future) as explained by one of their staff (May 27 '20):
Our Maven service doesn’t allow for unauthorized access right now. We plan to offer this in the future but need to improve the service a bit before that.
For Actions you can add a PAT to your secrets store or use the GITHUB_TOKEN to authenticate. In your settings.xml we suggest using the environment variable approach (see setup-java 4) so you don’t store the tokens in the file.
As mentioned above you need to authenticate to GitHub Packages.
ext {
GITHUB_TOKEN = System.getenv("GITHUB_TOKEN")
}
maven {
url "https://maven.pkg.github.com/paulschwarz/spring-dotenv"
credentials {
username GITHUB_USER
password GITHUB_TOKEN
}
}
Where GITHUB_USER is defined in your gradle.properties and GITHUB_TOKEN is defined as an environment variable. GITHUB_TOKEN is available inside your GitHub Actions workflow file as ${{ secrets.GITHUB_TOKEN }}
You will have to define it yourself when running locally.
In my case, I'm using Maven. After researching around, ended up that I need to generate a GitHub token instead of using the plain GitHub user login password one.
Related
Has anybody a working example of how to push a container image into a ghcr using the jib gradle plugin from within a github actions workflow?
I've tried the whole day but whatever combination of password or tokens I try I always end with the jib plugin complaining about an invalid authentication. Although I can push to the ghcr from my local computer with gradlew jib.
Really, I would be very thankful for any help.
> com.google.cloud.tools.jib.plugins.common.BuildStepsExecutionException: Build image failed, perhaps you should make sure you have permissions for ghcr.io/tobias-neubert/eclipse-temurin and set correct credentials. See https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-forbidden-or-denied for help
You have to
allow your repository access to the package (github profile page -> Packages -> Package Settings)
Set the write permission for the GITHUB_TOKEN in your workflow (permissions.packages: write)
In the logs:
Could not get resource 'https://<locally hosted artifactory>/<virtual repo>/org/springframework/boot/org.springframework.boot.gradle.plugin/2.2.13.RELEASE/org.springframework.boot.gradle.plugin-2.2.13.RELEASE.jar'.
<virtual repo> is a group that, amongst others, contains: https://jcenter.bintray.com and https://repo1.maven.org/maven2/
i do find, in Artifactory UI, the pom of the requested jar
jcenter-cache/org/springframework/boot/org.springframework.boot.gradle.plugin/2.2.13.RELEASE/org.springframework.boot.gradle.plugin-2.2.13.RELEASE.pom
also, there is a permission on the virtual repo that grants to my user rights: READ, Deploy/Cache
when i look into the effective permissions of the pom, in Artifactory UI, my user is there with the mentioned rights
i try to download dependencies with Gradle as the build system for my project, and it is configured with the virtual repo
repositories {
maven {
url "${artifactoryUrl}/<virtual repo>"
credentials {
username "${artifactoryUser}"
password "${artifactoryApiKey}"
}
}
}
this is configured both in settings.gradle under pluginManagement and also in root of build.gradle
(anyway, i think the credentials part works); something else is broken.
the permission in place used to work 2 days before: 2021-05-26 (at some point, it just stoped working)
does this have anything to do with https://jfrog.com/blog/into-the-sunset-bintray-jcenter-gocenter-and-chartcenter/ ?
what should i try to debug this? are there any logs where i can see the request being denied (i do have admin access to Artifactory, but i cannot find anything so far in the logs under System Logs Viewer)
I want to use Go Remote repository proxying Github. I have created Go remote repo github proxying https://github.com/ and I have created a Go virtual repository as well. Credentials added as mentioned in https://www.jfrog.com/confluence/display/RTF/Go+Registry#GoRegistry-RemoteRepositories.
I did everything explained on the link above but when I tried to get the modules I get that:
go env -w GONOSUMDB="*github.com/xxx/*"
export GOPROXY="https://test:%5Bredacted%5D#xxx.jfrog.io/artifactory/api/go/go"
go mod download -x
get https://test:%5Bredacted%5D#xxx.jfrog.io/artifactory/api/go/go/github.com/xxx/platform/#v/v0.21.0.mod
get https://test:%5Bredacted%5D#xxx.jfrog.io/artifactory/api/go/go/github.com/xxx/platform/#v/v0.21.0.mod: 404 Not Found (0.894s)
go: github.com/xxx/platform#v0.21.0: reading https://test:%5Bredacted%5D#xxx.jfrog.io/artifactory/api/go/go/github.com/xxx/platform/#v/v0.21.0.mod: 404 Not Found
Besides that, I can get public modules from github. Auth seems not working.
You should upgrade to JFrog Artifactory 6.19+ or 7.4.0+ as this was a missing feature until then (https://www.jfrog.com/jira/browse/RTFACT-19395).
I'm trying to set up automated build for go projects. Most people just use github dependencies which don't need credentials. We have some internal dependencies however available on our private git central server. Credentials are needed however to have go access these.
A possible workaround would be to configure a global git variable inside our build machines / build dockers; something like:
git config --global url."https://user:password#private.git.server/".insteadOf "https://private.git.server/"
however this doesn't seem to be the best solution to me, since the password would be stored in a human-readable text file.
I think the git-credentials plugin should be able to help me out; could I maybe export GIT_TERMINAL_PROMPT=1 and let the git-credentials plugin fill in for me?
How could I make sure go get or go install gets access to our private repository in a secure way?
I use a workaround with GITHUB_TOKEN to solve this.
Generate GITHUB_TOKEN here https://github.com/settings/tokens
export GITHUB_TOKEN=xxx
git config --global url."https://${GITHUB_TOKEN}:x-oauth-basic#github.com/mycompany".insteadOf "https://github.com/mycompany"
This way you don't expose the password and can revoke token at any time.
Note: Go uses http when downloading dependencies, not ssh.
I would like to use credentials of the physical user during the release. I use following stack: my own maven plugin wrapping maven-release-plugin, jenkins, nexus, git. On Jenkins I use parameters and password mask plugin to provide username and password for the user who is executing the build. The problem is that credentials for Jenkins, Git and Nexus may be different, so I can NOT re-use them. Obviously I could use CI user to authenticate everything but because of some regulations I can not do that.
First I tried to use -Dusername and -Dpassword but 1) this works only for git, 2) password for git and nexus is different. Besides that I want to use key based authentication for git.
Then I tried to programmatically change credentials by changing session/project object before executing maven-release-plugin:
final MavenExecutionRequest request = new DefaultMavenExecutionRequest()
.setLocalRepository(session.getLocalRepository())
.setPluginArtifactRepositories(session.getCurrentProject().getPluginArtifactRepositories())
.setRemoteRepositories(session.getCurrentProject().getRemoteArtifactRepositories())
.setBaseDirectory(new File(properties.getCheckoutDirectory()))
.setPluginGroups(session.getPluginGroups())
.setProjectPresent(true)
.setPom(new File(properties.getCheckoutDirectory() + "/pom.xml"))
.setGoals(Arrays.asList(goal))
.setInteractiveMode(false)
.setUserSettingsFile(new File(session.getSystemProperties().getProperty("user.home") + "/.m2/settings.xml"))
;
request.setUserProperties(preparePropertiesForMvn(properties));
for (ArtifactRepository artifactRepository : session.getCurrentProject().getRemoteArtifactRepositories()) {
if (artifactRepository.getId().equals("nexus-releases")) {
artifactRepository.setAuthentication(new Authentication(properties.getNexusUser(),properties.getNexusPassword()));
}
}
final MavenExecutionResult result = defaultMaven.execute(request);
At very end stage maven-deploy-plugin (which is executed by release plugin) reads ~/.m2/settings.xml file and gets (wrong - CI) credentials from it.
Is there the other way than preparing own customized settings.xml file for the build with builded in credentials? I would like to avoid to store the credentials on the local storage.
You can use the following method to add your own server configuration:
org.apache.maven.settings.Settings.addServer(org.apache.maven.settings.Server)
Tested and verified with help:effective-settings as I have no means to test agains any repository manager at the moment.
As long as you call the above method with your own server configuration ahead of the Maven deploy plugin, you should be good to go.
Server server = new Server();
server.setId("myServer");
server.setUsername("myUserName");
server.setPassword("myPassword");
settings.addServer(server);