I would like to use credentials of the physical user during the release. I use following stack: my own maven plugin wrapping maven-release-plugin, jenkins, nexus, git. On Jenkins I use parameters and password mask plugin to provide username and password for the user who is executing the build. The problem is that credentials for Jenkins, Git and Nexus may be different, so I can NOT re-use them. Obviously I could use CI user to authenticate everything but because of some regulations I can not do that.
First I tried to use -Dusername and -Dpassword but 1) this works only for git, 2) password for git and nexus is different. Besides that I want to use key based authentication for git.
Then I tried to programmatically change credentials by changing session/project object before executing maven-release-plugin:
final MavenExecutionRequest request = new DefaultMavenExecutionRequest()
.setLocalRepository(session.getLocalRepository())
.setPluginArtifactRepositories(session.getCurrentProject().getPluginArtifactRepositories())
.setRemoteRepositories(session.getCurrentProject().getRemoteArtifactRepositories())
.setBaseDirectory(new File(properties.getCheckoutDirectory()))
.setPluginGroups(session.getPluginGroups())
.setProjectPresent(true)
.setPom(new File(properties.getCheckoutDirectory() + "/pom.xml"))
.setGoals(Arrays.asList(goal))
.setInteractiveMode(false)
.setUserSettingsFile(new File(session.getSystemProperties().getProperty("user.home") + "/.m2/settings.xml"))
;
request.setUserProperties(preparePropertiesForMvn(properties));
for (ArtifactRepository artifactRepository : session.getCurrentProject().getRemoteArtifactRepositories()) {
if (artifactRepository.getId().equals("nexus-releases")) {
artifactRepository.setAuthentication(new Authentication(properties.getNexusUser(),properties.getNexusPassword()));
}
}
final MavenExecutionResult result = defaultMaven.execute(request);
At very end stage maven-deploy-plugin (which is executed by release plugin) reads ~/.m2/settings.xml file and gets (wrong - CI) credentials from it.
Is there the other way than preparing own customized settings.xml file for the build with builded in credentials? I would like to avoid to store the credentials on the local storage.
You can use the following method to add your own server configuration:
org.apache.maven.settings.Settings.addServer(org.apache.maven.settings.Server)
Tested and verified with help:effective-settings as I have no means to test agains any repository manager at the moment.
As long as you call the above method with your own server configuration ahead of the Maven deploy plugin, you should be good to go.
Server server = new Server();
server.setId("myServer");
server.setUsername("myUserName");
server.setPassword("myPassword");
settings.addServer(server);
Related
Has anybody a working example of how to push a container image into a ghcr using the jib gradle plugin from within a github actions workflow?
I've tried the whole day but whatever combination of password or tokens I try I always end with the jib plugin complaining about an invalid authentication. Although I can push to the ghcr from my local computer with gradlew jib.
Really, I would be very thankful for any help.
> com.google.cloud.tools.jib.plugins.common.BuildStepsExecutionException: Build image failed, perhaps you should make sure you have permissions for ghcr.io/tobias-neubert/eclipse-temurin and set correct credentials. See https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-forbidden-or-denied for help
You have to
allow your repository access to the package (github profile page -> Packages -> Package Settings)
Set the write permission for the GITHUB_TOKEN in your workflow (permissions.packages: write)
I am trying to make my jar available in maven central .All works fine when I do it manually from nexus repository manager UI. Problem occurs when I try to automate the complete steps using sbt-release plugin .On running sonatypeRelease I see it tries to connect to Nexus repository URL: https://oss.sonatype.org/service/local and later failed to connect throwing below error
No credential is found for oss.sonatype.org. Prepare ~/.sbt/(sbt_version)/sonatype.sbt file .
In my sonatype.sbt URL I have set below config
credentials += Credentials(
"Sonatype Nexus Repository Manager",
"s01.oss.sonatype.org",
"username",
"password"
)
I am not sure how can I make sonatypeRelease take the config url instead of default one .I am quite sure this sonatype.sbt is being referenced as publishrelease works and it takes the correct sonatype nexus repository URL.
Any help on this would be helpful
I missed putting these lines in my build.sbt file
sonatypeCredentialHost := "s01.oss.sonatype.org"
sonatypeRepository := "https://s01.oss.sonatype.org/service/local"
I'm using GitLab CI Auto DevOps to compile a project based on Maven based in a DinD (docker-in-docker) runner.
CI job start, and buildpack for Maven is correctly detected (based on herokuish).
How can I configure a custom settings file without switching to a custom .gitlab-ci.yml?
I would like to continue using Auto DevOps.
Because maven needs access to a private repository based on Nexus it is convenient to configure a custom settings.xml (and version it with your source code)
The easiest solution is to include a custom settings.xml. This feature was included in the corresponding buildpack used by Auto DevOps some time ago, as you can see in this article from Heroku buildpacks about "Using a Custom Maven Settings File".
So I defined MAVEN_SETTINGS_PATH variable in .gitlab-ci.yml config file:
variables:
- MAVEN_SETTINGS_PATH: ".m2/settings.xml"
Then, included the file settings.xml in the repository.
Avoid to include secrets or another sensible information
When using a private maven repository with credentials
Finally, you can define in Gitlab some variables to be used in settings.xml. Using Gitlab UI or API add variables for the user, password, and repository url, to be included as environment variables from Gitlab into the job. Then you can use it in settingx.xml like ${env.VARIABLE_NAME}
Example of Gitlab-CI configuration file:
include:
- template: Auto-DevOps.gitlab-ci.yml
variables:
MAVEN_SETTINGS_PATH: ".m2/settings.xml"
AUTO_DEVOPS_BUILD_IMAGE_FORWARDED_CI_VARIABLES: NEXUS_REPO_USER,NEXUS_REPO_PASSWORD,NEXUS_REPO_URL
As a final recommendation, you should avoid to use passwords in environment variables, use native methods from your environment for credentials storage is recommended.
I am the maintainer of a public GitHub repo. I have set up GitHub Actions to build a publish to GitHub Packages. You can see the package has been created here:
https://github.com/paulschwarz/spring-dotenv/packages/135114
The first thing I notice is that GitHub only gives a Maven installation snippet. I used this code to add the dependency to another project and it appeared to work.
Now I want to import this package into a Gradle project. I added
dependencies {
implementation ('me.paulschwarz:spring-dotenv:0.0.3')
}
and gradle tells me
Could not find me.paulschwarz:spring-dotenv:0.0.3.
Searched in the following locations:
- https://jcenter.bintray.com/me/paulschwarz/spring-dotenv/0.0.3/spring-dotenv-0.0.3.pom
- https://repo.maven.apache.org/maven2/me/paulschwarz/spring-dotenv/0.0.3/spring-dotenv-0.0.3.pom
This is already strange because my Maven project appeared to have no problem resolving the dependency. I must say I'm curious how that worked? Surely GitHub Packages isn't integrated with JCenter or Maven Central?
Anyway, next step, add the repository
repositories {
jcenter()
mavenCentral()
maven { url = uri('https://maven.pkg.github.com/paulschwarz/spring-dotenv') }
}
At this point, Gradle should understand where to find the package. However, I get this
> Could not resolve me.paulschwarz:spring-dotenv:0.0.3.
> Could not get resource 'https://maven.pkg.github.com/paulschwarz/spring-dotenv/me/paulschwarz/spring-dotenv/0.0.3/spring-dotenv-0.0.3.pom'.
> Could not GET 'https://maven.pkg.github.com/paulschwarz/spring-dotenv/me/paulschwarz/spring-dotenv/0.0.3/spring-dotenv-0.0.3.pom'. Received status code 401 from server: Unauthorized
Is this really a 401 unauthorized? or is the URL wrong and it's trying to hit an authorized endpoint?
If it's genuine, then why? This is a public repo with public packages. I can download the package directly from the GitHub page anonymously. What am I doing wrong in Gradle?
As you have observed, GitHub doesn't support unauthorized package access right now (but planned in future) as explained by one of their staff (May 27 '20):
Our Maven service doesn’t allow for unauthorized access right now. We plan to offer this in the future but need to improve the service a bit before that.
For Actions you can add a PAT to your secrets store or use the GITHUB_TOKEN to authenticate. In your settings.xml we suggest using the environment variable approach (see setup-java 4) so you don’t store the tokens in the file.
As mentioned above you need to authenticate to GitHub Packages.
ext {
GITHUB_TOKEN = System.getenv("GITHUB_TOKEN")
}
maven {
url "https://maven.pkg.github.com/paulschwarz/spring-dotenv"
credentials {
username GITHUB_USER
password GITHUB_TOKEN
}
}
Where GITHUB_USER is defined in your gradle.properties and GITHUB_TOKEN is defined as an environment variable. GITHUB_TOKEN is available inside your GitHub Actions workflow file as ${{ secrets.GITHUB_TOKEN }}
You will have to define it yourself when running locally.
In my case, I'm using Maven. After researching around, ended up that I need to generate a GitHub token instead of using the plain GitHub user login password one.
I'm trying to set up automated build for go projects. Most people just use github dependencies which don't need credentials. We have some internal dependencies however available on our private git central server. Credentials are needed however to have go access these.
A possible workaround would be to configure a global git variable inside our build machines / build dockers; something like:
git config --global url."https://user:password#private.git.server/".insteadOf "https://private.git.server/"
however this doesn't seem to be the best solution to me, since the password would be stored in a human-readable text file.
I think the git-credentials plugin should be able to help me out; could I maybe export GIT_TERMINAL_PROMPT=1 and let the git-credentials plugin fill in for me?
How could I make sure go get or go install gets access to our private repository in a secure way?
I use a workaround with GITHUB_TOKEN to solve this.
Generate GITHUB_TOKEN here https://github.com/settings/tokens
export GITHUB_TOKEN=xxx
git config --global url."https://${GITHUB_TOKEN}:x-oauth-basic#github.com/mycompany".insteadOf "https://github.com/mycompany"
This way you don't expose the password and can revoke token at any time.
Note: Go uses http when downloading dependencies, not ssh.