Closed serpro69 closed 5 months ago
Looking at the deploy
output from local, I can see it does actually try to download the maven metadata:
[DEBUG] Using transporter HttpTransporter with priority 5.0 for https://maven.pkg.github.com/org/maven-packages
[DEBUG] Using connector BasicRepositoryConnector with priority 0.0 for https://maven.pkg.github.com/org/maven-packages with username=serpro69, password=***
Uploading to github: https://maven.pkg.github.com/org/maven-packages/foo/bar/parent-pom/0.0.1/parent-pom-0.0.1.pom
Uploaded to github: https://maven.pkg.github.com/org/maven-packages/foo/bar/parent-pom/0.0.1/parent-pom-0.0.1.pom (20 kB at 5.3 kB/s)
Downloading from github: https://maven.pkg.github.com/org/maven-packages/foo/bar/parent-pom/maven-metadata.xml
Downloaded from github: https://maven.pkg.github.com/org/maven-packages/foo/bar/parent-pom/maven-metadata.xml (224 B at 366 B/s)
[DEBUG] Writing tracking file '/home/sergio/.m2/repository/foo/bar/parent-pom/resolver-status.properties'
Uploading to github: https://maven.pkg.github.com/org/maven-packages/foo/bar/parent-pom/maven-metadata.xml
Uploaded to github: https://maven.pkg.github.com/org/maven-packages/foo/bar/parent-pom/maven-metadata.xml (333 B at 434 B/s)
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 5.638 s
[INFO] Finished at: 2024-04-09T13:47:20+02:00
I suppose that's what's failing. But why is this failing? Am I missing something in the workflow?
Thinking out loud here, this is the servers part of the settings.xml
<server>
<id>
github
</id>
<username>
serpro69
</username>
<password>
***
</password>
</server>
The password comes from GITHUB_TOKEN
. Is it assumed that GITHUB_ACTOR
(in this case the PR author) can use the action's GITHUB_TOKEN
to authenticate to the packages repo?
The strangest thing, it fails on lookup of a package, not upload of it...
I'm completely confused why this isn't working, since according to documentation this should be pretty simple.
Even tried to set all possible permissions to write
for the job:
permissions:
actions: write
checks: write
contents: write
deployments: write
id-token: none
issues: write
packages: write
pages: write
pull-requests: write
repository-projects: write
security-events: write
statuses: write
That still fails when I try to use GITHUB_TOKEN
. The only way this works for me so far is if I try to use a secret with my own personal token, which is so far from ideal I can't even see such a workaround being viable.
GITHUB_TOKEN seems to be completely broken for this purpose.
Hello @serpro69 Thank you for creating this issue. We will investigate it and get back to you as soon as we have some feedback.
Thanks @HarithaVattikuti ,
I've spent an entire day yesterday with this, and it does not seem like authentication with github.actor
+ github.token
is possible at the moment for maven packages.
This works perfectly fine when I use a personal token and a username of the token owner, so it's very likely that something is wrong with the GITHUB_TOKEN
.
Hi @serpro69, publishing the package only requires the GITHUB_TOKEN, no server configuration needed. However, if you're planning to install packages linked to other private repositories, you'll need a PAT (Personal Access Token). For further details, please check the GitHub Packages Documentation.
Hi @mahabaleshwars . I see, thank you for the comment. I suppose you're referring to this part of the docs:
a personal access token (classic) with at least read:packages scope to install packages associated with other private repositories (which GITHUB_TOKEN can't access).
I guess it makes sense, if GITHUB_TOKEN
can't access other repos, you won't be able to publish to them using this token either.
I do wish that the docs were a bit more clearer on this. E.g. in Publishing a package docs, it says :
If you would like to publish multiple packages to the same repository, you can include the URL of the repository in the
element of the pom.xml file. GitHub will match the repository based on that field. Since the repository name is also part of the distributionManagement element, there are no additional steps to publish multiple packages to the same repository.
Which is what made me think that this should work, since it explicitly says "no other steps are needed" and doesn't mention the token details.
But I suppose documentation updates are beyond the scope of this issue, so I'll close it.
Thanks again for providing the details on how this is supposed to work.
Description:
When trying to deploy maven artifact to github packages,
mvn deploy
fails with an error "Could not find artifact foo.bar:parent-pom:pom:0.0.1 in github"The weird error is that
foo.bar:parent-pom:0.0.1
is the artifact I'm trying to publish in the first place, so why is it trying to download it?Note: this is the first package version. Don't know if this matters. But I can successfully deploy from local using a token with
package:write
permissions, so I think this has something to do with the workflow, rather than the fact that the package doesn't exist.Output from maven:
Task version:
v4
Platform:
Runner type:
Repro steps:
A description with steps to reproduce the issue. If your have a public example or repo to share, please provide the link.
Maven pom distribution management:
Expected behavior:
Package should be published
Actual behavior: