Stuck 403 forbidden while deploying

[ylambrus]

Hi,

Trying to deploy a snapshot on sonatype nexus using the following workflow:

- name: Nexus Repo Publish
      uses: sonatype-nexus-community/nexus-repo-github-action@master
      with:
        serverUrl: https://oss.sonatype.org/content/repositories/snapshots
        username: ${{ secrets.SONARTYPE_USER }}
        password: ${{ secrets.SONARTYPE_SEC }}
        format: maven2
        repository: Snapshots
        coordinates: groupId=net.loobpack.kafka-connect-healthchecks artifactId=kafka-connect-healthcheck-extension version=0.0.6-SNAPSHOT
        assets: extension=jar
        filename: ./target/kafka-connect-healthcheck-extension-0.0.6-SNAPSHOT.jar

Though I keep having the following error :

Run sonatype-nexus-community/nexus-repo-github-action@master
/usr/bin/docker run --name cc4956589bd97751d24f429203ebe79577279a_a567f9 --label cc4956 --workdir /github/workspace --rm -e JAVA_HOME_8.0.275_x64 -e JAVA_HOME -e JAVA_HOME_8_0_275_X64 -e INPUT_SERVERURL -e INPUT_USERNAME -e INPUT_PASSWORD -e INPUT_FORMAT -e INPUT_REPOSITORY -e INPUT_COORDINATES -e INPUT_ASSETS -e INPUT_FILENAME -e HOME -e GITHUB_JOB -e GITHUB_REF -e GITHUB_SHA -e GITHUB_REPOSITORY -e GITHUB_REPOSITORY_OWNER -e GITHUB_RUN_ID -e GITHUB_RUN_NUMBER -e GITHUB_RETENTION_DAYS -e GITHUB_ACTOR -e GITHUB_WORKFLOW -e GITHUB_HEAD_REF -e GITHUB_BASE_REF -e GITHUB_EVENT_NAME -e GITHUB_SERVER_URL -e GITHUB_API_URL -e GITHUB_GRAPHQL_URL -e GITHUB_WORKSPACE -e GITHUB_ACTION -e GITHUB_EVENT_PATH -e GITHUB_ACTION_REPOSITORY -e GITHUB_ACTION_REF -e GITHUB_PATH -e GITHUB_ENV -e RUNNER_OS -e RUNNER_TOOL_CACHE -e RUNNER_TEMP -e RUNNER_WORKSPACE -e ACTIONS_RUNTIME_URL -e ACTIONS_RUNTIME_TOKEN -e ACTIONS_CACHE_URL -e GITHUB_ACTIONS=true -e CI=true -v "/var/run/docker.sock":"/var/run/docker.sock" -v "/home/runner/work/_temp/_github_home":"/github/home" -v "/home/runner/work/_temp/_github_workflow":"/github/workflow" -v "/home/runner/work/_temp/_runner_file_commands":"/github/file_commands" -v "/home/runner/work/kafka-connect-healthchecks/kafka-connect-healthchecks":"/github/workspace" cc4956:589bd97751d24f429203ebe79577279a  "https://oss.sonatype.org/content/repositories/snapshots" "***" "***" "maven2" "Snapshots" "groupId=net.loobpack.kafka-connect-healthchecks artifactId=kafka-connect-healthcheck-extension version=0.0.6-SNAPSHOT" "extension=jar" "./target/kafka-connect-healthcheck-extension-0.0.6-SNAPSHOT.jar"
Caught: com.sonatype.nexus.api.exception.RepositoryManagerException: Upload component was unsuccessful (403 response from server)
com.sonatype.nexus.api.exception.RepositoryManagerException: Upload component was unsuccessful (403 response from server)
    at com.sonatype.nexus.api.zz.fg.a(SourceFile:106)
    at com.sonatype.nexus.api.zz.fg.a(SourceFile:87)
    at com.sonatype.nexus.api.zz.fg.a(SourceFile:65)
    at com.sonatype.nexus.api.zz.ff.upload(SourceFile:157)
    at com.sonatype.nexus.api.zz.ff.upload(SourceFile:140)
    at com.sonatype.nexus.api.repository.v3.RepositoryManagerV3Client$upload.call(Unknown Source)
    at NexusPublisher.run(NexusPublisher.groovy:64)
Caused by: com.sonatype.nexus.api.zz.fl: Forbidden
    at com.sonatype.nexus.api.zz.fm.handleResponse(SourceFile:51)
    at org.apache.http.impl.client.CloseableHttpClient.execute(SourceFile:223)
    at org.apache.http.impl.client.CloseableHttpClient.execute(SourceFile:165)
    at com.sonatype.nexus.api.zz.fg.a(SourceFile:84)
    ... 5 more

I can deploy using those credentials with an old school deployment manager ( mvn deploy / pom.xml), but I can't using this github action.

We can't figure out why we get this error. It looks like NexusPublisher is trying to push not in the correct place

Any help ?

[scolastico]

same

[new-javacc]

same

[bhamail]

I setup a test project that exercises this action, and while doing so, at one point I was seeing 403 errors too.

It turned out to be a "permissions issue". I solved it by first making sure I had all the plumbing regarding URLs and repo name correct by using "administrator" credentials with Nexus Repository. Once I verified I could publish using an administrator, I then changed to a "non-admin" account, and added permissions until it "worked" again. There are probably a way to get even fewer permissions working, but this is where I stopped the "wash-rinse-repeat" dance. The name of the repository I used was raw-github-action-test.

I hope this helps.