-
Hello, I have a repository with a Java project and a configured GitHub Actions workflow, which publishes a JAR into the GitHub Packages Maven repository. I would like to use the published JAR package in another project, so I need to add it to
I also need to add the Maven repository into
This does not work, because when Maven attempts to download the artifact it fails, because the request is unauthorized. GitHub Packages help says that I need to add my user name and token into This probably fixes an issue. For example, if I clone some project which relies on dependencies hosted on GitHub Packages maven repo I’ll fail to compile it. Will have to investigate what the heck is going on. Figure out that I need to register on GitHub. Then generate token. Store it in On the other hand the dependency JAR could be downloaded manually via https://github.com/me/my-repo/packages, so why on earth is authorization required when downloaded via Maven? Is there any hidden setting to turn off the requirement?
Replies: 39 comments 19 replies
-
Is there anything we the community can do to help get this feature implemented faster? I won't presume to know the reasoning behind this requirement, but as others have said, it's extremely restrictive.
-
This limitation applies not just to Maven registries but also to NuGet, RubyGems and any build system supported by GitHub. It's a completely baffling oversight / design decision, requiring users to include credentials in their build / dependency management scripts in order to download public packages! Really defeats the purpose of using GitHub Packages, especially in open-source projects. I'd argue it could lead to a security issue too, requiring credentials to be used in e.g. a pom.xml file of a project and completely inconvenient for users to not only have to configure an additional repository source, but also set up a GitHub account with personal access tokens (ensuring the right permissions) just to download a JAR file.
-
The fact that public repositories can be read anonymously but public packages cannot makes no sense to me. I have written a short shell script that deploys to a separate branch in your project that can be read anonymously for anyone looking for a workaround: https://github.com/ThomasOM/MavenRepoTool
-
Dear GitHub team, any news on this one after 3 years?
-
Yep. It would be great if GitHub solves this.
-
Got a reply from support:
That's a questionable move for sure, as it defeats the purpose of a Maven repository, and it's a nice 180-degree turn on their side considering their past statement.
-
+1 would love to be able to add a dependency in my pom.xml that points to a public GitHub Package w/o having to muck with Maven's auth settings
-
Hey @clarkbw, thanks for the update! I’d like to bring to attention that JCenter is being shut down globally on 1st May this year. JCenter is currently one of the biggest Maven repositories in the world in amount of artifacts. There are several projects currently looking for a new home and while GitHub package registry looks awesome, this one particular (missing) feature is preventing several projects I know from choosing GitHub Packages over self-hosting. It’s pretty rare for a developer to have a GitHub PAT on their Maven (or Gradle) configuration (much less on both) and it’s quite a barrier to entry for new developers (needing to create a GitHub account → learning which of the 40 options to create a PAT → learning how to configure Maven (or/and Gradle) and their IDE). It would be very interesting if this could be prioritized before the JCenter sunsetting deadline and could bring several people to use GitHub Packages (it’s A LOT easier than central).
-
This is still a very important feature. Not having the public repos really makes using Maven repos not worth it.....
-
This also applies to NPM-packages, which does not make any sense for public packages as well, also breaking developer experience and making it nearly impossible to include GitHub packages in any CI/CD pipeline, which essentially defeats the general purpose of packaging a project. What's even more baffling is the fact that you can easily include the GitHub repository URL itself verbatim in NPM, accessing a public repo without any auth, but the package based on exactly that repo is not available without auth. WTF? oO While using the repo itself is feasible, this is just a git clone, excluding the possibility of packaging steps, also resulting in a weird notation in package.json. Please allow non-authed installations of GitHub packages. Setting up the registry is alright, but providing a PAT completely breaks the functionality.
-
Any update on this feature???
-
Any update on this? It would be great to have this feature.
-
Any updates on this?
-
Is there any workaround yet?
-
As I manage some open source Java projects on GitHub, I can’t ask people to authenticate before using the repo, so I switched to https://jitpack.io as a Maven repo.
-
I'd love to have anonymous access to public packages too. I just experimented getting a package published and I was very surprised when I couldn't use it anonymously.
-
This is so absurd that it is still not working. Are there any plans from GitHub to get that running? @jcansdale and if so? when? :)
-
Still in the future column on the roadmap. Hopefully in the fall this year.
-
jcansdale:
This works! Thank you! One small tweak: it’s just encode, not xmlEncode.
-
Our Maven service doesn’t allow for unauthorized access right now. We plan to offer this in the future but need to improve the service a bit before that. For Actions you can add a PAT to your secrets store or use the
-
Having a PAT on public NPM packages makes this feature useless. Not a surprise I wasn't able to find any well-known open source web projects using NPM GitHub Packages (checked angular, react, vuejs, bootstrap etc)
-
This is disappointing to read after having spent significant time getting familiar with and publishing packages to GitHub Packages. We will switch to Maven Central for publishing open source packages.
-
jdsalasca's solution worked perfectly for me. Just created a read-only access token for packages, and included it in build.gradle. As it is read-only for a public registry, it can be included cleartext.
-
Found a topic raising exactly the same issue: Download from Github Package Registry without authentication
-
Agree with the common sentiment here, not very useful unless it behaves like all the other large package repos
-
Having this available for pretty much everyone to use would be a great option.
I also wanted to use this once, but never got it to work. The publication gave an error with a 4xx code (I believe it was 403) yet (parts of) the package were apparently distributed to the upstream repo.
-
I wonder if in the meantime one could create a proxy service that accesses the Maven repo on GitHub and just exposes it without authentication needed. Not ideal and a bit of extra work but it does not seem predictable when we will get this feature from GitHub. Maybe never
-
Until GitHub removes the auth requirement, here is a good alternative: https://jitpack.io/
-
Seems like Santa is not coming with this gift this year.
You can find the source code here. Can't wait to kill this project when GitHub allows unauthenticated requests to packages.
-
I've decided to host our own package solution using reposilite, it is easily deployed using docker. Ironically, here's their GitHub page: https://github.com/dzikoysk/reposilite well worth a look if you're in a pinch and need a better solution.
There are a few things you can do to make this a little less painful.
- settings.xml file at the root of your repository
- .mvn/maven.config file that contains -s settings.xml
- read:packages scope
If your repository is private, you can place the PAT directly in your settings.xml file. If your repository is public, you can’t push t…
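
A check a maintainer could run before committing the repository-level settings.xml described above, also relevant to the earlier comments about tokens in pom.xml or build.gradle: it reports, per server entry, whether the password is a literal GitHub token or a ${env.NAME} reference that Maven resolves at build time. This is an added example, not code from the thread or from GitHub; the function names, server ids, sample file and the GITHUB_TOKEN variable name are assumptions, and the token is a constructed fake.

```python
import re
import xml.etree.ElementTree as ET

# GitHub token shapes: classic PATs ("ghp_" + 36 chars) and fine-grained PATs ("github_pat_" prefix).
TOKEN_RE = re.compile(r"\b(ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})\b")
# Maven interpolates ${env.NAME} in settings.xml from the environment at build time.
ENV_REF_RE = re.compile(r"^\$\{env\.[A-Za-z_][A-Za-z0-9_]*\}$")


def local(tag):
    """Strip the XML namespace so files with and without xmlns are handled alike."""
    return tag.rsplit("}", 1)[-1]


def audit_settings(xml_text):
    """Return (server_id, verdict) for every <server> entry in a settings.xml."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if local(elem.tag) != "server":
            continue
        fields = {local(c.tag): (c.text or "").strip() for c in elem}
        password = fields.get("password", "")
        if TOKEN_RE.search(password):
            verdict = "literal-github-token"   # secret would land in git history
        elif ENV_REF_RE.match(password):
            verdict = "env-reference"          # resolved from the environment
        elif password:
            verdict = "literal-other"          # some other hardcoded value
        else:
            verdict = "no-password"
        findings.append((fields.get("id", "?"), verdict))
    return findings


# Constructed sample: one entry embeds a fake token, the other reads it from the environment.
FAKE_TOKEN = "ghp_" + "A" * 36
SAMPLE = f"""<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0">
  <servers>
    <server><id>github-inline</id><username>octocat</username>
      <password>{FAKE_TOKEN}</password></server>
    <server><id>github-env</id><username>octocat</username>
      <password>${{env.GITHUB_TOKEN}}</password></server>
  </servers>
</settings>"""

if __name__ == "__main__":
    for server_id, verdict in audit_settings(SAMPLE):
        print(f"{server_id}: {verdict}")
```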