CODEWITHSUNDEEP
mavengithub-package-registry
Alexey Anufriev
Alexey Anufriev

Reputation: 436

How to reference public GitHub packages from maven project

I have a GitHub repo with a library published to its own GitHub packages maven repository. And I also have another project where I want to reference this library as a dependency.

When I add the following configuration to the POM file of my project it just doesn't work.

<repositories>
 <repository>
  <id>github</id>
  <name>GitHub Packages</name>
  <url>https://maven.pkg.github.com/test-account/test-lib</url>
 </repository>
</repositories>

It requires me to authenticate. I understand that this is pretty logical as it is basically not a sources repo but an underlying maven repo. But is there a way to have normal maven access to this dependency? My library is in the public repo.

P.S. Please, do not suggest using Jitpack as I would like to have clean solution without any additional resources.

Upvotes: 8

Views: 4538

Answers (4)

elect
elect

Reputation: 7190

If you don't consider as additional resource a Gradle plugin, then I'd suggest you mine

I was exactly in your shoes, you can either:

  • have a Github repository acting as a Maven repository
  • or publish on Github Packages and easier the consumption for Gradle clients

Upvotes: 0

Prometheus
Prometheus

Reputation: 563

The accepted answer no longer works.

Currently GitGuardian automatically revokes the Personal Access Token (PAT) if that method is applied in public repositories. As recommended by GitHub staff, the work-around solution is the following:

  1. Create a PAT with just the read:packages scope
  2. Execute docker run ghcr.io/jcansdale/gpr encode

This will output the following:

$ docker run ghcr.io/jcansdale/gpr encode 0123456789abcsef
An encoded token can be included in a public repository without being automatically deleted by GitHub.

These can be used in various package ecosystems like this:

A NuGet `nuget.config` file:
<packageSourceCredentials>
  <github>
    <add key="Username" value="PublicToken" />
    <add key="ClearTextPassword" value="&#48;123456789abcsef" />
  </github>
</packageSourceCredentials>

A Maven `pom.xml` file:
<repositories>
  <repository>
    <id>github-public</id>
    <url>https://public:&#48;[email protected]/<OWNER>/*</url>
  </repository>
</repositories>

An npm `.npmrc` file:
@OWNER:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken="\u0030123456789abcsef"
You can use this snippet in you project’s configuration file.

Note, you shouldn’t include your own read:packages PAT if you have access to any private packages you need to protect. In this case it is best to create a machine-user.

Upvotes: 3

mrts
mrts

Reputation: 18925

Currently, you cannot. There is an ongoing discussion here with this feature request. You can find multiple workarounds in that discussion thread and also voice your opinion.

Upvotes: 3

Frans
Frans

Reputation: 4022

The answer seems to be "you can't". See this comment from a GitHub staff member:

Our Maven service doesn’t allow for unauthorized access right now. We plan to offer this in the future but need to improve the service a bit before that.

For now the simplest option seems to be to create a personal access token with read access and include it in the URL of the <repository> section in your pom.xml, like this:

<repository>
  <id>github</id>
  <name>GitHub Packages</name>
  <url>https://my-user:[email protected]/my-user/my-repo</url>
</repository>

Otherwise, options are probably:

  • Create a personal access token with read access and just share it with the whole world.
  • Use the workaround described here
  • Publish to Maven Central (but that's a whole world of pain)

Upvotes: 13

Related Questions