How to reference public GitHub packages from maven project


I have a GitHub repo with a library published to its own GitHub packages maven repository. And I also have another project where I want to reference this library as a dependency.

When I add the following configuration to the POM file of my project it just doesn't work.

<repositories>
 <repository>
  <id>github</id>
  <name>GitHub Packages</name>
  <url>https://maven.pkg.github.com/test-account/test-lib</url>
 </repository>
</repositories>

It requires me to authenticate. I understand that this is pretty logical as it is basically not a sources repo but an underlying maven repo. But is there a way to have normal maven access to this dependency? My library is in the public repo.

P.S. Please do not suggest using Jitpack, as I would like to have a clean solution without any additional resources.

4

There are 4 answers

4
Frans On BEST ANSWER

The answer seems to be "you can't". See this comment from a GitHub staff member:

Our Maven service doesn’t allow for unauthorized access right now. We plan to offer this in the future but need to improve the service a bit before that.

For now the simplest option seems to be to create a personal access token with read access and include it in the URL of the <repository> section in your pom.xml, like this:

<repository>
  <id>github</id>
  <name>GitHub Packages</name>
  <url>https://my-user:[email protected]/my-user/my-repo</url>
</repository>

Otherwise, options are probably:

  • Create a personal access token with read access and just share it with the whole world.
  • Use the workaround described here
  • Publish to Maven Central (but that's a whole world of pain)
0
mrts On

Currently, you cannot. There is an ongoing discussion here with this feature request. You can find multiple workarounds in that discussion thread and also voice your opinion.

0
Prometheus On

The accepted answer no longer works.

Currently GitGuardian automatically revokes the Personal Access Token (PAT) if that method is applied in public repositories. As recommended by GitHub staff, the work-around solution is the following:

  1. Create a PAT with just the read:packages scope
  2. Execute docker run ghcr.io/jcansdale/gpr encode

This will output the following:

$ docker run ghcr.io/jcansdale/gpr encode 0123456789abcsef
An encoded token can be included in a public repository without being automatically deleted by GitHub.

These can be used in various package ecosystems like this:

A NuGet `nuget.config` file:
<packageSourceCredentials>
  <github>
    <add key="Username" value="PublicToken" />
    <add key="ClearTextPassword" value="&#48;123456789abcsef" />
  </github>
</packageSourceCredentials>

A Maven `pom.xml` file:
<repositories>
  <repository>
    <id>github-public</id>
    <url>https://public:&#48;123456789abcsef@maven.pkg.github.com/<OWNER>/*</url>
  </repository>
</repositories>

An npm `.npmrc` file:
@OWNER:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken="\u0030123456789abcsef"
You can use this snippet in your project’s configuration file.

Note, you shouldn’t include your own read:packages PAT if you have access to any private packages you need to protect. In this case it is best to create a machine-user.
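Both the accepted answer and the encoded-token workaround place a credential in the URL userinfo of a <repository> element. The following Python check is an added example, not part of any answer on this page: it audits a POM for such credentials and parses the XML first, so a character reference like `&#48;` is decoded before the URL is inspected. The sample POM, the owner name and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, unquote

# Constructed sample POM; owner and repository names are made up, and the
# token is the sample value shown in the tool output above.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <repositories>
    <repository>
      <id>github-public</id>
      <url>https://public:&#48;123456789abcsef@maven.pkg.github.com/example-owner/*</url>
    </repository>
    <repository>
      <id>github</id>
      <url>https://maven.pkg.github.com/example-owner/example-lib</url>
    </repository>
  </repositories>
</project>"""

REPO_TAGS = ("repository", "pluginRepository", "snapshotRepository")


def local(tag):
    """Strip the XML namespace so POMs with or without xmlns both match."""
    return tag.rsplit("}", 1)[-1]


def find_embedded_credentials(pom_text):
    """Return (repo_id, username, password, host) for each URL with userinfo."""
    if "<!DOCTYPE" in pom_text.upper():
        # A POM has no need for a DTD; refuse it rather than expand entities.
        raise ValueError("unexpected DOCTYPE in POM")
    findings = []
    root = ET.fromstring(pom_text)  # the parser resolves &#48; to "0"
    for elem in root.iter():
        if local(elem.tag) not in REPO_TAGS:
            continue
        fields = {local(child.tag): (child.text or "").strip() for child in elem}
        parts = urlsplit(fields.get("url", ""))
        if parts.password is not None:
            findings.append((fields.get("id", ""), parts.username,
                             unquote(parts.password), parts.hostname))
    return findings


if __name__ == "__main__":
    for repo_id, user, secret, host in find_embedded_credentials(SAMPLE_POM):
        print(f"{repo_id}: credential for {user}@{host} ({len(secret)} chars)")
```

A plain-text search of the file for the token string finds nothing, because the first character is stored as `&#48;`; the parsed value is the full token.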

0
elect On

If you don't consider a Gradle plugin an additional resource, then I'd suggest mine

I was exactly in your shoes, you can either:

  • have a GitHub repository acting as a Maven repository
  • or publish on GitHub Packages and ease the consumption for Gradle clients