Partial support for maven SNAPSHOTs

[gsmachado]

Hello,

This answer says that it’s possible to upload/push snapshot packages with the same version (e.g., 0.1-SNAPSHOT).

However, it also says that there was a bug that prevents to push artifacts with -javadoc and -sources extension, somehow. Is that still an issue?

Because I’m trying to upload/push version 3.0.1-SNAPSHOT, and I get the following error:

* What went wrong:
Execution failed for task ':compiler:publishMavenJavaPublicationToMavenRepository'.
> Failed to publish publication 'mavenJava' to repository 'maven'
   > Could not GET 'https://maven.pkg.github.com/neow3j/neow3j/io/neow3j/compiler/3.0.1-SNAPSHOT/maven-metadata.xml'. Received status code 400 from server: Bad Request

When I go to fetch the maven-metadata.xml file on the URL from above, I get:

error retrieving metadata for snapshot file: compiler-3.0.1-20200527.103236-1-sources.jar

What’s the problem?

Thanks!

[jcansdale]

Hi @gsmachado,

Sorry about the delay in getting back to you!

gsmachado:

However, it also says that there was a bug that prevents to push artifacts with -javadoc and -sources extension, somehow. Is that still an issue?

This issue should now be fixed.

gsmachado:

When I go to fetch the maven-metadata.xml file on the URL from above, I get:

error retrieving metadata for snapshot file: compiler-3.0.1-20200527.103236-1-sou

I am able to fetch your maven-metadata.xml using the following command:

$ curl https://maven.pkg.github.com/neow3j/neow3j/io/neow3j/compiler/3.0.1-SNAPSHOT/maven-metadata.xml -u token:${READ_PACKAGES_TOKEN} | xmllint --format -
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1661  100  1661    0     0   3831      0 --:--:-- --:--:-- --:--:--  3827
<?xml version="1.0"?>
<metadata modelVersion="">
  <groupId>io.neow3j</groupId>
  <artifactId>compiler</artifactId>
  <version>3.0.1-SNAPSHOT</version>
  <versioning>
    <snapshot>
      <timestamp>20200527.103236</timestamp>
      <buildNumber>1</buildNumber>
    </snapshot>
    <lastUpdated>20200527103248</lastUpdated>
    <snapshotVersions>
      <snapshotVersion>
        <extension>jar</extension>
        <value>3.0.1-20200527.103236-1</value>
        <updated>20200527103237</updated>
      </snapshotVersion>
      <snapshotVersion>
        <extension>pom</extension>
        <value>3.0.1-20200527.103236-1</value>
        <updated>20200527103238</updated>
      </snapshotVersion>

READ_PACKAGES_TOKEN is a PAT with the read:packages scope.

Any chance you could point me to a GitHub Actions workflow that shows this failing?

[gsmachado]

Hello @jcansdale

Thanks for your reply, even if took a while. No worries! 😉

So… I can confirm that now I can successfully publish 3.0.1-SNAPSHOT – i.e., update/re-upload artifacts using the same version (like an overwrite). That’s fine!

However, I still don’t get it: even if the repo is public (open-source project), users mandatorily need to use a token with read:packages scope, somehow?

I don’t know if you’re familiar with Java/Gradle ecosystem, but, if I set-up a project with the following gradle.build content, it fails:

plugins {
    id 'java'
}
group 'org.example'

version '1.0-SNAPSHOT'
repositories {

mavenCentral()

maven {

url "https://maven.pkg.github.com/neow3j/neow3j/"

}

}
dependencies {

compile 'io.neow3j:contract:3.0.1-SNAPSHOT'

testCompile group: 'junit', name: 'junit', version: '4.12'

}

The output of a simple gradle compileJava on this repository example gives the following output:

> Could not resolve all files for configuration ':compileClasspath'.
   > Could not resolve io.neow3j:contract:3.0.1-SNAPSHOT.
     Required by:
         project :
      > Could not resolve io.neow3j:contract:3.0.1-SNAPSHOT.
         > Unable to load Maven meta-data from https://maven.pkg.github.com/neow3j/neow3j/io/neow3j/contract/3.0.1-SNAPSHOT/maven-metadata.xml.
            > Could not get resource 'https://maven.pkg.github.com/neow3j/neow3j/io/neow3j/contract/3.0.1-SNAPSHOT/maven-metadata.xml'.
               > Could not GET 'https://maven.pkg.github.com/neow3j/neow3j/io/neow3j/contract/3.0.1-SNAPSHOT/maven-metadata.xml'. Received status code 401 from server: Unauthorized

If this is really the case, and I got it right, this is a real problem for the adoption of Maven-related projects! It will certainly bring lots of frustration, and people will not widely use it. ☹️

People (users of libraries) just want to add the repository URL, add the dependency, and then start using libs/artifacts! That’s it. No generation of tokens. No account on GitHub. No addition configuration. Nothing. It’s open-source software anyway, thus, packages and its metadata (maven-metadata.xml) should be widely accessible. :slight_smile:

Let me know if I misinterpreted something… also, maybe there’s a configuration, somewhere, that I missed.

Thanks!

[jcansdale]

@gsmachado,

gsmachado:

However, I still don’t get it: even if the repo is public (open-source project), users mandatorily need to use a token with read:packages scope, somehow?

From what I understand, it’s currently intended more for internal development dependencies than for hosting public packages. Packages can be made accessible to anyone with a GitHub account who is motivated to create a PAT (which isn’t exactly public).

It is possible to create a read:packages token on behalf of users that might want to build your project. There are however a couple of complications:

1. GitHub will automatically delete tokens that are pushed to public repositories
2. The read:packages scope gives access packages associated with private as well as public packages

gsmachado:

I don’t know if you’re familiar with Java/Gradle ecosystem, but, if I set-up a project with the following gradle.build content, it fails:

I’m still experimenting with Gradle configurations, but what you might be able to do is something like the following:

  <a href="https://github.com/jcansdale-test/gradle-java-consume/pull/1" target="_blank" rel="noopener nofollow ugc">github.com/jcansdale-test/gradle-java-consume</a>

Use a public read:packages token

<div class="branches">
  <code>jcansdale-test:master</code> ← <code>jcansdale-test:public-token</code>
</div>

<div class="github-info">
  <div class="date">
    opened <span class="discourse-local-date" data-format="ll" data-date="2020-07-20" data-time="08:16:28" data-timezone="UTC">08:16AM - 20 Jul 20 UTC</span>
  </div>

  <div class="user">
    <a href="https://github.com/jcansdale-test" target="_blank" rel="noopener nofollow ugc">
      <img alt="jcansdale-test" src="https://user-images.githubusercontent.com/11719160/181087729-f2a4ebc3-e72f-469a-a557-5ad08f269881.png" class="onebox-avatar-inline" width="20" height="20">
      jcansdale-test
    </a>
  </div>

  <div class="lines" title="2 commits changed 2 files with 2 additions and 5 deletions">
    <a href="https://github.com/jcansdale-test/gradle-java-consume/pull/1/files" target="_blank" rel="noopener nofollow ugc">
      <span class="added">+2</span>
      <span class="removed">-5</span>
    </a>
  </div>
</div>

### What this PR does

1. Create a PAT with the read:packages scope from a s…afe account (e.g. a machine user account)
2. Use docker run jcansdale/gpr encode <PAT> to encode the token
3. Add a credentials element to the maven details with username and password
4. username can be anything and password the encoded string from example .npmrc file

For example:

repositories {
    maven {
        name = "remote"
        // Adapt the URL for your remote repository
        url = uri("https://maven.pkg.github.com/jcansdale-test/gradle-java-publish")
        credentials { 
            // Use this if the repo requires auth 
            // see https://docs.gradle.org/6.4/userguide/declaring_repositories.html#sec:supported_transport_protocols
            username = "token"
            password = "\u003c\u0050\u0041\u0054\u003e...................................................."
        }
    }
}
```</span></p>
  </div>

  </article>

  <div class="onebox-metadata">
    
    
  </div>

  <div style="clear: both"></div>
</aside>

<ol>
<li>Create a PAT with the <code>read:packages</code> scope from a safe account (e.g. a <a href="https://developer.github.com/v3/guides/managing-deploy-keys/#machine-users" rel="noopener nofollow ugc">machine user</a> account)</li>
<li>Use <code>docker run jcansdale/gpr encode &lt;PAT&gt;</code> to encode the token (see <a href="https://github.com/jcansdale/gpr" rel="noopener nofollow ugc">here</a>)</li>
<li>Add a <code>credentials</code> element to the maven details with <code>username</code> and <code>password</code>
</li>
<li>
<code>username</code> can be anything and <code>password</code> the encoded string from example <code>.npmrc</code> file</li>
</ol>
<p>For example:</p>
<pre><code class="lang-auto">repositories {
    maven {
        name = "remote"
        // Adapt the URL for your remote repository
        url = uri("https://maven.pkg.github.com/jcansdale-test/gradle-java-publish")
        credentials { 
            // Use this if the repo requires auth 
            // see https://docs.gradle.org/6.4/userguide/declaring_repositories.html#sec:supported_transport_protocols
            username = "token"
            password = "\u003c\u0050\u0041\u0054\u003e...................................................."
        }
    }
}
</code></pre>
<p>I’d be interested to know if something like this would work for you.</p>

[gsmachado]

Hey @jcansdale

Thanks for the fast reply! Much appreciated! :slight_smile:

jcansdale:

From what I understand, it’s currently intended more for internal development dependencies than for hosting public packages. Packages can be made accessible to anyone with a GitHub account who is motivated to create a PAT (which isn’t exactly public).

Oh, ok. This is exactly what I meant.
So, it means that GitHub packages feature is not intended for hosting (real) public packages. Gotcha.

However, this is a use case that is interesting for tons of open source projects out there, including neow3j. The advantages of publishing to GitHub Packages instead of JFrog/SonaType/etc are obvious: everything in a single platform, GitHub. It’s faster, and there’s a bunch of opportunities to explore there (including metrics of download, etc) in the entire software delivery lifecycle: development, release, distribution, measure.

At the moment, what you propose is not really suitable for widely public packages – because of the necessity of creating a PAT.

Where can I submit a Feature Request for this?

[jcansdale]

gsmachado:

At the moment, what you propose is not really suitable for widely public packages – because of the necessity of creating a PAT.

What if you create a read:packages PAT that is distributed with the project? Is the solution proposed in the PR above not an option?

gsmachado:

Where can I submit a Feature Request for this?

This is a known issue and being worked on for the next version of GitHub Packages. I’m afraid I can’t give you a timeline though.

[gsmachado]

jcansdale:

What if you create a read:packages PAT that is distributed with the project? Is the solution proposed in the PR above not an option?

Unfortunately, that’s not an option… because I would need to make that read:packages PAT public on the README.md of our project – developers/users should want to copy and paste the details to configure their gradle.build to import our library and start using it. So, since you mentioned that GitHub removes/deletes tokens that are publicly distributed, then, I conclude that’s not a viable option.

jcansdale:

This is a known issue and being worked on for the next version of GitHub Packages. I’m afraid I can’t give you a timeline though.

Great! We really want this feature. Let us know once it comes out.

If there’s any link or GitHub issue that I can subscribe to follow the progress of such a feature, let me know!

Thanks a lot for your help and directions. 😄

[jcansdale]

gsmachado:

If there’s any link or GitHub issue that I can subscribe to follow the progress of such a feature, let me know!

There isn’t I’m afraid. It would be nice it there was a public repository where we could track this kind of thing. What do you think @whitneyimura?

[gsmachado]

Hey @jcansdale and @whitneyimura
Any news on this matter (unauthenticated packages)?

[jcansdale]

gsmachado:

Any news on this matter (unauthenticated packages)?

This was discussed just yesterday. I’m cautiously optimistic. 🤔

[gsmachado]

Hey @jcansdale
Hope you’re doing fine! :slight_smile:

Any more optimistic news about downloading unauthenticated packages? @devhawk would be also interested in this.

Maybe, should we create another post specific to this? Or can you point us to where the discussion is happening?

[jcansdale]

Hi @gsmachado 👋

gsmachado:

Any more optimistic news about downloading unauthenticated packages? @devhawk would be also interested in this.

No official news I’m afraid. Say hi to @devhawk from me. :grinning_face_with_smiling_eyes:

I’ve just created an example Maven project that depends on a public package. You can simply clone the following repository:

github.com

jcansdale-test/maven-install-public

Install public Maven package. Contribute to jcansdale-test/maven-install-public development by creating an account on GitHub.

Then install and execute the project like this:

# install public packages
mvn install
execute example app
mvn exec:java -D exec.mainClass=com.octokat.app.InstallApp

If all goes to plan, it should output:

Hello from github-packages-examples/maven-publish, commit ed957aa2f450708a0ba42ac901f90bac48ebf012, run number 34!

The trick is adding a repository entry to the pom.xml like this:

<repository>
  <id>github-public</id>
  <url>https://public:&#56;538964239ca66dda0ba60738699571d1688c709@maven.pkg.github.com/github-packages-examples/*</url>
</repository>

• github-public is a unique repository ID. I’m deliberately not using github because the PAT would be overwritten by the actions/setup-java@v1 action.
• public is a dummy username (it can be anything).
• 8538964239ca66dda0ba60738699571d1688c709 is a PAT with the read:packages scope. The first letter is XML encoded to evade auto-deletion of scoped PATs. 😉

Would something like that work for you?

I’m sure you know more about Maven than me, so please let me know how the example could be improved!

[gsmachado]

Cool, @jcansdale! Yes, @devhawk and I are working in the same community/project (everything is open source). 🚀 We already talked about you being involved in this thread the other day. :grinning_face_with_smiling_eyes:

Thanks for the example! I’m actually using Gradle, but it’s the same logic/structure, yes.

What bothers me a bit here is to release the PAT publicly (even if it’s just read-only). So, a couple of questions:

• This PATH is associated with an account, and maybe it gets abused, e.g., to widely crawl GitHub things. This could lead to an account suspension, right?
• Is there a way to generate a PAT from an organization? Then I would feel a bit more comfortable – since I don’t have to generate from my own individual account.

Let me know!

I really appreciate your time and discussing things around here. Really helpful! Keep up the great work.

[jcansdale]

gsmachado:

Thanks for the example! I’m actually using Gradle, but it’s the same logic/structure, yes.

If you’re using Gradle, @0ffz wrote a plugin which might help. See here:

<a href="https://github.saobby.my.eu.orgmunity/t/download-from-github-package-registry-without-authentication/14407/104">Download from Github Package Registry without authentication</a> <a class="badge-wrapper  bullet" href="/c/code-to-cloud/github-packages/43"><span class="badge-category-parent-bg" style="background-color: #6a737d;"></span><span class="badge-category-bg" style="background-color: #005cc5;"></span><span style="" data-drop-close="true" class="badge-category clear-badge" title="Any questions related to GitHub Packages and how to manage your packages; upload, download, and delete. Happy to see questions about our help docs and the core set of clients and services we support but also questions about configuring and using alternate clients are welcome.">GitHub Packages</span></a>

I made a gradle plugin: GitHub - 0ffz/gpr-for-gradle: Gradle plugin for adding maven repos on Github Packages in one line to aid with this a while back, though I was trying to fix up some not-so-clean Groovy syntax because I’m unfamiliar with Groovy and chose to write it in Kotlin. Either way, it makes adding a package repo a one-liner but you dont get to customize it much if you’re using Groovy. The syntax looks like this: repositories { maven githubPackage.invoke("owner/repo") }

Apparen…

• This PATH is associated with an account, and maybe it gets abused, e.g., to widely crawl GitHub things. This could lead to an account suspension, right?

This could lead to the PAT being rate limited. I don’t think it would lead to account suspension.

• Is there a way to generate a PAT from an organization? Then I would feel a bit more comfortable – since I don’t have to generate from my own individual account.

Unfortunately, only users can generate PATs. What I’d recommend at the moment is create a machine-user account and generate a read:packages PAT from that. The PAT will then only be able to access public packages.

[yogurtearl]

related: gradle/gradle#13330