Gradle: Resource missing for dependency when using GITHUB_TOKEN

[mindhaq]

I have a project residing in two GH repositories. There is library in common, and the application is using that library.

I have a successfully published package of the library in GitHub Packages.

I have setup the application project in a way that if I build it locally, it will download the library using a personal access token.

build.gradle:

repositories {
    mavenLocal()
    mavenCentral()
    maven {
        name = "GitHubPackages-common"
        url = "https://maven.pkg.github.com/OWNER/rr-common"
        credentials {
            username = System.getenv("GITHUB_USERNAME")
            password = System.getenv("GITHUB_TOKEN")
        }
    }
}

In the GH action for building the application, I use the GITHUB_TOKEN, and when I print that out in the build script, it seems to be passed along correctly.

build.yml:

- name: Build with Gradle
      env:
        GITHUB_USERNAME: "OWNER"
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      run: ./gradlew --stacktrace --warning-mode all --info clean test bootJar

However, the build fails because the library cannot be downloaded. First trying at maven central (unsuccessfully as expected) and then trying at github, and also failing.

Resource missing. [HTTP GET: https://repo.maven.apache.org/maven2/de/OWNER/common/1.0.3/common-1.0.3.pom]
Resource missing. [HTTP HEAD: https://repo.maven.apache.org/maven2/de/OWNER/rr-common/1.0.3/common-1.0.3.jar]
Resource missing. [HTTP GET: https://maven.pkg.github.com/OWNER/common/de/OWNER/common/1.0.3/common-1.0.3.pom]
Resource missing. [HTTP HEAD: https://maven.pkg.github.com/OWNER/common/de/OWNER/rr-common/1.0.3/common-1.0.3.jar]

The failing URLs work fine when entered into a browser (after authentication).

A working workaround for me was now to create a user-specific API Token, put that into the projects secrets and use that from within the build action. And that works! But isn’t that exactly what GITHUB_TOKEN should be used for?

[BrightRan]

The following note may be able to answer your doubt.
NOTE: The permissions of GITHUB_TOKEN are limited to the repository that contains your workflow. If you need a token that requires permissions that aren’t available in the GITHUB_TOKEN, you can create a personal access token and set it as a secret in your repository.
As the note mentioned, if your common library is not published on the same GitHub repository where the workflow is hosted, it is not able to download the library via the GITHUB_TOKEN in the workflow. So you need to create a new PAT to get more permission scopes.
More detailed info about GITHUB_TOKEN, you can reference here: https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token

[mindhaq]

Understood. I was probably hoping to get the same developer experience as I get when using NPM packages.

I opened another posting for that, as it has nothing to do with GitHub actions.

https://github.saobby.my.eu.orgmunity/t5/GitHub-API-Development-and/GitHub-package-registry-as-Maven-repo-with-many-private/m-p/41488#M3734

[hfhbd]

But it should be possible to use packages: read with the GitHub token provided by Actions to fetch the published maven artifacts to the same repo, shouldn't it?