Pull packages from GitHub private packages, return status: 401 Unauthorized and 'parent.relativePath' points at wrong local POM

[ParryQiu]

Description:

Attempting to configure an action to fetch packages from a repository within the same organization results in an authentication error.
The error is encountered when downloading dependencies from GitHub's Maven package repository.
Despite correct configuration, the process fails with a 401 Unauthorized status, indicating an issue with authentication.

Downloading from github: https://maven.pkg.github.com/xx/xx/xx/xx/xx/xx.pom

Error: ] Some problems were encountered while processing the POMs:
[FATAL] Non-resolvable parent POM ... authentication failed for https://maven.pkg.github.com/, status: 401 Unauthorized and 'parent.relativePath' points at wrong local POM @ line 7, column 13

Task version:
actions/setup-java@v4

Platform:

• Ubuntu
• macOS
• Windows

Runner type:

• Hosted
• Self-hosted

Repro steps:

Below is the YAML configuration for the GitHub Action used to deploy Maven packages upon a release event.

name: Maven Package Deploy

on:
  release:
    types: [created]

jobs:
  build-and-deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      packages: write

    steps:
      - uses: actions/checkout@v4

      - name: Set up JDK 11
        uses: actions/setup-java@v4
        with:
          java-version: '11'
          distribution: 'adopt'
          cache: maven
          server-id: github
          server-username: xxx
          server-password: ${{ secrets.GITHUB_TOKEN }}

...

Additionally, here's the relevant section from the pom.xml file that specifies the repository configuration:

...

    <repositories>
        <repository>
            <id>github</id>
            <name>GitHub OWNER Apache Maven Packages</name>
            <url>https://maven.pkg.github.com/xx/xxxxxx</url>
        </repository>
    </repositories>

...

Expected behavior:
The action should successfully pull the required packages from the GitHub Maven repository without encountering authentication issues.

Actual behavior:
The action fails with a 401 Unauthorized error when attempting to fetch packages, indicating a failure in authentication.

[htpaf]

It is very likely an access problem and not a setup-java problem (using solely my own experience with GHA and nothing specifically with setup-java).

If you are targeting a packages repo other than the current/same repo (the action is running in) both repos or rather their access configurations need to work together.

Packages functionality is by default per repo but you can target another repo which means an extra look at how permissions are setup between the repos.

If you want to authenticate with a token you may need a server login to the package location:

    <server>
      <id>github</id>
      <username>x-access-token</username>
      <password>${env.A_TOKEN_WITH_PROPER_PERMISSIONS}</password>
    </server>

A_TOKEN_WITH_PROPER_PERMISSIONS typically GITHUB_TOKEN but it depends.

Most 401 and 403 often have to do with exactly what they say -> you have incorrect permissions for workflows, repos, actions, environments, packages.

One way to try is to use a PAT for debugging purposes of course you will have to have proper access to all the places like admin for all repos involved but then the 401 and 403 often go away and you know that there is some permission issue within your workflows.

[HarithaVattikuti]

Hello @ParryQiu
Thank you for creating this issue. We will investigate it and get back to you as soon as we have some feedback.

[ParryQiu]

Update

I attempted to directly upload my settings.xml file (contains server id and auth info) and use the command mvn --batch-mode deploy -s settings.xml, and the entire action was successful.

Thus, could there be an issue with the following logic?

setup-java/src/auth.ts

Line 51 in 9704b39

export async function createAuthenticationSettings(

[ParryQiu]

I've created a PR for reference.

#604

[mahabaleshwars]

Hello @ParryQiu, I have tried replicating the issue but couldn't do with given inputs. Could you please attach link to the build or public repository to reproduce the issue ?

[mahabaleshwars]

Hello @ParryQiu, Just touching base on this matter. It would be incredibly helpful if you could share a public repository for us to better understand and address the issue. By the way, issue #599 had a similar problem where missing write permissions for the PAT was the root cause. It may be worth checking if that's the case here as well. Thank you for your cooperation.

[ParryQiu]

Hello @ParryQiu, Just touching base on this matter. It would be incredibly helpful if you could share a public repository for us to better understand and address the issue. By the way, issue #599 had a similar problem where missing write permissions for the PAT was the root cause. It may be worth checking if that's the case here as well. Thank you for your cooperation.

Hello, thank you for the update.
I will test it again and, for now, I am going to close the PR.
Thank you for your cooperation.