Changes to "Publishing from Actions to Packages fails with Forbidden or Unauthorized"
#author("2025-03-28T11:10:47+09:00","default:pitablog","pitablog")
* Publishing from GitHub Actions to Packages fails with Forbidden or Unauthorized [#e2758e54]
#splitbody{{
LEFT:
&tag(Information Technology,Java,Maven,Gradle,GitHub,GitHub Actions,GitHub Packages);
#split
RIGHT:&size(13){Posted: 2025-03-28 (Fri)};
}}
#bcontents
** Introduction [#ue113a9b]
I am trying to publish to Packages from Actions as a test, but for some reason I get errors.
#ika_twitter(tweet,PitaQ_Modding,1905273194371785141)
*** Error 1 [#se0e1528]
#gcode{{
> Task :publishMavenJavaPublicationToGitHubPackagesRepository FAILED
FAILURE: Build failed with an exception.
* What went wrong:
Execution failed for task ':publishMavenJavaPublicationToGitHubPackagesRepository'.
> Failed to publish publication 'mavenJava' to repository 'GitHubPackages'
> Could not PUT 'https://maven.pkg.github.com/(以下略)'. Received status code 401 from server: Unauthorized
* Try:
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.
[Incubating] Problems report is available at: file:///home/runner/work/storagebox-fabric/storagebox-fabric/build/reports/problems/problems-report.html
Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.
You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.
For more on this, please refer to https://docs.gradle.org/8.12/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.
BUILD FAILED in 1m 42s
9 actionable tasks: 9 executed
Error: Process completed with exit code 1.
}}
*** Error 2 [#h81dbfb5]
#gcode(txt){{
> Task :publishMavenJavaPublicationToGitHubPackagesRepository FAILED
FAILURE: Build failed with an exception.
[Incubating] Problems report is available at: file:///home/runner/work/storagebox-fabric/storagebox-fabric/build/reports/problems/problems-report.html
* What went wrong:
Deprecated Gradle features were used in this build, making it incompatible with Gradle 9.0.
Execution failed for task ':publishMavenJavaPublicationToGitHubPackagesRepository'.
> Failed to publish publication 'mavenJava' to repository 'GitHubPackages'
You can use '--warning-mode all' to show the individual deprecation warnings and determine if they come from your own scripts or plugins.
> Could not PUT 'https://maven.pkg.github.com/(以下略)'. Received status code 403 from server: Forbidden
For more on this, please refer to https://docs.gradle.org/8.12/userguide/command_line_interface.html#sec:command_line_warnings in the Gradle documentation.
* Try:
9 actionable tasks: 9 executed
> Run with --stacktrace option to get the stack trace.
> Run with --info or --debug option to get more log output.
> Run with --scan to get full insights.
> Get more help at https://help.gradle.org.
BUILD FAILED in 1m 13s
Error: Process completed with exit code 1.
}}
** Solution: give up on using GITHUB_TOKEN [#ed6d0a5a]
#ika_twitter(tweet,PitaQ_Modding,1905432980514037772)
I changed the workflow as follows.
Incidentally, this is a workflow that builds and then publishes to Packages.
#gcode(yml){{{
# Build and Publish
name: Gradle CI
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up Java 21
        uses: actions/setup-java@v3
        with:
          java-version: '21'
          distribution: 'temurin'
      - name: Change gradlew permissions
        run: chmod +x ./gradlew
      - name: Build with Gradle
        uses: gradle/gradle-build-action@v2
        with:
          arguments: build
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: Artifacts
          path: build/libs/
  publish:
    runs-on: ubuntu-latest
    needs: build
    steps:
      - uses: actions/checkout@v3
      - name: Set up Java 21
        uses: actions/setup-java@v3
        with:
          java-version: '21'
          distribution: 'temurin'
      - name: Download artifacts
        uses: actions/download-artifact@v4
        with:
          name: Artifacts
          path: build/libs/
      - name: Change gradlew permissions
        run: chmod +x ./gradlew
      - name: Publish to GitHub Packages
        env:
          GITHUB_TOKEN: ${{ secrets.PAT_KEY }}
        run: ./gradlew assemble publish
}}}
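I originally had
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
but apparently GITHUB_TOKEN cannot be used because it lacks the permissions.
Even with packages: write set under permissions:, it appears to be impossible on public repositories for security reasons.
So I specify a secret as follows.
The name is arbitrary; here I created a secret called PAT_KEY.
The secret can be created from the repository's top bar "Settings" -> left sidebar "Secrets and variables" -> "Actions", which expands in the left sidebar.
Under Repository secrets, click "New repository secret", give it a name (arbitrary; here "PAT_KEY"), paste in a Personal access tokens (classic) token, and create the secret.
Then change the env as follows:
 GITHUB_TOKEN: ${{ secrets.PAT_KEY }}
This is only a guess, but I think that, for security reasons, the default GITHUB_TOKEN is by design not allowed to publish to Packages from Actions on public repositories.
Considering an incident where a PR is merged and then published with malicious code still in it, I suppose that is reasonable.
Still, it is frustrating that the Docs do not mention this. It seems to succeed on a private repo.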
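An added example, not the author's workflow: the same build and publish jobs, but with the publish job limited to pushes on the default branch and the default token set read-only, so that pull_request runs still build but never reach the step that holds the PAT. The branch name main, and a PAT_KEY token that carries only the write:packages scope, are assumptions.

```yaml
# Added example (not the author's workflow): build on every event,
# publish only on a push to the default branch.
name: Gradle CI
on: [push, pull_request]

# The default GITHUB_TOKEN is read-only in every job; publishing uses the PAT secret.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Set up Java 21
        uses: actions/setup-java@v3
        with:
          java-version: '21'
          distribution: 'temurin'
      - name: Build with Gradle
        run: chmod +x ./gradlew && ./gradlew build

  publish:
    runs-on: ubuntu-latest
    needs: build
    # Assumption: the default branch is named "main".
    # pull_request runs are skipped here, so unmerged PR code never runs next to PAT_KEY.
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    steps:
      - uses: actions/checkout@v3
      - name: Set up Java 21
        uses: actions/setup-java@v3
        with:
          java-version: '21'
          distribution: 'temurin'
      - name: Publish to GitHub Packages
        env:
          # The secret is exposed to this one step only, not to the whole job.
          # Assumption: PAT_KEY is a classic PAT limited to the write:packages scope.
          GITHUB_TOKEN: ${{ secrets.PAT_KEY }}
        run: chmod +x ./gradlew && ./gradlew assemble publish
```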
** Comments [#e1eae827]
#pctrlcmt
&size(10){Keywords: Information Technology, GitHub Packages, Publish, GitHub Actions, CI/CD, Automation, Error, Failed, Insufficient permissions, PAT, Token};