GitHub Packages access
50 views
Skip to first unread message
Vladimir Belousov
Sep 28, 2023, 4:37:22 AM9/28/23
to Jenkins Developers
Hi,
We use dependencies that are hosted on GitHub Packages in our plugin.
Access to GitHub Packages works only through a personal access token
We wanted to use https://plugins.jenkins.io/config-file-provider to generate settings.xml with the required permissions
But I'm not sure that this is the right decision.
Can you recommend anything for our case?
Plugin repository https://github.com/jenkinsci/redhat-dependency-analytics-plugin
We use dependencies that are hosted on GitHub Packages in our plugin.
Access to GitHub Packages works only through a personal access token
We wanted to use https://plugins.jenkins.io/config-file-provider to generate settings.xml with the required permissions
But I'm not sure that this is the right decision.
Can you recommend anything for our case?
Plugin repository https://github.com/jenkinsci/redhat-dependency-analytics-plugin
Jesse Glick
Sep 28, 2023, 9:02:36 AM9/28/23
to jenkin...@googlegroups.com
On Thu, Sep 28, 2023 at 4:37 AM Vladimir Belousov <vbel...@redhat.com> wrote:
We use dependencies that are hosted on GitHub Packages in our plugin.
I guess you mean https://github.com/jenkinsci/redhat-dependency-analytics-plugin/blob/f4b606b8b509795917edc2f2915c6a3322a85e4d/pom.xml#L212-L215 to access https://github.com/RHEcosystemAppEng/exhort-java-api
This is not standard practice and is likely to cause issues. Normally any dependencies you need should be published either to Jenkins Artifactory, if they are specific to Jenkins, or Maven Central if not.
I am well aware that https://github.com/RHEcosystemAppEng/exhort-java-api/blob/ed0cb76f5ccd1d0d74bdbc6d36a4c04b2900d51c/.github/workflows/release.yml#L56-L61 is vastly simpler to manage than deploying to OSSRH. At some point https://sigstore.github.io/sigstore-maven-plugin/ should make it possible to deploy to Central using GHA OIDC tokens, but it is not ready yet and AFAIK there is no published timeline.
If you really want to access GH Packages, you can probably do so with `GITHUB_TOKEN` in GHA without needing a PAT. This would work for the CD action, probably with custom modifications, but would not work for ci.jenkins.io so Jenkinsfile would be useless; you would need to set up your own CI.
Vladimir Belousov
Sep 28, 2023, 9:43:59 AM9/28/23
to Jenkins Developers
Thanks for the detailed answer
We also thought about publishing exhort-java-api to Jenkins Artifactory.
1. Does this not contradict any rules for using Jenkins Artifactory?
2. Should we publish the artifact as a plugin component if we use this approach? Based on https://github.com/jenkins-infra/repository-permissions-updater/#managing-permissions
We also thought about publishing exhort-java-api to Jenkins Artifactory.
1. Does this not contradict any rules for using Jenkins Artifactory?
2. Should we publish the artifact as a plugin component if we use this approach? Based on https://github.com/jenkins-infra/repository-permissions-updater/#managing-permissions
Jesse Glick
Sep 28, 2023, 2:04:12 PM9/28/23
to Jenkins Developers
On Thursday, September 28, 2023 at 9:43:59 AM UTC-4 Vladimir Belousov wrote:
We also thought about publishing exhort-java-api to Jenkins Artifactory.
Best to discuss in a new ticket: https://github.com/jenkins-infra/helpdesk/issues/new/choose
Reply all
Reply to author
Forward
0 new messages