sbt-github-packages icon indicating copy to clipboard operation
sbt-github-packages copied to clipboard
verified publisher icon djspiewak

A valid Github token shouldn't always be mandatory

Open ldeluigi opened this issue 5 years ago • 3 comments

If my project uses the plugin just for publication, without needing to resolve any Github Package dependency, it should not pretend to have a valid GITHUB_TOKEN defined, so that the project could be built without specifying one.

Possible solutions:

  • A boolean flag to suppress errors and turn them into warnings.
  • Detect if there is any GitHub Packages dependency, and, if not, ignore the absence of a valid token. (Could be impossible to do, I didn't explore that much this possibility).

ldeluigi avatar Oct 19 '20 07:10 ldeluigi

Probably related to #27.

ldeluigi avatar Oct 19 '20 07:10 ldeluigi

As noted in #34, this isn't really my decision. :-( GitHub requires a token even for read-only access to packages.

djspiewak avatar Mar 07 '21 21:03 djspiewak

@djspiewak, thank you for making this great plugin. It is really helping make github packages easier to use with Scala.

I ran into the same issue as described above and was able to work around it with:

githubTokenSource := TokenSource.Or(
    TokenSource.Environment("GITHUB_TOKEN"), // Injected during a github workflow for publishing
    TokenSource.Environment("SHELL"),  // safe to assume this will be set in all our devs environments, usually /bin/bash, doesn't matter what it is to prevent local errors
  ),

The scenario we have is that we have one repo that is a multi-project build, where we build common jars that we want to publish internally. It does not use Resolver.githubPackages and only downloads from public sources. When we create tags in this repo, we are wanting to publish our artifacts internally, which we can do by injecting {{ secrets.GITHUB_TOKEN}} as the environment variable GITHUB_TOKEN. The idea being that those that want to contribute to the common libraries do not need to set up a PAT for publishing, we just review their PR, merge, and eventually tag it to release and the automation takes care of the rest.

In our other private repos, we do configure it to use the Resolver.githubPackages and anyone developing in those will need to create a personal access token with read packages scope in order to be able to build and we will have them set it up in their gitconfig.

jonstacks avatar Mar 25 '21 18:03 jonstacks