Authorization issue with private maven repository

[justinwb]

Nice work on this action. Running into an authz issue today with our private sonatype nexus maven repo. All has been running well until we added a dependency in the pom on another library hosted in the same private repository. Suddenly we're seeing authorization issues and it's a bit difficult to debug what's happening within the action. Looking at other possible causes in the environment but thought it was worth filing an issue here in case there's something known or an obvious hitch in my configuration.

Failed to execute goal on project main-xyz: Could not resolve dependencies for project main-xyz:jar:0.1.1-SNAPSHOT: 
Failed to collect dependencies at dependency-xyz:0.9.1: 
Failed to read artifact descriptor for dependency-xyz:jar:0.9.1: 
Could not transfer artifact dependency-xyz:pom:0.9.1 from/to repo-id-xyz (repo-url-xyz): 
Authentication failed for dependency-xyz.pom 401 Unauthorized -> [Help 1]

I'm not seeing this behavior locally, or in our other actions using the same credentials (from github secrets) which use actions/setup-java@v1.

Action is configured as follows:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Build and Test
        uses: qcastel/github-actions-maven-cmd@master
        with:
          maven-args: "clean install -Ddockerfile.skip -DdockerCompose.skip -Djib.skip"
      - name: Prepare and Deploy Release
        uses: qcastel/github-actions-maven-release@master
        env:
          JAVA_HOME: /usr/lib/jvm/java-11-openjdk/
        with:
          # releases are done from the main branch
          release-branch-name: "main"
          version-minor: ${{github.event.inputs.minor_increment}}
          version-major: ${{github.event.inputs.major_increment}}
          git-release-bot-name: "xyz-bot"
          git-release-bot-email: "[email protected]"
          ###########################################################
          maven-args: ""
          ###########################################################
          ssh-private-key: ${{ secrets.XYZ_SSH }}
          ###########################################################
          gpg-enabled: true
          gpg-key-id: ${{ secrets.XYZ_KEY_ID }}
          gpg-key: ${{ secrets.XYZ_KEY }}
          ###########################################################
          # configure nexus repository
          maven-repo-server-id: repo-id-xyz   
          maven-repo-server-username: ${{ secrets.XYZ_MAVEN_USERNAME }}
          maven-repo-server-password: ${{ secrets.XYZ_MAVEN_PASSWORD }}

[justinwb]

I should probably note that this actually failing in the qcastel/github-actions-maven-cmd@master step

[qcastel]

@justinwb I am not sure what it could be, as this github action hasn't changed.

Can I see the repo? (add my user if it's a private repo)

[jhorne1992]

@justinwb I have this exact same issue, were you able to fix it?

[caiges]

I'm running into this as well. Reverting to an older release that did not change private maven server configuration to use JSON blobs works fine:

uses: qcastel/[email protected]
with:
         maven-repo-server-id: repo-id
         maven-repo-server-username: ${{ secrets.maven_repo_username }}
         maven-repo-server-password: ${{ secrets.maven_repo_password }}

[qcastel]

@caiges I would be interested to debug the JSON blobs issue still. Is there a way you can share with me your config so I could reproduce the issue you had?

[qcastel]

At the moment, I somehow left a log of the maven settings: https://github.com/qcastel/docker-maven-release/blob/master/setup-maven-servers.sh#L40

Could you tell if there is an error in the resulting settings xml ?

Note: I will remove this logs as it's best not logging the settings each time but for now, lets use it.

[justinwb]

@justinwb I have this exact same issue, were you able to fix it?

@jhorne1992 No I was never able to resolve it. i was able to work around it at the time because the repository was open-source / public and making a public repo in nexus worked. I'm about to need it for private repositories again and likely to run into the same problem.

@qcastel any progress getting to a root cause / solution?

[justinwb]

Some updates on this after a few days of testing:

1. I'm still running into this problem, and it's happening regardless of private repository. Specifically, it happens on nexus as well as github packages.
2. Targeting qcastel/[email protected] per @caiges suggestion didn't change the behavior for me.
3. It works if the release is for private artifacts that don't depend on other artifacts in a private repository. For example, if I'm releasing A in private repository B, and A has no other dependencies on artifacts in private repository B, there are no issues. If I'm releasing C in private repository B, and C also depends on A in private repository B, I see the problem.

@qcastel I can't give you access to the repositories in question because they are proprietary in nature. There's some urgency on our side to resolve this, so I may start digging in deeper on the root cause of this and #47. If you have any pointers (or could assist) let me know.