How to add Github maven registry into build.sbt


I want to add a Scala library to my build.sbt dependencies. Here is the sample package; it is published in the GitHub registry. This library is not from the official Maven repository; I could not find it in the Maven repository. I think it could not be installed there.

<dependency>
  <groupId>gjuoun</groupId>
  <artifactId>hellopackage_2.13</artifactId>
  <version>0.1.6</version>
</dependency>

Then I found that it should belong to ghcr.io, so I added this line to my build.sbt.

resolvers += "hellopackage" at "http://ghcr.io/gjuoun/hellopackage"

It does not work at all. I could not use it. I am looking for a better way to install this package by using resolvers without addSbtPlugin. (I don't want to use pom.xml if possible.)

Thanks for any help.

1

There are 1 best solutions below

0
On BEST ANSWER

See details in "http4s-request-signer_2.13 dependency is not downloaded from central repository".

  • If you don't want to use sbt plugins and you're interested only in building your project but not publishing it (to the GitHub registry), then you can just add this to build.sbt:
// specifying repo is optional: "_"
resolvers += "Another maven repo" at "https://maven.pkg.github.com/gjuoun/_"

credentials += Credentials(
  "GitHub Package Registry",
  "maven.pkg.github.com",
  "_", // user is ignored
  "ghp_YOUR_GITHUB_TOKEN"
)

libraryDependencies += "gjuoun" %% "hellopackage" % "0.1.6"

That's basically what the plugin does.

For security reasons it's better not to hardcode the token in build.sbt but, for example, to put it into an environment variable:

credentials += Credentials(
  "GitHub Package Registry",
  "maven.pkg.github.com",
  "_",
  sys.env("GITHUB_TOKEN")
)

You can check that without credentials sbt will not be able to build your project.

The thing is that although you can manually download a JAR from GitHub in your browser without authentication (and put it into lib), this doesn't mean that GitHub allows reading, resolving, or downloading programmatically via API (sbt, ivy, coursier) without authentication.

You need authentication only the first time. Then the JAR will be cached locally in ~/.cache/coursier/v1/https/maven.pkg.github.com/gjuoun/_/gjuoun/hellopackage_2.13/0.1.6/ and will be taken from there further on.

Several quotes:

A valid Github token shouldn't always be mandatory #28

GitHub requires a token even for read-only access to packages.

Credentials should remain optional #34

So the problem I have with this is the fact that resolution from GitHub Packages also requires a token. You can't just download a package unauthenticated, meaning that credentials are necessary at all times regardless of whether or not you're publishing. Honestly, this is a thing that GitHub needs to fix.
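
One way to keep the token out of build.sbt entirely, as an added example (not code from the answer above or from any sbt plugin): it uses GITHUB_TOKEN when set, otherwise falls back to a credentials file outside the repository, and warns instead of failing when neither exists. The file path `~/.sbt/github-credentials` and the `val` names are assumptions made for this example.

```scala
// build.sbt (added example; val names and the credentials file path are assumptions)

// Owner of the packages on GitHub, taken from the question.
val githubOwner = "gjuoun"

// Assumed location of a credentials file kept outside the repository,
// readable only by the current user (chmod 600). sbt's properties format:
//   realm=GitHub Package Registry
//   host=maven.pkg.github.com
//   user=_
//   password=<token with read:packages scope only>
val githubCredentialsFile = Path.userHome / ".sbt" / "github-credentials"

// HTTPS only: the token is sent with every resolution request to this host.
resolvers += "GitHub Packages" at s"https://maven.pkg.github.com/$githubOwner/_"

credentials ++= {
  // Treat an empty variable the same as an unset one.
  sys.env.get("GITHUB_TOKEN").filter(_.nonEmpty) match {
    case Some(token) =>
      // CI case: the token is injected as a secret, never written to disk.
      Seq(Credentials(
        "GitHub Package Registry",
        "maven.pkg.github.com",
        "_", // user is ignored
        token
      ))
    case None if githubCredentialsFile.exists =>
      // Developer machine case: token lives in a file that is not under version control.
      Seq(Credentials(githubCredentialsFile))
    case None =>
      // No secret available: resolution from GitHub Packages will fail unless the
      // artifact is already in the local cache, so say why up front.
      sLog.value.warn(
        s"No GITHUB_TOKEN and no $githubCredentialsFile: " +
          "dependencies hosted on maven.pkg.github.com cannot be resolved"
      )
      Seq.empty
  }
}

libraryDependencies += "gjuoun" %% "hellopackage" % "0.1.6"
```

A token used only for resolving dependencies needs no more than the `read:packages` scope, which limits the damage if it leaks from a CI log or a developer machine.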