GitHub Actions: Error 401 Unauthorized in JIB maven plugin

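Introduction

I am currently creating a composite GitHub Action that uses JIB to build a container from a Java project and automatically publishes it to GitHub Packages and Maven Central.

Problem

But when I try to run it, I get this error: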

[INFO] 
[INFO] Containerizing application to gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5...
Warning:  Base image 'eclipse-temurin:17-jre' does not use a specific image digest - build may not be reproducible
[INFO] Using credentials from <to><auth> for gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5
[INFO] Getting manifest for base image eclipse-temurin:17-jre...
[INFO] Building dependencies layer...
[INFO] Building resources layer...
[INFO] Building classes layer...
[INFO] Building jvm arg files layer...
[INFO] The base image requires auth. Trying again for eclipse-temurin:17-jre...
[INFO] Using credentials from Docker config (/home/runner/.docker/config.json) for eclipse-temurin:17-jre
[INFO] Using base image with digest: sha256:e7a4a45b88525250e668cc6149b95b3952a8e9cba8c341b70c4d34c4e4d5eed5
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  10.272 s
[INFO] Finished at: 2022-02-09T00:37:22Z
[INFO] ------------------------------------------------------------------------
Error:  Failed to execute goal com.google.cloud.tools:jib-maven-plugin:3.2.0:build (default-cli) on project codingame-puzzles-stats-saver: Build image failed, perhaps you should make sure your credentials for 'gcr.io/mathieusoysal/codingame-puzzles-stats-saver' are set up correctly. See https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-unauthorized for help: Unauthorized for gcr.io/mathieusoysal/codingame-puzzles-stats-saver: 401 Unauthorized
Error:  {"errors":[{"code":"UNAUTHORIZED","message":"Not Authorized."}]}
Error:  -> [Help 1]
Error:  
Error:  To see the full stack trace of the errors, re-run Maven with the -e switch.
Error:  Re-run Maven using the -X switch to enable full debug logging.
Error:  
Error:  For more information about the errors and possible solutions, please read the following articles:
Error:  [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
Error: Process completed with exit code 1.

Affected code:

name: JIB container publish
description: "Build automatically container with JIB and publish it to GitHub Packages."
branding:
  icon: "package"
  color: "gray-dark"

inputs:
  # Use docker.io for Docker Hub if empty
  REGISTRY:
    description: "Registry of the image to publish"
    required: true
    default: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME:
    description: "Name of the image to publish"
    required: true
    default: ${{ github.repository }}
  # Username to login to registry
  USERNAME:
    description: "Username to login to registry"
    required: true
    default: ${{ github.actor }}
  # Password to login to registry
  PASSWORD:
    description: "Password to login to registry"
    required: true
  # Name of the tag to publish
  tag-name:
    description: "Tag name of the image to publish"
    required: true
    default: "latest"
  # Java version to use
  java-version:
    description: "Java version to use"
    required: true
    default: "17"

runs:
  using: "composite"
  steps:
    - id: downcase
      uses: ASzc/change-string-case-action@v2
      with:
        string: ${{ inputs.IMAGE_NAME }}

    - uses: actions/checkout@v2
    - name: Set up JDK 17
      uses: actions/setup-java@v2
      with:
        distribution: "adopt"
        java-version: ${{ inputs.java-version }}

    - name: Buil JIB container and publish to GitHub Packages
      run: |
        mvn compile com.google.cloud.tools:jib-maven-plugin:3.2.0:build \
        -Djib.to.image=${{ inputs.REGISTRY }}/${{ steps.downcase.outputs.lowercase }}:${{ inputs.tag-name }} \
        -Djib.to.auth.username=${{ inputs.USERNAME }} \
        -Djib.to.auth.password=${{ inputs.PASSWORD }}
      shell: bash

Code of the workflow that runs the GitHub Action:

name: JIB container publish

on:
  release:
    types: [created]

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: JIB container build and publish
        uses: MathieuSoysal/jib-container-publish.yml@v2.0.7
        with:
          # Use docker.io for Docker Hub if empty
          REGISTRY: gcr.io
          # github.repository as <your-account>/<your-repo>
          IMAGE_NAME: ${{ github.repository }}
          # Tag name of the image to publish
          tag-name: ${{ github.event.release.tag_name }}
          # Username to login to registry
          USERNAME: ${{ github.actor }}
          # Password to login to registry
          PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          java-version: 17

Question

Does anyone have an idea how to solve this problem?

Repository

Link: https://github.com/MathieuSoysal/jib-container-publish.yml

Everything looks fine. Jib retrieved the credentials from -Dto.auth.{username|password}:
Using credentials from <to><auth> for gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5

I suspect you are simply not passing the correct "username" and "password" for gcr.io (Google Container Registry, which is different from ghcr.io). From this doc:

Note: This method of authentication should be used only as a last resort, as it is insecure to make your password visible in plain text. Note that often cloud registries (for example, Google GCR, Amazon ECR, and Azure ACR) do not accept "user credentials" (such as Gmail account name and password) but require different forms of credentials. For example, you may use oauth2accesstoken or _json_key as the username for GCR, and AWS for ECR. For ACR, you may use a service principle.

AFAICT, for GCR, to.auth.username is literally oauth2accesstoken or _json_key. It doesn't make sense for the username to be ${{ github.actor }}.

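Also, for security, you should make sure that the auth parameters you pass on the command line are not logged or displayed. Take a look at this for registry authentication in general.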

Also, you often need to authenticate for both the "from" image and the "to" image.
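
A workflow along the lines of the answer above, as an added example that is not part of the original question or answer: it logs in to gcr.io with the literal username _json_key and keeps the credential off the mvn command line by letting Jib read the Docker config file, as the log already shows it doing for the base image. The secret name GCR_JSON_KEY and the `<gcp-project-id>/<image-name>` path are placeholders assumed for illustration.

```yaml
# Added example. Assumptions: GCR_JSON_KEY is a hypothetical repository secret
# holding a Google service-account JSON key; <gcp-project-id>/<image-name> is a
# placeholder for the real image path on gcr.io.
name: JIB container publish

on:
  release:
    types: [created]

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      - name: Set up JDK 17
        uses: actions/setup-java@v2
        with:
          distribution: "adopt"
          java-version: "17"

      # gcr.io does not accept github.actor / GITHUB_TOKEN (those belong to
      # ghcr.io). The username is the literal string _json_key, or
      # oauth2accesstoken when the password is a short-lived access token.
      # The login step writes ~/.docker/config.json, which Jib reads, so the
      # secret never appears in the mvn arguments or the build log.
      - name: Log in to gcr.io
        uses: docker/login-action@v3
        with:
          registry: gcr.io
          username: _json_key
          password: ${{ secrets.GCR_JSON_KEY }}

      # Values reach the script through env rather than inline ${{ }} expansion,
      # so they are handled as data by the shell. No -Djib.to.auth.* is passed.
      - name: Build and push with Jib
        env:
          IMAGE: gcr.io/<gcp-project-id>/<image-name>
          TAG: ${{ github.event.release.tag_name }}
        run: |
          mvn compile com.google.cloud.tools:jib-maven-plugin:3.2.0:build \
            "-Djib.to.image=${IMAGE}:${TAG}"
```

If the base image also lives in a private registry, add a second login step for that registry so that the "from" side is authenticated as well.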