Tags: java, maven, github-actions, jib, maven-jib

GitHub Actions: Error 401 Unauthorized in JIB maven plugin


Introduction

I am currently trying to create a composite GitHub Action that builds a container from a Java project with JIB and publishes it automatically to GitHub Packages and Maven Central.

Problem

But I get this error when I try to run it:

[INFO] 
[INFO] Containerizing application to gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5...
Warning:  Base image 'eclipse-temurin:17-jre' does not use a specific image digest - build may not be reproducible
[INFO] Using credentials from <to><auth> for gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5
[INFO] Getting manifest for base image eclipse-temurin:17-jre...
[INFO] Building dependencies layer...
[INFO] Building resources layer...
[INFO] Building classes layer...
[INFO] Building jvm arg files layer...
[INFO] The base image requires auth. Trying again for eclipse-temurin:17-jre...
[INFO] Using credentials from Docker config (/home/runner/.docker/config.json) for eclipse-temurin:17-jre
[INFO] Using base image with digest: sha256:e7a4a45b88525250e668cc6149b95b3952a8e9cba8c341b70c4d34c4e4d5eed5
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  10.272 s
[INFO] Finished at: 2022-02-09T00:37:22Z
[INFO] ------------------------------------------------------------------------
Error:  Failed to execute goal com.google.cloud.tools:jib-maven-plugin:3.2.0:build (default-cli) on project codingame-puzzles-stats-saver: Build image failed, perhaps you should make sure your credentials for 'gcr.io/mathieusoysal/codingame-puzzles-stats-saver' are set up correctly. See https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-unauthorized for help: Unauthorized for gcr.io/mathieusoysal/codingame-puzzles-stats-saver: 401 Unauthorized
Error:  {"errors":[{"code":"UNAUTHORIZED","message":"Not Authorized."}]}
Error:  -> [Help 1]
Error:  
Error:  To see the full stack trace of the errors, re-run Maven with the -e switch.
Error:  Re-run Maven using the -X switch to enable full debug logging.
Error:  
Error:  For more information about the errors and possible solutions, please read the following articles:
Error:  [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
Error: Process completed with exit code 1.

Affected code:

name: JIB container publish
description: "Build automatically container with JIB and publish it to GitHub Packages."
branding:
  icon: "package"
  color: "gray-dark"

inputs:
  # Use docker.io for Docker Hub if empty
  REGISTRY:
    description: "Registry of the image to publish"
    required: true
    default: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME:
    description: "Name of the image to publish"
    required: true
    default: ${{ github.repository }}
  # Username to login to registry
  USERNAME:
    description: "Username to login to registry"
    required: true
    default: ${{ github.actor }}
  # Password to login to registry
  PASSWORD:
    description: "Password to login to registry"
    required: true
  # Name of the tag to publish
  tag-name:
    description: "Tag name of the image to publish"
    required: true
    default: "latest"
  # Java version to use
  java-version:
    description: "Java version to use"
    required: true
    default: "17"

runs:
  using: "composite"
  steps:
    - id: downcase
      uses: ASzc/change-string-case-action@v2
      with:
        string: ${{ inputs.IMAGE_NAME }}

    - uses: actions/checkout@v2
    - name: Set up JDK 17
      uses: actions/setup-java@v2
      with:
        distribution: "adopt"
        java-version: ${{ inputs.java-version }}

    - name: Build JIB container and publish to GitHub Packages
      run: |
        mvn compile com.google.cloud.tools:jib-maven-plugin:3.2.0:build \
        -Djib.to.image=${{ inputs.REGISTRY }}/${{ steps.downcase.outputs.lowercase }}:${{ inputs.tag-name }} \
        -Djib.to.auth.username=${{ inputs.USERNAME }} \
        -Djib.to.auth.password=${{ inputs.PASSWORD }}
      shell: bash

Code that executes the GitHub Action in question:

name: JIB container publish

on:
  release:
    types: [created]

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: JIB container build and publish
        uses: MathieuSoysal/jib-container-publish.yml@v2.0.7
        with:
          # Use docker.io for Docker Hub if empty
          REGISTRY: gcr.io
          # github.repository as <your-account>/<your-repo>
          IMAGE_NAME: ${{ github.repository }}
          # Tag name of the image to publish
          tag-name: ${{ github.event.release.tag_name }}
          # Username to login to registry
          USERNAME: ${{ github.actor }}
          # Password to login to registry
          PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          java-version: 17

Question

Does anyone have an idea how to solve this problem?

Link of the repo: https://github.com/MathieuSoysal/jib-container-publish.yml


Solution

  • Everything looks good. Jib retrieved credentials from -Dto.auth.{username|password}.

    Using credentials from <to><auth> for gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5
    

    I suspect that you are just not passing the right "username" and "password" for gcr.io (Google Container Registry, which is different from ghcr.io). From this doc,

    Note: This method of authentication should be used only as a last resort, as it is insecure to make your password visible in plain text. Note that often cloud registries (for example, Google GCR, Amazon ECR, and Azure ACR) do not accept "user credentials" (such as Gmail account name and password) but require different forms of credentials. For example, you may use oauth2accesstoken or _json_key as the username for GCR, and AWS for ECR. For ACR, you may use a service principal.

    AFAICT, for GCR, to.auth.username would be either oauth2accesstoken or _json_key literally. It doesn't make sense that the username is ${{ github.actor }}.


    As an aside, you should make sure that the auth arguments you pass on the command line are not logged or shown, for security. Take a look at this Stack Overflow answer to understand general registry authentication.

    Also, typically you'll want auth for both the "from" image and "to" image.
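
The two points made in the answer above, shown as configuration. This is an added example, not part of the original answer or the project's own code. The secret name GCR_JSON_KEY and the image path `<gcp-project-id>/<image>` are placeholders assumed for illustration.

```yaml
# --- action.yml (composite action), final step ------------------------------
# Inputs are mapped to environment variables instead of being expanded into
# the script text with ${{ }}. A value containing shell metacharacters can
# then no longer alter the command, and the secret is not written into the
# rendered script. Quoting also keeps a multi-line JSON key as one argument.
    - name: Build JIB container and publish
      shell: bash
      env:
        TO_IMAGE: ${{ inputs.REGISTRY }}/${{ steps.downcase.outputs.lowercase }}:${{ inputs.tag-name }}
        TO_USERNAME: ${{ inputs.USERNAME }}
        TO_PASSWORD: ${{ inputs.PASSWORD }}
      run: |
        mvn compile com.google.cloud.tools:jib-maven-plugin:3.2.0:build \
          "-Djib.to.image=${TO_IMAGE}" \
          "-Djib.to.auth.username=${TO_USERNAME}" \
          "-Djib.to.auth.password=${TO_PASSWORD}"

# --- caller workflow, step that pushes to gcr.io -----------------------------
      - name: JIB container build and publish
        uses: MathieuSoysal/jib-container-publish.yml@v2.0.7
        with:
          REGISTRY: gcr.io
          # Placeholder (assumption): GCR image paths begin with a Google
          # Cloud project ID, not a GitHub account name.
          IMAGE_NAME: <gcp-project-id>/<image>
          tag-name: ${{ github.event.release.tag_name }}
          # Literal username GCR expects when the password is a service
          # account JSON key (oauth2accesstoken is the other accepted value,
          # paired with a short-lived access token).
          USERNAME: _json_key
          # Hypothetical repository secret (assumption) holding the service
          # account key. GITHUB_TOKEN is issued by GitHub and is not a GCR
          # credential, which is why the original run returned 401.
          PASSWORD: ${{ secrets.GCR_JSON_KEY }}
          java-version: 17
```

The password is still visible in the `mvn` process arguments on the runner, so the service account behind the key should have only the permissions needed to push to that one repository.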