Introduction
I am currently to create a composite GitHub Actions that build a container from Java project with JIB and publish it automatically to a GitHub Packages and Maven Central.
Problematic
But I got this error when I try to run it:
[INFO]
[INFO] Containerizing application to gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5...
Warning: Base image 'eclipse-temurin:17-jre' does not use a specific image digest - build may not be reproducible
[INFO] Using credentials from <to><auth> for gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5
[INFO] Getting manifest for base image eclipse-temurin:17-jre...
[INFO] Building dependencies layer...
[INFO] Building resources layer...
[INFO] Building classes layer...
[INFO] Building jvm arg files layer...
[INFO] The base image requires auth. Trying again for eclipse-temurin:17-jre...
[INFO] Using credentials from Docker config (/home/runner/.docker/config.json) for eclipse-temurin:17-jre
[INFO] Using base image with digest: sha256:e7a4a45b88525250e668cc6149b95b3952a8e9cba8c341b70c4d34c4e4d5eed5
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 10.272 s
[INFO] Finished at: 2022-02-09T00:37:22Z
[INFO] ------------------------------------------------------------------------
Error: Failed to execute goal com.google.cloud.tools:jib-maven-plugin:3.2.0:build (default-cli) on project codingame-puzzles-stats-saver: Build image failed, perhaps you should make sure your credentials for 'gcr.io/mathieusoysal/codingame-puzzles-stats-saver' are set up correctly. See https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-unauthorized for help: Unauthorized for gcr.io/mathieusoysal/codingame-puzzles-stats-saver: 401 Unauthorized
Error: {"errors":[{"code":"UNAUTHORIZED","message":"Not Authorized."}]}
Error: -> [Help 1]
Error:
Error: To see the full stack trace of the errors, re-run Maven with the -e switch.
Error: Re-run Maven using the -X switch to enable full debug logging.
Error:
Error: For more information about the errors and possible solutions, please read the following articles:
Error: [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
Error: Process completed with exit code 1.
Affected code:
name: JIB container publish
description: "Build automatically container with JIB and publish it to GitHub Packages."
branding:
icon: "package"
color: "gray-dark"
inputs:
# Use docker.io for Docker Hub if empty
REGISTRY:
description: "Registry of the image to publish"
required: true
default: ghcr.io
# github.repository as <account>/<repo>
IMAGE_NAME:
description: "Name of the image to publish"
required: true
default: ${{ github.repository }}
# Username to login to registry
USERNAME:
description: "Username to login to registry"
required: true
default: ${{ github.actor }}
# Password to login to registry
PASSWORD:
description: "Password to login to registry"
required: true
# Name of the tag to publish
tag-name:
description: "Tag name of the image to publish"
required: true
default: "latest"
# Java version to use
java-version:
description: "Java version to use"
required: true
default: "17"
runs:
using: "composite"
steps:
- id: downcase
uses: ASzc/change-string-case-action@v2
with:
string: ${{ inputs.IMAGE_NAME }}
- uses: actions/checkout@v2
- name: Set up JDK 17
uses: actions/setup-java@v2
with:
distribution: "adopt"
java-version: ${{ inputs.java-version }}
- name: Buil JIB container and publish to GitHub Packages
run: |
mvn compile com.google.cloud.tools:jib-maven-plugin:3.2.0:build \
-Djib.to.image=${{ inputs.REGISTRY }}/${{ steps.downcase.outputs.lowercase }}:${{ inputs.tag-name }} \
-Djib.to.auth.username=${{ inputs.USERNAME }} \
-Djib.to.auth.password=${{ inputs.PASSWORD }}
shell: bash
Code that execute the GitHub Actions in question:
name: Deploy Javadoc
on:
name: JIB container publish
on:
release:
types: [created]
jobs:
publish:
runs-on: ubuntu-latest
steps:
- name: JIB container build and publish
uses: MathieuSoysal/[email protected]
with:
# Use docker.io for Docker Hub if empty
REGISTRY: gcr.io
# github.repository as <your-account>/<your-repo>
IMAGE_NAME: ${{ github.repository }}
# Tag name of the image to publish
tag-name: ${{ github.event.release.tag_name }}
# Username to login to registry
USERNAME: ${{ github.actor }}
# Password to login to registry
PASSWORD: ${{ secrets.GITHUB_TOKEN }}
java-version: 17
Question
Anyone have an idea to solve this problem?
Link of the repo: https://github.com/MathieuSoysal/jib-container-publish.yml
CodePudding user response:
Everything looks good. Jib retrieved credentials from -Dto.auth.{username|password}.
Using credentials from <to><auth> for gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5
I suspect that you are just not passing the right "username" and "password" for gcr.io (Google Container Registry, which is different from ghcr.io). From this doc,
Note: This method of authentication should be used only as a last resort, as it is insecure to make your password visible in plain text. Note that often cloud registries (for example, Google GCR, Amazon ECR, and Azure ACR) do not accept "user credentials" (such as Gmail account name and password) but require different forms of credentials. For example, you may use
oauth2accesstokenor_json_keyas the username for GCR, andAWSfor ECR. For ACR, you may use a service principle.
AFAICT, for GCR, to.auth.username would be either oath2accesstoken or _json_key literally. It doesn't make sense that the username is ${{ github.actor }}.
Aside, you should make sure that the auth arguments you pass on the command-line is not logged or shown for security. Take a look at this Stack Overflow answer to understand general registry authentication.
Also, typically you'll want auth for both the "from" image and "to" image.