【问题标题】:GitHub Actions: Error 401 Unauthorized in JIB maven pluginGitHub Actions:JIB maven 插件中的错误 401 未经授权
【发布时间】:2022-02-10 07:46:52
【问题描述】:

简介

我目前正在创建一个复合 GitHub Actions,它使用 JIB 从 Java 项目构建一个容器,并将其自动发布到 GitHub Packages 和 Maven Central。

有问题

但是当我尝试运行它时出现此错误:

[INFO] 
[INFO] Containerizing application to gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5...
Warning:  Base image 'eclipse-temurin:17-jre' does not use a specific image digest - build may not be reproducible
[INFO] Using credentials from <to><auth> for gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5
[INFO] Getting manifest for base image eclipse-temurin:17-jre...
[INFO] Building dependencies layer...
[INFO] Building resources layer...
[INFO] Building classes layer...
[INFO] Building jvm arg files layer...
[INFO] The base image requires auth. Trying again for eclipse-temurin:17-jre...
[INFO] Using credentials from Docker config (/home/runner/.docker/config.json) for eclipse-temurin:17-jre
[INFO] Using base image with digest: sha256:e7a4a45b88525250e668cc6149b95b3952a8e9cba8c341b70c4d34c4e4d5eed5
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  10.272 s
[INFO] Finished at: 2022-02-09T00:37:22Z
[INFO] ------------------------------------------------------------------------
Error:  Failed to execute goal com.google.cloud.tools:jib-maven-plugin:3.2.0:build (default-cli) on project codingame-puzzles-stats-saver: Build image failed, perhaps you should make sure your credentials for 'gcr.io/mathieusoysal/codingame-puzzles-stats-saver' are set up correctly. See https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-unauthorized for help: Unauthorized for gcr.io/mathieusoysal/codingame-puzzles-stats-saver: 401 Unauthorized
Error:  {"errors":[{"code":"UNAUTHORIZED","message":"Not Authorized."}]}
Error:  -> [Help 1]
Error:  
Error:  To see the full stack trace of the errors, re-run Maven with the -e switch.
Error:  Re-run Maven using the -X switch to enable full debug logging.
Error:  
Error:  For more information about the errors and possible solutions, please read the following articles:
Error:  [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
Error: Process completed with exit code 1.

受影响的代码:

name: JIB container publish
description: "Build automatically container with JIB and publish it to GitHub Packages."
branding:
  icon: "package"
  color: "gray-dark"

inputs:
  # Use docker.io for Docker Hub if empty
  REGISTRY:
    description: "Registry of the image to publish"
    required: true
    default: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME:
    description: "Name of the image to publish"
    required: true
    default: ${{ github.repository }}
  # Username to login to registry
  USERNAME:
    description: "Username to login to registry"
    required: true
    default: ${{ github.actor }}
  # Password to login to registry
  PASSWORD:
    description: "Password to login to registry"
    required: true
  # Name of the tag to publish
  tag-name:
    description: "Tag name of the image to publish"
    required: true
    default: "latest"
  # Java version to use
  java-version:
    description: "Java version to use"
    required: true
    default: "17"

runs:
  using: "composite"
  steps:
    - id: downcase
      uses: ASzc/change-string-case-action@v2
      with:
        string: ${{ inputs.IMAGE_NAME }}

    - uses: actions/checkout@v2
    - name: Set up JDK 17
      uses: actions/setup-java@v2
      with:
        distribution: "adopt"
        java-version: ${{ inputs.java-version }}

    - name: Buil JIB container and publish to GitHub Packages
      run: |
        mvn compile com.google.cloud.tools:jib-maven-plugin:3.2.0:build \
        -Djib.to.image=${{ inputs.REGISTRY }}/${{ steps.downcase.outputs.lowercase }}:${{ inputs.tag-name }} \
        -Djib.to.auth.username=${{ inputs.USERNAME }} \
        -Djib.to.auth.password=${{ inputs.PASSWORD }}
      shell: bash

执行相关 GitHub 操作的代码:

name: Deploy Javadoc

on:
name: JIB container publish

on:
  release:
    types: [created]

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: JIB container build and publish
        uses: MathieuSoysal/jib-container-publish.yml@v2.0.7
        with:
          # Use docker.io for Docker Hub if empty
          REGISTRY: gcr.io
          # github.repository as <your-account>/<your-repo>
          IMAGE_NAME: ${{ github.repository }}
          # Tag name of the image to publish
          tag-name: ${{ github.event.release.tag_name }}
          # Username to login to registry
          USERNAME: ${{ github.actor }}
          # Password to login to registry
          PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          java-version: 17

问题

有人有解决这个问题的想法吗?

回购链接:https://github.com/MathieuSoysal/jib-container-publish.yml

【问题讨论】:

    标签: java maven github-actions jib maven-jib


    【解决方案1】:

    一切看起来都不错。 Jib 从-Dto.auth.{username|password} 检索到凭据。

    Using credentials from <to><auth> for gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5
    

    我怀疑您只是没有为gcr.io(Google Container Registry,与ghcr.io 不同)传递正确的“用户名”和“密码”。从这个doc

    注意:这种身份验证方法只能作为最后的手段使用,因为以纯文本形式显示您的密码是不安全的。请注意,通常云注册表(例如,Google GCR、Amazon ECR 和 Azure ACR)不接受“用户凭据”(例如 Gmail 帐户名和密码),但需要不同形式的凭据。例如,您可以使用 oauth2accesstoken or _json_key 作为 GCR 的用户名,使用 AWS 作为 ECR 的用户名。对于 ACR,您可以使用 service principle

    AFAICT,对于 GCR,to.auth.username 在字面上是 oath2accesstoken_json_key。用户名是${{ github.actor }} 没有意义。


    此外,为了安全起见,您应该确保未记录或显示您在命令行中传递的身份验证参数。看看这个Stack Overflow answer 了解一般的注册表身份验证。

    此外,通常您需要对“发件人”图像和“收件人”图像进行身份验证。

    【讨论】:

    • 这个工作流工作github.com/MathieuSoysal/Java-Maven-Project-Template/blob/main/…,他使用${{ github.actor }}
    • 但我认为你是对的 GitHub 一定堵塞了 secrets.GITHUB_TOKEN,所以问题是如何告诉它不要这样做。
    • 该链接针对ghcr.io(较新的GitHub注册表),因此使用${{ github.actor }}似乎是正确的。在您的情况下,您的目标是 gcr.io(Google 那个)。
    • 所以现在我发现gcr.io 是一个错字,而您实际上想要定位ghcr.io
    猜你喜欢
    • 2015-12-11
    • 1970-01-01
    • 1970-01-01
    • 2019-03-07
    • 1970-01-01
    • 2015-04-19
    • 1970-01-01
    • 1970-01-01
    • 2017-12-20
    相关资源
    最近更新 更多