GitHub操作: JIB maven插件中未经授权的错误401

Question

引言

目前，我将创建一个复合GitHub操作，使用JIB从Java构建一个容器，并自动将其发布到GitHub包和Maven Central中。

成问题

但是当我试图运行它时，我得到了这个错误：

[INFO] 
[INFO] Containerizing application to gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5...
Warning:  Base image 'eclipse-temurin:17-jre' does not use a specific image digest - build may not be reproducible
[INFO] Using credentials from <to><auth> for gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5
[INFO] Getting manifest for base image eclipse-temurin:17-jre...
[INFO] Building dependencies layer...
[INFO] Building resources layer...
[INFO] Building classes layer...
[INFO] Building jvm arg files layer...
[INFO] The base image requires auth. Trying again for eclipse-temurin:17-jre...
[INFO] Using credentials from Docker config (/home/runner/.docker/config.json) for eclipse-temurin:17-jre
[INFO] Using base image with digest: sha256:e7a4a45b88525250e668cc6149b95b3952a8e9cba8c341b70c4d34c4e4d5eed5
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  10.272 s
[INFO] Finished at: 2022-02-09T00:37:22Z
[INFO] ------------------------------------------------------------------------
Error:  Failed to execute goal com.google.cloud.tools:jib-maven-plugin:3.2.0:build (default-cli) on project codingame-puzzles-stats-saver: Build image failed, perhaps you should make sure your credentials for 'gcr.io/mathieusoysal/codingame-puzzles-stats-saver' are set up correctly. See https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-unauthorized for help: Unauthorized for gcr.io/mathieusoysal/codingame-puzzles-stats-saver: 401 Unauthorized
Error:  {"errors":[{"code":"UNAUTHORIZED","message":"Not Authorized."}]}
Error:  -> [Help 1]
Error:  
Error:  To see the full stack trace of the errors, re-run Maven with the -e switch.
Error:  Re-run Maven using the -X switch to enable full debug logging.
Error:  
Error:  For more information about the errors and possible solutions, please read the following articles:
Error:  [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
Error: Process completed with exit code 1.

受影响的代码：

name: JIB container publish
description: "Build automatically container with JIB and publish it to GitHub Packages."
branding:
  icon: "package"
  color: "gray-dark"

inputs:
  # Use docker.io for Docker Hub if empty
  REGISTRY:
    description: "Registry of the image to publish"
    required: true
    default: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME:
    description: "Name of the image to publish"
    required: true
    default: ${{ github.repository }}
  # Username to login to registry
  USERNAME:
    description: "Username to login to registry"
    required: true
    default: ${{ github.actor }}
  # Password to login to registry
  PASSWORD:
    description: "Password to login to registry"
    required: true
  # Name of the tag to publish
  tag-name:
    description: "Tag name of the image to publish"
    required: true
    default: "latest"
  # Java version to use
  java-version:
    description: "Java version to use"
    required: true
    default: "17"

runs:
  using: "composite"
  steps:
    - id: downcase
      uses: ASzc/change-string-case-action@v2
      with:
        string: ${{ inputs.IMAGE_NAME }}

    - uses: actions/checkout@v2
    - name: Set up JDK 17
      uses: actions/setup-java@v2
      with:
        distribution: "adopt"
        java-version: ${{ inputs.java-version }}

    - name: Buil JIB container and publish to GitHub Packages
      run: |
        mvn compile com.google.cloud.tools:jib-maven-plugin:3.2.0:build \
        -Djib.to.image=${{ inputs.REGISTRY }}/${{ steps.downcase.outputs.lowercase }}:${{ inputs.tag-name }} \
        -Djib.to.auth.username=${{ inputs.USERNAME }} \
        -Djib.to.auth.password=${{ inputs.PASSWORD }}
      shell: bash

执行有关GitHub操作的代码：

name: Deploy Javadoc

on:
name: JIB container publish

on:
  release:
    types: [created]

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: JIB container build and publish
        uses: MathieuSoysal/jib-container-publish.yml@v2.0.7
        with:
          # Use docker.io for Docker Hub if empty
          REGISTRY: gcr.io
          # github.repository as <your-account>/<your-repo>
          IMAGE_NAME: ${{ github.repository }}
          # Tag name of the image to publish
          tag-name: ${{ github.event.release.tag_name }}
          # Username to login to registry
          USERNAME: ${{ github.actor }}
          # Password to login to registry
          PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          java-version: 17

问题

有人想办法解决这个问题吗？

回购的链接：https://github.com/MathieuSoysal/jib-container-publish.yml

Answer 1

一切看起来都很好。Jib从-Dto.auth.{username|password}检索凭据。

Using credentials from <to><auth> for gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5

我怀疑您只是没有为gcr.io传递正确的“用户名”和“密码”(，与ghcr.io不同)。从这个文档，

备注：这种身份验证方法只能作为最后手段使用，因为在纯文本中显示密码是不安全的。请注意，云注册中心(例如，Google、Amazon和Azure ACR)通常不接受“用户凭据”(如Gmail帐户名和密码)，但需要不同形式的凭据。例如，您可以使用_json_key作为GCR的用户名，使用AWS作为ECR的用户名。对于ACR，您可以使用https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal。

AFAICT，对于GCR来说，to.auth.username要么是oath2accesstoken，要么是_json_key。用户名是${{ github.actor }}是没有意义的。

另外，您应该确保您在命令行上传递的auth参数不会被记录下来或显示在安全性上。看看这个堆栈溢出应答，了解一般注册表身份验证。

另外，通常您都希望使用“从”图像和“到”图像。