Why is the Gradle publish task not able to get the secret token passed by the GitHub action?


I have implemented GITHUB workflow actions to publish my Spring Boot app to GitHub Packages.

I have followed the GitHub Gradle ref but I'm getting 401 Unauthorized.

It seems that the GitHub action is not able to pass env variables so that the Gradle task can get GIT_CICD_TOKEN by using System.getenv("GIT_CICD_TOKEN").

The implementation I followed:

Step for publishing package on github packages:

- name: Publish package
  uses: gradle/gradle-build-action@v2
  with:
    gradle-version: 8.5
    arguments: Publish
  env:
    GIT_CICD_TOKEN: ${{ secrets.GIT_CICD_TOKEN }}

Gradle file:

plugins {
    id 'maven-publish'
    id 'java'
    id 'org.springframework.boot' version '3.2.1'
    id 'io.spring.dependency-management' version '1.1.4'
}

publishing {
    repositories {
        maven {
            name = "GitHubPackages"
            url = "https://maven.pkg.github.com/organization_name/repo_name"
            credentials {
                username = 'myUserName'
                password = System.getenv("GIT_CICD_TOKEN")
            }
        }
    }

    publications {
        maven(MavenPublication) {
            artifact bootJar
            groupId = 'com.xx'
            artifactId = 'appName'
            version = '0.0.1-XXXX-SNAPSHOT'
        }
    }
}

NOTE: I have tried putting the token string value directly in the password field and it worked fine.

Do you have any suggestions?

There is 1 answer

Stefano

I understood that I can use the default GitHub variables to publish the package without using a Personal Access Token.

Let me post my workflow and build.gradle file that are working fine.

Ref: GitHub default variables link

GitHub Publish-package workflow, fixed:

name: Publish-package-on-GitHub-packages

on:
  workflow_dispatch:
    inputs:
      environment:
        description: Target environment
        required: true
        type: environment
        default: dev

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v3

      - name: packaging workflow  
        uses: actions/setup-java@v3
        with:
          java-version: '17'
          distribution: 'temurin'

      - name: Make gradlew executable
        run: |
          chmod +x ./gradlew

      - name: Get App Version
        id: get-app-version
        run: |
          echo "APP_VERSION_NAME=$(${{github.workspace}}/gradlew -q printAppVersionName)" >> "$GITHUB_ENV"
      
      - name: Print App version
        id: print-app-version
        run: |
          echo "app version: ${{env.APP_VERSION_NAME}}"

      - name: Validate Gradle wrapper
        uses: gradle/wrapper-validation-action@v1

      - name: Publish package
        uses: gradle/gradle-build-action@v2
        with:
          gradle-version: 8.5
          arguments: Publish
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Link to GITHUB_TOKEN ref

REMARK on GITHUB_TOKEN and GITHUB_ACTOR

At the start of each workflow job, GitHub automatically creates a unique GITHUB_TOKEN secret to use in your workflow. You can use the GITHUB_TOKEN to authenticate in the workflow job.

I recommend checking GITHUB_TOKEN's workflow permissions at the following path:

Action --> General --> Workflow permissions

In my case: [screenshot]

GITHUB_ACTOR: The name of the person or app that initiated the workflow.

As written in the GitHub documentation, the permissions key specifies the access that the GITHUB_TOKEN secret will allow.

build.gradle 8.5 version

        plugins {
            id 'maven-publish'
            id 'java'
            id 'org.springframework.boot' version '3.2.1'
            id 'io.spring.dependency-management' version '1.1.4'
        }
        
        ext {
            group = 'com.xx'
            name = 'app_name'
            version = '0.0.1-feature_name-SNAPSHOT'
        }
        
        
        java {
            sourceCompatibility = '17'
        }
        
        repositories {
            mavenCentral()
        }
        
        dependencies {
            implementation 'org.springframework.boot:spring-boot-starter'
            testImplementation 'org.springframework.boot:spring-boot-starter-test'
        }

        task printAppVersionName {
            setSkipBootRun();
            println project.ext.version
        }

        def setSkipBootRun() {
            def value = hasProperty('inputSkipBootRun') ? inputSkipBootRun : false;
            project.ext.skipBootRun = value;
        }
        
        tasks.named('test') {
            useJUnitPlatform()
        }
        
        
        publishing {
            repositories {
                maven {
                    name = "GitHubPackages"
                    url = "https://maven.pkg.github.com/org_name/repo_name"
                    credentials {
                        username = System.getenv("GITHUB_ACTOR")
                        password = System.getenv("GITHUB_TOKEN")
                    }
                }
            }
        
            publications {
                maven(MavenPublication) {
                    artifact bootJar
                    groupId = project.ext.group
                    artifactId = project.ext.name
                    version = project.ext.version
                }
            }
        }
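
Added example, not part of the question or the answer above: a shell check for a workflow `run:` step that reports whether the credential variables read by `System.getenv(...)` actually reached the step, without printing their values. It relies on two facts: an undefined secret expands to an empty string, and GitHub tokens carry a type prefix (`ghs_` for the automatic GITHUB_TOKEN, `ghp_` for a classic PAT, `github_pat_` for a fine-grained PAT). The function names `token_env_state` and `check_publish_env` are hypothetical.

```shell
#!/bin/sh
# Added example: describe how a credential variable arrived in a step.
# Only the state or the token type prefix is reported, never the value.

# token_env_state NAME -> prints one word; exit 1 if unset/empty, 2 if bad name
token_env_state() {
  _tes_name=$1
  # The name is passed to eval below, so accept a plain identifier only.
  case $_tes_name in
    ''|[!A-Za-z_]*|*[!A-Za-z0-9_]*) echo "bad-name"; return 2 ;;
  esac
  eval "_tes_set=\${$_tes_name+set}"
  if [ -z "$_tes_set" ]; then echo "unset"; return 1; fi
  eval "_tes_val=\${$_tes_name}"
  _tes_rc=0
  case $_tes_val in
    '')           _tes_state="empty"; _tes_rc=1 ;;   # e.g. secret not defined
    ghs_*)        _tes_state="actions-token" ;;      # automatic GITHUB_TOKEN
    ghp_*)        _tes_state="classic-pat" ;;
    github_pat_*) _tes_state="fine-grained-pat" ;;
    *)            _tes_state="present" ;;            # non-token value, e.g. GITHUB_ACTOR
  esac
  unset _tes_val
  echo "$_tes_state"
  return $_tes_rc
}

# check_publish_env NAME... -> one "NAME: state" line each;
# returns non-zero if any variable is unset, empty or badly named.
check_publish_env() {
  _cpe_rc=0
  for _cpe_name in "$@"; do
    _cpe_state=$(token_env_state "$_cpe_name") || _cpe_rc=1
    echo "$_cpe_name: $_cpe_state"
  done
  return $_cpe_rc
}

# In a step placed before "Publish package", with the same env: block:
#   check_publish_env GITHUB_ACTOR GITHUB_TOKEN
```

A result of `empty` or `unset` means the problem is in how the secret reaches the step; a recognised token type with a 401 points at the token's permissions or scopes instead.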