
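Introduction

I am currently creating a composite GitHub Action that builds a container from a Java project with JIB and automatically publishes it to GitHub Packages and Maven Central.

Problematic

But when I try to run it, I get this error: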

[INFO] 
[INFO] Containerizing application to gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5...
Warning:  Base image 'eclipse-temurin:17-jre' does not use a specific image digest - build may not be reproducible
[INFO] Using credentials from <to><auth> for gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5
[INFO] Getting manifest for base image eclipse-temurin:17-jre...
[INFO] Building dependencies layer...
[INFO] Building resources layer...
[INFO] Building classes layer...
[INFO] Building jvm arg files layer...
[INFO] The base image requires auth. Trying again for eclipse-temurin:17-jre...
[INFO] Using credentials from Docker config (/home/runner/.docker/config.json) for eclipse-temurin:17-jre
[INFO] Using base image with digest: sha256:e7a4a45b88525250e668cc6149b95b3952a8e9cba8c341b70c4d34c4e4d5eed5
[INFO] 
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time:  10.272 s
[INFO] Finished at: 2022-02-09T00:37:22Z
[INFO] ------------------------------------------------------------------------
Error:  Failed to execute goal com.google.cloud.tools:jib-maven-plugin:3.2.0:build (default-cli) on project codingame-puzzles-stats-saver: Build image failed, perhaps you should make sure your credentials for 'gcr.io/mathieusoysal/codingame-puzzles-stats-saver' are set up correctly. See https://github.com/GoogleContainerTools/jib/blob/master/docs/faq.md#what-should-i-do-when-the-registry-responds-with-unauthorized for help: Unauthorized for gcr.io/mathieusoysal/codingame-puzzles-stats-saver: 401 Unauthorized
Error:  {"errors":[{"code":"UNAUTHORIZED","message":"Not Authorized."}]}
Error:  -> [Help 1]
Error:  
Error:  To see the full stack trace of the errors, re-run Maven with the -e switch.
Error:  Re-run Maven using the -X switch to enable full debug logging.
Error:  
Error:  For more information about the errors and possible solutions, please read the following articles:
Error:  [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoExecutionException
Error: Process completed with exit code 1.

Affected code:

name: JIB container publish
description: "Build automatically container with JIB and publish it to GitHub Packages."
branding:
  icon: "package"
  color: "gray-dark"

inputs:
  # Use docker.io for Docker Hub if empty
  REGISTRY:
    description: "Registry of the image to publish"
    required: true
    default: ghcr.io
  # github.repository as <account>/<repo>
  IMAGE_NAME:
    description: "Name of the image to publish"
    required: true
    default: ${{ github.repository }}
  # Username to login to registry
  USERNAME:
    description: "Username to login to registry"
    required: true
    default: ${{ github.actor }}
  # Password to login to registry
  PASSWORD:
    description: "Password to login to registry"
    required: true
  # Name of the tag to publish
  tag-name:
    description: "Tag name of the image to publish"
    required: true
    default: "latest"
  # Java version to use
  java-version:
    description: "Java version to use"
    required: true
    default: "17"

runs:
  using: "composite"
  steps:
    - id: downcase
      uses: ASzc/change-string-case-action@v2
      with:
        string: ${{ inputs.IMAGE_NAME }}

    - uses: actions/checkout@v2
    - name: Set up JDK 17
      uses: actions/setup-java@v2
      with:
        distribution: "adopt"
        java-version: ${{ inputs.java-version }}

    - name: Buil JIB container and publish to GitHub Packages
      run: |
        mvn compile com.google.cloud.tools:jib-maven-plugin:3.2.0:build \
        -Djib.to.image=${{ inputs.REGISTRY }}/${{ steps.downcase.outputs.lowercase }}:${{ inputs.tag-name }} \
        -Djib.to.auth.username=${{ inputs.USERNAME }} \
        -Djib.to.auth.password=${{ inputs.PASSWORD }}
      shell: bash

Code that runs the GitHub Action in question:

name: JIB container publish

on:
  release:
    types: [created]

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - name: JIB container build and publish
        uses: MathieuSoysal/jib-container-publish.yml@v2.0.7
        with:
          # Use docker.io for Docker Hub if empty
          REGISTRY: gcr.io
          # github.repository as <your-account>/<your-repo>
          IMAGE_NAME: ${{ github.repository }}
          # Tag name of the image to publish
          tag-name: ${{ github.event.release.tag_name }}
          # Username to login to registry
          USERNAME: ${{ github.actor }}
          # Password to login to registry
          PASSWORD: ${{ secrets.GITHUB_TOKEN }}
          java-version: 17

Question

Does anyone have an idea how to solve this problem?

Repo link: https://github.com/MathieuSoysal/jib-container-publish.yml


1 Answer


Everything looks fine. Jib retrieves the credentials from -Dto.auth.{username|password}:

Using credentials from <to><auth> for gcr.io/mathieusoysal/codingame-puzzles-stats-saver:v1.0.2.5

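I suspect you are simply not passing the correct "username" and "password" for gcr.io (Google Container Registry, which is different from ghcr.io). From this documentation:

Note: This authentication method should be used only as a last resort, as it is insecure to show your password in plain text. Note that cloud registries (e.g., Google GCR, Amazon ECR, and Azure ACR) often do not accept "user credentials" (such as a Gmail account name and password) but require different forms of credentials. For example, you may use oauth2accesstoken or _json_key as the username for GCR, and AWS for ECR. For ACR, you may use a service principal.

For GCR, AFAICT to.auth.username is either oauth2accesstoken or _json_key, literally. A username of ${{ github.actor }} doesn't make sense.


Also, for security, you should make sure that the auth parameters you pass on the command line are not logged or displayed. See this Stack Overflow answer for general registry authentication.

Also, you often need to authenticate for both the "from" image and the "to" image.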

Answered 2022-02-09T16:56:16.813
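
The answer's two points (a username GCR accepts, and keeping the password off the command line) applied to the action's last step, as an added example that is not part of the original post or of the repository. The environment variable names and the GCR_JSON_KEY secret are assumptions made here; the step relies on Jib falling back to ~/.docker/config.json, as the log above shows it doing for the base image.

```yaml
# Added example: replaces the last entry under runs.steps in the composite action.
# Caller side for gcr.io (GCR_JSON_KEY is a hypothetical secret holding a
# service-account JSON key):
#   USERNAME: _json_key
#   PASSWORD: ${{ secrets.GCR_JSON_KEY }}
- name: Build JIB container and publish
  shell: bash
  env:
    # Inputs are bound to environment variables, so their values are never
    # expanded into the script text by the ${{ }} templating.
    REGISTRY: ${{ inputs.REGISTRY }}
    REGISTRY_USERNAME: ${{ inputs.USERNAME }}
    REGISTRY_PASSWORD: ${{ inputs.PASSWORD }}
    IMAGE_REF: ${{ inputs.REGISTRY }}/${{ steps.downcase.outputs.lowercase }}:${{ inputs.tag-name }}
  run: |
    set -euo pipefail
    # Fail early with a clear message instead of a 401 from the registry:
    # the Jib note quoted above names oauth2accesstoken and _json_key as the
    # usernames for GCR.
    case "$REGISTRY" in
      gcr.io|*.gcr.io)
        case "$REGISTRY_USERNAME" in
          oauth2accesstoken|_json_key) ;;
          *)
            echo "::error::username for $REGISTRY must be oauth2accesstoken or _json_key"
            exit 1
            ;;
        esac
        ;;
    esac
    # The password is read from stdin, so it is not a process argument and
    # does not appear in the Maven command line.
    printf '%s' "$REGISTRY_PASSWORD" |
      docker login "$REGISTRY" --username "$REGISTRY_USERNAME" --password-stdin
    # No -Djib.to.auth.* here: Jib finds the entry written by docker login.
    mvn --batch-mode compile com.google.cloud.tools:jib-maven-plugin:3.2.0:build \
      -Djib.to.image="$IMAGE_REF"
```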