On Thu, Sep 28, 2023 at 4:37 AM Vladimir Belousov <[email protected]> wrote:
> We use dependencies that are hosted on GitHub Packages in our plugin. I guess you mean https://github.com/jenkinsci/redhat-dependency-analytics-plugin/blob/f4b606b8b509795917edc2f2915c6a3322a85e4d/pom.xml#L212-L215 to access https://github.com/RHEcosystemAppEng/exhort-java-api This is not standard practice and is likely to cause issues. Normally any dependencies you need should be published either to Jenkins Artifactory, if they are specific to Jenkins, or Maven Central if not. I am well aware that https://github.com/RHEcosystemAppEng/exhort-java-api/blob/ed0cb76f5ccd1d0d74bdbc6d36a4c04b2900d51c/.github/workflows/release.yml#L56-L61 is vastly simpler to manage than deploying to OSSRH. At some point https://sigstore.github.io/sigstore-maven-plugin/ should make it possible to deploy to Central using GHA OIDC tokens, but it is not ready yet and AFAIK there is no published timeline. If you really want to access GH Packages, you can probably do so with `GITHUB_TOKEN` in GHA without needing a PAT. This would work for the CD action, probably with custom modifications, but would not work for ci.jenkins.io so Jenkinsfile would be useless; you would need to set up your own CI. -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr3cZ-hh_%3D7zJ8t91kdf3aEi08c%2Br1-A9eQrgo9NaLa_yg%40mail.gmail.com.
