Missing scope to read in maven registry
Summary
In our organization, we have java developers that produce jars and need to share them. We use the GitLab maven repository. The documentation explains which scope to use to create a token to download and deploy artifacts but not to just download (i.e. read access) artifacts. We want to avoid Java developer to deploy artifacts as in our process only the CI/CD can to it. We have tried all the scopes and none of them allow us to have a read-only capability on the maven repository.
Steps to reproduce
Configure your settings.xml with a token generated with all the read-only scope and try to build a project that depends on another project artifact (i.e. dependency). You will get the following result:
$ mvn compile
[INFO] Scanning for projects...
[INFO]
[INFO] -----------------------< xx.xxx:test-dep-java >-----------------------
[INFO] Building test-dep-java 0.1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
Downloading from gitlab-maven: https://gitlab.com/api/v4/groups/xxxxx/-/packages/maven/xxx/xxx/xxxxxx/0.1.15/xxxxxx-0.1.15.pom
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.090 s
[INFO] Finished at: 2020-04-01T12:16:54+02:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project test-dep-java: Could not resolve dependencies for project xx.xxx:xxxxxx:jar:0.1.0-SNAPSHOT: Failed to collect dependencies at xx.xxx:xxxxxx:jar:0.1.15: Failed to read artifact descriptor for xx.xxx:xxxxxx:jar:0.1.15: Could not transfer artifact xx.xxx:xxxxxx:pom:0.1.15 from/to gitlab-maven (https://gitlab.com/api/v4/groups/xxxxx/-/packages/maven): Authorization failed for https://gitlab.com/api/v4/groups/xxxxxx/-/packages/maven/xx/xxx/xxxxxxx/0.1.15/xxxxxxx-0.1.15.pom 403 Forbidden -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException
Example Project
Cannot do it sorry.
What is the current bug behavior?
Cannot use any read-only scope:
https://gitlab.com/api/v4/groups/xxxxxx/-/packages/maven/xx/xxx/xxxxxxx/0.1.15/xxxxxxx-0.1.15.pom 403 ForbiddenWhat is the expected correct behavior?
Downloaded from gitlab-maven: https://gitlab.com/api/v4/groups/xxxxxx/-/packages/maven/xx/xxx/xxxxxxx/0.1.15/xxxxxxx-0.1.15.jar (2.5 kB at 4.0 kB/s)
[INFO]
[INFO] --- maven-resources-plugin:2.6:resources (default-resources) @ test-dep-java ---
[INFO] Using 'UTF-8' encoding to copy filtered resources.
[INFO] skip non existing resourceDirectory /home/xxxxxxx/test-dep-java/src/main/resources
[INFO]
[INFO] --- maven-compiler-plugin:3.8.1:compile (default-compile) @ test-dep-java ---
[INFO] Nothing to compile - all classes are up to date
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 3.831 s
[INFO] Finished at: 2020-04-01T12:47:18+02:00
[INFO] ------------------------------------------------------------------------Relevant logs and/or screenshots
mvn compile
[INFO] Scanning for projects...
[INFO]
[INFO] -----------------------< xx.xxx:test-dep-java >-----------------------
[INFO] Building test-dep-java 0.1.0-SNAPSHOT
[INFO] --------------------------------[ jar ]---------------------------------
Downloading from gitlab-maven: https://gitlab.com/api/v4/groups/xxxxx/-/packages/maven/xxx/xxx/xxxxxx/0.1.15/xxxxxx-0.1.15.pom
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.090 s
[INFO] Finished at: 2020-04-01T12:16:54+02:00
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project test-dep-java: Could not resolve dependencies for project xx.xxx:xxxxxx:jar:0.1.0-SNAPSHOT: Failed to collect dependencies at xx.xxx:xxxxxx:jar:0.1.15: Failed to read artifact descriptor for xx.xxx:xxxxxx:jar:0.1.15: Could not transfer artifact xx.xxx:xxxxxx:pom:0.1.15 from/to gitlab-maven (https://gitlab.com/api/v4/groups/xxxxx/-/packages/maven): Authorization failed for https://gitlab.com/api/v4/groups/xxxxxx/-/packages/maven/xx/xxx/xxxxxxx/0.1.15/xxxxxxx-0.1.15.pom 403 Forbidden -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionExceptionOutput of checks
This bug happens on GitLab.com