Publish Maven artifact to Package Repository fails with Access denied

Hi. Using GitLab.com with a hosted project.

The CI pipeline is working well, project is a maven project.

Have followed the decription in Maven packages in the Package Repository | GitLab

But I get message

Could not transfer metadata bwa.gitlab:customregistry:1.0-SNAPSHOT/maven-metadata.xml from/to gitlab-maven (https://gitlab.com/api/v4/projects/24136422/packages/maven): Access denied to: https://gitlab.com/api/v4/projects/24136422/packages/maven/bwa/gitlab/customregistry/1.0-SNAPSHOT/maven-metadata.xml , ReasonPhrase:Forbidden.

The command executed in CI pipeline is

**mvn $MAVEN_CLI_OPTS -s $CI_PROJECT_DIR/ci_settings.xml deploy**

The ci-settings.xml is created : (xxxx is just to mask the real Deploy-Token value)

<settings xmlns="http://maven.apache.org/SETTINGS/1.1.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd">
  <servers>
    <server>
      <id>gitlab-maven</id>
      <configuration>
        <httpHeaders>
          <property>
            <name>Deploy-Token</name>
            <value>xxxxxxxxxxx</value>
          </property>
        </httpHeaders>
      </configuration>
    </server>
  </servers>
</settings>

Then the pom.xml has

<repositories>
	    <repository>
	        <id>gitlab-maven</id>
	        <url>${env.CI_SERVER_URL}/api/v4/projects/${env.CI_PROJECT_ID}/packages/maven</url>
	    </repository>
</repositories>
<distributionManagement>
	    <repository>
	        <id>gitlab-maven</id>
	        <url>${env.CI_SERVER_URL}/api/v4/projects/${env.CI_PROJECT_ID}/packages/maven</url>
	    </repository>
	    <snapshotRepository>
	        <id>gitlab-maven</id>
	        <url>${env.CI_SERVER_URL}/api/v4/projects/${env.CI_PROJECT_ID}/packages/maven</url>
	    </snapshotRepository>
</distributionManagement>    

Following the doc this should be simple, but it’s not.

I’m very certain that the deploy-token value is correct, but I wonder if the username of the deploytoken shall be put somewhere ?

The scope of the DeployToken is : read_repository, read_registry, write_registry, read_package_registry, write_package_registry

1 Like

By changing the Deploy-Token to Private-Token and use a private token with api scope, it works. So it looks like a bug in GitLab ?

1 Like