--- stage: Package group: Package Registry info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/product/ux/technical-writing/#assignments --- # Maven packages in the Package Registry **(FREE)** Publish [Maven](https://maven.apache.org) artifacts in your project's Package Registry using Gradle. Then, install the packages whenever you need to use them as a dependency. For documentation of the specific API endpoints that the Maven package manager client uses, see the [Maven API documentation](../../../api/packages/maven.md). Learn how to build a [Gradle](../workflows/build_packages.md#gradle) package. ## Publish to the GitLab Package Registry ### Tokens You need a token to publish a package. Different tokens are available depending on what you're trying to achieve. For more information, review the [guidance on tokens](../package_registry/index.md#authenticate-with-the-registry). - If your organization uses two-factor authentication (2FA), you must use a personal access token with the scope set to `api`. - If you publish a package via CI/CD pipelines, you must use a CI job token. Create a token and save it to use later in the process. ## Authenticate to the Package Registry with Gradle ### Authenticate with a personal access token or deploy token in Gradle In [your `GRADLE_USER_HOME` directory](https://docs.gradle.org/current/userguide/directory_layout.html#dir:gradle_user_home), create a file `gradle.properties` with the following content: ```properties gitLabPrivateToken=REPLACE_WITH_YOUR_TOKEN ``` Your token name depends on which token you use. | Token type | Token name | | --------------------- | --------------- | | Personal access token | `Private-Token` | | Deploy token | `Deploy-Token` | Add a `repositories` section to your [`build.gradle`](https://docs.gradle.org/current/userguide/tutorial_using_tasks.html) file: ```groovy repositories { maven { url "https://gitlab.example.com/api/v4/groups//-/packages/maven" name "GitLab" credentials(HttpHeaderCredentials) { name = 'REPLACE_WITH_TOKEN_NAME' value = gitLabPrivateToken } authentication { header(HttpHeaderAuthentication) } } } ``` Or add it to your `build.gradle.kts` file if you are using Kotlin DSL: ```kotlin repositories { maven { url = uri("https://gitlab.example.com/api/v4/groups//-/packages/maven") name = "GitLab" credentials(HttpHeaderCredentials::class) { name = "REPLACE_WITH_TOKEN_NAME" value = findProperty("gitLabPrivateToken") as String? } authentication { create("header", HttpHeaderAuthentication::class) } } } ``` ### Authenticate with a CI job token in Gradle To authenticate with a CI job token, add a `repositories` section to your [`build.gradle`](https://docs.gradle.org/current/userguide/tutorial_using_tasks.html) file: ```groovy repositories { maven { url "${CI_API_V4_URL}/groups//-/packages/maven" name "GitLab" credentials(HttpHeaderCredentials) { name = 'Job-Token' value = System.getenv("CI_JOB_TOKEN") } authentication { header(HttpHeaderAuthentication) } } } ``` Or add it to your `build.gradle.kts` file if you are using Kotlin DSL: ```kotlin repositories { maven { url = uri("$CI_API_V4_URL/groups//-/packages/maven") name = "GitLab" credentials(HttpHeaderCredentials::class) { name = "Job-Token" value = System.getenv("CI_JOB_TOKEN") } authentication { create("header", HttpHeaderAuthentication::class) } } } ``` ### Naming convention You can use one of three API endpoints to install a Maven package. You must publish a package to a project, but note which endpoint you use to install the package. The option you choose determines the settings you add to your `pom.xml` file for publishing. The three endpoints are: - **Project-level**: Use when you have a few Maven packages that are not in the same GitLab group. - **Group-level**: Use when installing packages from many different projects in the same GitLab group. GitLab does not guarantee the uniqueness of package names in the group. You can have two projects with the same package name and package version. As a result, GitLab serves whichever one is more recent. - **Instance-level**: Use when installing many packages from different GitLab groups or in their own namespace. **Only packages with the same path as the project** are exposed by the instance-level endpoint. | Project | Package | Instance-level endpoint available | | ------------------- | -------------------------------- | --------------------------------- | | `foo/bar` | `foo/bar/1.0-SNAPSHOT` | Yes | | `gitlab-org/gitlab` | `foo/bar/1.0-SNAPSHOT` | No | | `gitlab-org/gitlab` | `gitlab-org/gitlab/1.0-SNAPSHOT` | Yes | #### Endpoint URLs | Endpoint | Endpoint URL | Additional information | | -------- | ------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------- | | Project | `https://gitlab.example.com/api/v4/projects//packages/maven` | Replace `gitlab.example.com` with your domain name. Replace `` with your project ID found on your project's homepage. | | Group | `https://gitlab.example.com/api/v4/groups//-/packages/maven` | Replace `gitlab.example.com` with your domain name. Replace `` with your group ID found on your group's homepage. | | Instance | `https:///gitlab.example.com/api/v4/packages/maven` | Replace `gitlab.example.com` with your domain name. | In all cases, to publish a package, you need: - A project-specific URL in the `distributionManagement` section. - A `repository` and `distributionManagement` section. ### Edit the Groovy DSL or Kotlin DSL The Gradle Groovy DSL `repositories` section should look like this: ```groovy repositories { maven { url "" name "GitLab" } } ``` In Kotlin DSL: ```kotlin repositories { maven { url = uri("") name = "GitLab" } } ``` - Replace `` with the [endpoint](#endpoint-urls) you chose. ## Publish using Gradle Your token name depends on which token you use. | Token type | Token name | | --------------------- | --------------- | | Personal access token | `Private-Token` | | Deploy token | `Deploy-Token` | To publish a package by using Gradle: 1. Add the Gradle plugin [`maven-publish`](https://docs.gradle.org/current/userguide/publishing_maven.html) to the plugins section: In Groovy DSL: ```groovy plugins { id 'java' id 'maven-publish' } ``` In Kotlin DSL: ```kotlin plugins { java `maven-publish` } ``` 1. Add a `publishing` section: In Groovy DSL: ```groovy publishing { publications { library(MavenPublication) { from components.java } } repositories { maven { url "https://gitlab.example.com/api/v4/projects//packages/maven" credentials(HttpHeaderCredentials) { name = "REPLACE_WITH_TOKEN_NAME" value = gitLabPrivateToken // the variable resides in $GRADLE_USER_HOME/gradle.properties } authentication { header(HttpHeaderAuthentication) } } } } ``` In Kotlin DSL: ```kotlin publishing { publications { create("library") { from(components["java"]) } } repositories { maven { url = uri("https://gitlab.example.com/api/v4/projects//packages/maven") credentials(HttpHeaderCredentials::class) { name = "REPLACE_WITH_TOKEN_NAME" value = findProperty("gitLabPrivateToken") as String? // the variable resides in $GRADLE_USER_HOME/gradle.properties } authentication { create("header", HttpHeaderAuthentication::class) } } } } ``` 1. Replace `PROJECT_ID` with your project ID, which you can find on your project's home page. 1. Run the publish task: ```shell gradle publish ``` Go to your project's **Packages and registries** page and view the published packages. ## Install a package To install a package from the GitLab Package Registry, you must configure the [remote and authenticate](#authenticate-to-the-package-registry-with-gradle). After configuring the remote and authenticate, you can install a package from a project, group, or namespace. If multiple packages have the same name and version, when you install a package, the most recently-published package is retrieved. Add a [dependency](https://docs.gradle.org/current/userguide/declaring_dependencies.html) to `build.gradle` in the dependencies section: ```groovy dependencies { implementation 'com.mycompany.mydepartment:my-project:1.0-SNAPSHOT' } ``` Or to `build.gradle.kts` if you are using Kotlin DSL: ```kotlin dependencies { implementation("com.mycompany.mydepartment:my-project:1.0-SNAPSHOT") } ``` ## Helpful hints For the complete list of helpful hints, see the [Maven documentation](../maven_repository/index.md#helpful-hints). ### Create Maven packages with GitLab CI/CD by using Gradle You can create a package each time the `main` branch is updated. 1. Authenticate with [a CI job token in Gradle](#authenticate-with-a-ci-job-token-in-gradle). 1. Add a `deploy` job to your `.gitlab-ci.yml` file: ```yaml deploy: image: gradle:6.5-jdk11 script: - 'gradle publish' only: - main ``` 1. Commit files to your repository. When the pipeline is successful, the Maven package is created. ### Publishing a package with the same name or version When you publish a package with the same name and version as an existing package, the new package files are added to the existing package. You can still use the UI or API to access and view the existing package's older assets. Consider using the Packages API or the UI to delete older package versions. ### Do not allow duplicate Maven packages To prevent users from publishing duplicate Maven packages, you can use the [GraphQl API](../../../api/graphql/reference/index.md#packagesettings) or the UI. In the UI: 1. For your group, go to **Settings > Packages and registries**. 1. Expand the **Package Registry** section. 1. Turn on the **Do not allow duplicates** toggle. 1. Optional. To allow some duplicate packages, in the **Exceptions** box, enter a regex pattern that matches the names and/or versions of packages you want to allow. Your changes are automatically saved. ### Request forwarding to Maven Central FLAG: By default, this feature is not available for self-managed. To make it available, ask an administrator to [enable the feature flag](../../../administration/feature_flags.md) named `maven_central_request_forwarding`. This feature is not available for SaaS users. When a Maven package is not found in the Package Registry, the request is forwarded to [Maven Central](https://search.maven.org/). When the feature flag is enabled, administrators can disable this behavior in the [Continuous Integration settings](../../admin_area/settings/continuous_integration.md). There are many ways to configure your Maven project to request packages in Maven Central from GitLab. Maven repositories are queried in a [specific order](https://maven.apache.org/guides/mini/guide-multiple-repositories.html#repository-order). By default, maven-central is usually checked first through the [Super POM](https://maven.apache.org/guides/introduction/introduction-to-the-pom.html#Super_POM), so GitLab needs to be configured to be queried before maven-central. [Using GitLab as a mirror of the central proxy](../maven_repository/index.md#setting-gitlab-as-a-mirror-for-the-central-proxy) is one way to force GitLab to be queried in place of maven-central. Maven forwarding is restricted to only the project level and group level [endpoints](#naming-convention). The instance-level endpoint has naming restrictions that prevent it from being used for packages that don't follow that convention and also introduces too much security risk for supply-chain style attacks.