I’ve tried to use opam-publish to publish a new version of my rfsm package. The used version is 2.2.0. I get the following error message:
$ opam-publish
The following will be published:
- rfsm version 2.2 with opam file at /Users/jserot/Dev/ml/rfsm/rfsm.opam
archive at https://github.com/jserot/rfsm/archive/refs/tags/2.2.tar.gz
You will be shown the patch before submitting.
Please confirm the above data. Continue ? [Y/n] Y
Cloning the package repository, this may take a while...
+ /usr/local/bin/git "clone" "git@github.com:ocaml/opam-repository.git" "/Users/jserot/.opam/plugins/opam-publish/repos/ocaml%opam-repository"
- Cloning into '/Users/jserot/.opam/plugins/opam-publish/repos/ocaml%opam-repository'...
- git@github.com: Permission denied (publickey).
- fatal: Could not read from remote repository.
-
- Please make sure you have the correct access rights
- and the repository exists.
[ERROR] Uncaught exception: "/usr/local/bin/git clone git@github.com:ocaml/opam-repository.git
/Users/jserot/.opam/plugins/opam-publish/repos/ocaml%opam-repository" exited with code 128
IIUC, opam-publish tries to clone the opam repo on GH into my local .opam directory and fails because I do not have the required auths. Is this repo not public?
It sounds more like it tries to git clone git@github.com:ocaml/opam-repository.git and there is no SSH public/private keypair on your system to allow doing that. Does running this command in the shell manually work for you?
opam-publish < 2.7.0 requires an SSH key registered with GitHub that git is able to use, as @Leonidas said.
opam-publish 2.7.0 changes that to use the token directly but has some issues that are being currently dealt with (automatic token migration, missing token permission).
If you can keep these issues in mind, you can use 2.7.0 by removing the ~/.opam/plugins/opam-publish directory to reset the previous configuration and adding the missing workflow permission when creating the new token.
But if you have an SSH key, better keep opam-publish at its current version and use the key for now until these issues are dealt with.
Seems you’re right @Leonidas. Running the git clone command from the shell gives the same error.
Thx for the suggestion @kit-ty-kate. I will try to use SSH keys (although it has never been clear for me how to create and use them, unfortunately - but my fault)
I finally managed to use SSH keys for pushing/pulling to GH.
But opam publish insists on using tokens:
$ opam publish
The following will be published:
- rfsm version 2.3 with opam file at /Users/jserot/Dev/ml/rfsm/rfsm.opam
archive at https://github.com/jserot/rfsm/archive/refs/tags/2.3.tar.gz
You will be shown the patch before submitting.
Please confirm the above data. Continue ? [Y/n] Y
Existing Github token is no longer valid (~/.opam/plugins/opam-publish/ocaml%opam-repository.token).
Please generate a Github token at https://github.com/settings/tokens/new to allow access.
The "public_repo" scope is required ("repo" if submitting to a private opam repository).
Please enter your GitHub personal access token:
How do I instruct opam publish to use an existing pair of SSH keys?
PS: btw, there seem to be two ways of invoking opam publish: opam publish and opam-publish. Are they equivalent?
I don’t think that is possible because opam-publish (like dune-release) uses the GitHub API and that one needs access tokens. SSH keys are only used for pushing to Git repos.
Generally the GitHub API is more powerful than what can be done with SSH keys as it allows opening PRs etc. but can also do Git operations now, so in theory only tokens are necessary. I wrote a quick hack to implement a subset of dune-release functionality some time ago that only used GitHub API tokens and I think this is the way to go in the future (at least when publishing to GitHub).
The recent releases of opam-publish have gone the other way, as @Leonidas says, and made it possible to do this with just the GitHub token.
Yes - opam-publish is the binary, and opam publish causes opam itself to install opam-publish (if necessary) and then invoke it. opam publish is slightly better because it doesn’t require you to have opam-publish installed in your current switch.
I’m using opam-publish 2.2.0. I should be able (have to?) use SSH keys, don’t I?
I’ve recently switched to SSH keys for pushing/pulling to GH. Surely I can get back to GH tokens but can the two mechanisms co-exist for the same repo?
You can use SSH keys to do git operations on GitHub hosted repos (e.g., pushing and pulling from a repo), but opam-publish also opens PRs into the opam repo, which requires hitting the GitHub REST API, and this latter authentication requires the token.
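The token side of the thread can be checked before publishing. The following is an added example, not code from the thread or from opam-publish: it reads the scopes GitHub reports for a token in the `X-OAuth-Scopes` response header and lists which of the scopes named above ("public_repo", plus "workflow" for 2.7.0) are missing. It assumes a classic personal access token (the header is not expected for fine-grained tokens); the function names and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: which required scopes does a GitHub token lack?
# With a real token, feed the headers of an authenticated request, e.g.:
#   curl -sI -H "Authorization: Bearer $TOKEN" https://api.github.com/user | token_scopes

# Constructed sample of response headers (not captured from a real token).
SAMPLE_HEADERS='HTTP/2 200
content-type: application/json; charset=utf-8
x-oauth-scopes: public_repo, read:org
x-github-request-id: CONSTRUCTED'

# token_scopes: read response headers on stdin, print the scope list.
# Header names are case-insensitive and lines may end in CRLF.
token_scopes() {
    tr -d '\r' | awk 'tolower($0) ~ /^x-oauth-scopes:/ {
        sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# has_scope SCOPES NAME: succeed if NAME is in the comma-separated SCOPES.
# The broader "repo" scope also covers "public_repo".
has_scope() {
    list=$(printf '%s' "$1" | tr -d ' ')
    case ",$list," in
        *",$2,"*) return 0 ;;
    esac
    if [ "$2" = "public_repo" ]; then
        case ",$list," in
            *",repo,"*) return 0 ;;
        esac
    fi
    return 1
}

# missing_scopes SCOPES NAME...: print the required scopes that are absent.
missing_scopes() {
    have=$1; shift
    out=
    for want in "$@"; do
        has_scope "$have" "$want" || out="${out:+$out }$want"
    done
    printf '%s\n' "$out"
}

scopes=$(printf '%s\n' "$SAMPLE_HEADERS" | token_scopes)
echo "token scopes: $scopes"
echo "missing for opam-publish 2.7.0: $(missing_scopes "$scopes" public_repo workflow)"
```

A token that reports more scopes than the ones listed here is broader than publishing needs and is worth regenerating with a narrower set.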