s4u / maven-settings-action

This action sets up the Maven settings.xml.

License: MIT License

JavaScript 99.51% Shell 0.49%
github-actions maven hacktoberfest

maven-settings-action's Introduction

maven-settings-action

This action sets up Maven environments for use in GitHub Actions by:

  • creating the Maven settings.xml
  • setting interactiveMode to false, which is useful on CI systems
  • removing the generated settings.xml after the job finishes, so that sensitive data is not cached or left on the build system
  • adding a server to servers with id=github, username=$GITHUB_ACTOR and password=$GITHUB_TOKEN

Contributions

  • Contributions are welcome!
  • Give ⭐ - if you want to encourage me to work on a project
  • Don't hesitate to create issues for new features you dream of or if you suspect some bug

Project versioning

This project uses Semantic Versioning. We recommend using the latest specific release version.

In order to keep your project dependencies up to date you can watch this repository (Releases only) or use automatic tools like Dependabot.

Usage

You can try our Setup Maven Action for a complete Maven environment setup.

See action.yml

default settings.xml

steps:
- uses: s4u/[email protected]

settings.xml with servers section

steps:
- uses: s4u/[email protected]
  with:
    servers: '[{"id": "serverId", "username": "username", "password": "password"}]'

You can also use the path argument if your settings.xml is stored in a different location.

All server attributes may be specified:

  • id (required)
  • username
  • password
  • privateKey
  • passphrase
  • filePermissions
  • directoryPermissions
  • configuration

Please refer to the servers documentation for more information.

settings.xml with servers section and additional configuration

steps:
- uses: s4u/[email protected]
  with:
    servers: |
      [{
        "id": "serverId",
        "configuration": {
          "item1": "value1",
          "item2": {
            "item21": "value21",
            "item22": "value22"
          }
        }
      }]

The result will be:

<servers><server>
    <id>serverId</id>
    <configuration>
      <item1>value1</item1>
      <item2>
        <item21>value21</item21>
        <item22>value22</item22>
      </item2>
    </configuration>
</server></servers>
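
How a nested `configuration` object in the `servers` input maps onto XML elements, as an added example that is not the action's implementation (`escapeXml`, `renderElement` and `renderServers` are hypothetical names). It escapes XML metacharacters in values and rejects keys that are not plain element names, so a password containing `&` or `<` cannot break or reshape the generated settings.xml.

```javascript
// Added illustration, not the action's implementation.
const XML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&apos;' };

// Escape text content so credentials with XML metacharacters stay data.
function escapeXml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => XML_ESCAPES[ch]);
}

// JSON keys become element names; accept only plain names so a key cannot
// carry markup into the file.
const ELEMENT_NAME = /^[A-Za-z_][A-Za-z0-9_.-]*$/;

function renderElement(name, value, indent) {
  if (!ELEMENT_NAME.test(name)) {
    throw new Error(`invalid element name: ${JSON.stringify(name)}`);
  }
  const pad = '  '.repeat(indent);
  if (Array.isArray(value)) {
    throw new Error(`arrays are not supported for <${name}>`);
  }
  if (value !== null && typeof value === 'object') {
    // Nested object: one child element per key, in insertion order.
    const children = Object.entries(value).map(([k, v]) => renderElement(k, v, indent + 1));
    return [`${pad}<${name}>`, ...children, `${pad}</${name}>`].join('\n');
  }
  return `${pad}<${name}>${escapeXml(value)}</${name}>`;
}

function renderServers(serversJson) {
  const servers = JSON.parse(serversJson);
  if (!Array.isArray(servers)) throw new Error('servers must be a JSON array');
  const body = servers.map((server) => {
    if (!server || typeof server !== 'object' || !server.id) {
      throw new Error('server id is required');
    }
    return renderElement('server', server, 1);
  });
  return ['<servers>', ...body, '</servers>'].join('\n');
}

// The servers input from the README example above.
const README_SERVERS = JSON.stringify([{
  id: 'serverId',
  configuration: { item1: 'value1', item2: { item21: 'value21', item22: 'value22' } },
}]);

console.log(renderServers(README_SERVERS));
```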

settings.xml with mirrors section

steps:
- uses: s4u/[email protected]
  with:
    mirrors: '[{"id": "mirrorId", "name": "mirrorName", "mirrorOf": "mirrorOf", "url": "mirrorUrl"}]'

settings.xml with proxies section

steps:
- uses: s4u/[email protected]
  with:
    proxies: '[{"id": "proxyId", "active": "isActive", "protocol": "proxyProtocol", "host": "proxyHost", "port": "proxyPort", "nonProxyHosts": "nonProxyHost"}]'

settings.xml with properties

steps:
- uses: s4u/[email protected]
  with:
    properties: '[{"propertyName1": "propertyValue1"}, {"propertyName2": "propertyValue2"}]'

settings.xml with https://oss.sonatype.org/content/repositories/snapshots in repository list

steps:
- uses: s4u/[email protected]
  with:
    sonatypeSnapshots: true

settings.xml with https://repository.apache.org/snapshots/ in repository list

steps:
- uses: s4u/[email protected]
  with:
    apacheSnapshots: true

Do not override an existing settings.xml (from version 2.0 the file is overridden by default):

steps:
- uses: s4u/[email protected]
  with:
    override: false

Do not add the github server to settings.xml (it is added by default):

steps:
- uses: s4u/[email protected]
  with:
    githubServer: false

settings.xml with special server item configuration for the Oracle Maven Repository

steps:
- uses: s4u/[email protected]
  with:
    oracleServers: '[{"id": "serverId", "username": "username", "password": "password"}]'

settings.xml with Oracle Maven Repository

steps:
- uses: s4u/[email protected]
  with:
    oracleRepo: true

settings.xml with custom repositories

steps:
- uses: s4u/[email protected]
  with:
    repositories: '[{"id":"repoId","name":"repoName","url":"url","snapshots":{"enabled":true}}]'

GitHub actions secrets

It is also possible to pass in GitHub Secrets, e.g.

steps:
- uses: s4u/[email protected]
  with:
    servers: |
      [{
          "id": "sonatype-nexus-snapshots",
          "username": "${{ secrets.SONATYPE_USERNAME }}",
          "password": "${{ secrets.SONATYPE_PASSWORD }}"
      }]

Note: secrets are not passed in if the workflow is triggered from a forked repository. See here for further information. This can be avoided by using an if condition on the job, e.g. if: github.event_name == 'push'.

Notes

maven-settings-action should be placed as the last step before the Maven run, so that settings.xml is not overridden by another action:

  steps:
      - uses: actions/checkout@v2

      - uses: actions/cache@v2
        with:
          path: ~/.m2/repository
          key: maven-${{ hashFiles('**/pom.xml') }}
          restore-keys: maven-

      - uses: actions/setup-java@v1
        with:
          java-version: 8

      - uses: s4u/[email protected]

      - run: mvn verify

License

The scripts and documentation in this project are released under the MIT License.

maven-settings-action's Issues

Validation too strict

The validation for required configuration elements is too strict. E.g., all proxy settings are optional (see https://maven.apache.org/xsd/settings-1.0.0.xsd, note the minOccurs="0") and some even have default values.

View XSD schema part
<xs:complexType name="Proxy">
	<xs:annotation>
		<xs:documentation source="version">1.0.0</xs:documentation>
		<xs:documentation source="description">The
			<code>&lt;proxy&gt;</code>
			element contains informations required to a proxy settings.
		</xs:documentation>
	</xs:annotation>
	<xs:all>
		<xs:element minOccurs="0" name="active" type="xs:boolean" default="false">
			<xs:annotation>
				<xs:documentation source="version">1.0.0</xs:documentation>
				<xs:documentation source="description">Whether this proxy configuration is the active one.</xs:documentation>
			</xs:annotation>
		</xs:element>
		<xs:element minOccurs="0" name="protocol" type="xs:string" default="http">
			<xs:annotation>
				<xs:documentation source="version">1.0.0</xs:documentation>
				<xs:documentation source="description">The proxy protocol.</xs:documentation>
			</xs:annotation>
		</xs:element>
		<xs:element minOccurs="0" name="username" type="xs:string">
			<xs:annotation>
				<xs:documentation source="version">1.0.0</xs:documentation>
				<xs:documentation source="description">The proxy user.</xs:documentation>
			</xs:annotation>
		</xs:element>
		<xs:element minOccurs="0" name="password" type="xs:string">
			<xs:annotation>
				<xs:documentation source="version">1.0.0</xs:documentation>
				<xs:documentation source="description">The proxy password.</xs:documentation>
			</xs:annotation>
		</xs:element>
		<xs:element minOccurs="0" name="port" type="xs:int" default="8080">
			<xs:annotation>
				<xs:documentation source="version">1.0.0</xs:documentation>
				<xs:documentation source="description">The proxy port.</xs:documentation>
			</xs:annotation>
		</xs:element>
		<xs:element minOccurs="0" name="host" type="xs:string">
			<xs:annotation>
				<xs:documentation source="version">1.0.0</xs:documentation>
				<xs:documentation source="description">The proxy host.</xs:documentation>
			</xs:annotation>
		</xs:element>
		<xs:element minOccurs="0" name="nonProxyHosts" type="xs:string">
			<xs:annotation>
				<xs:documentation source="version">1.0.0</xs:documentation>
				<xs:documentation source="description">The list of non-proxied hosts (delimited by |).</xs:documentation>
			</xs:annotation>
		</xs:element>
		<xs:element minOccurs="0" name="id" type="xs:string">
			<xs:annotation>
				<xs:documentation source="version">1.0.0</xs:documentation>
			</xs:annotation>
		</xs:element>
	</xs:all>
</xs:complexType>

Omitting optional settings currently leads to the following error: proxies must contain id, active, protocol, host, port and nonProxyHosts.

To reproduce
Use the following step in your GitHub action:

    - name: Configure Maven
      uses: s4u/[email protected]
      with:
          proxies: '[{"active": "true", "protocol": "https", "host": "proxy.host", "username": "proxy_user", "password": "proxy_password", "nonProxyHosts": ""}]'

This will result in the following error: proxies must contain id, active, protocol, host, port and nonProxyHosts, even when those settings are specified but empty ("nonProxyHosts": "").

Expected behavior
Should create settings.xml with specified settings.
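
A validator that follows the quoted schema instead of requiring every element, as an added example that is not the action's code (`validateProxies`, `withSchemaDefaults` and the field table are written for this illustration from the XSD excerpt in the report). It type-checks only what the schema types (`xs:boolean`, `xs:int`), rejects unknown elements, and never echoes values in error messages, since proxy credentials pass through it.

```javascript
// Added illustration, not the action's validation code.
// Field table transcribed from the Proxy complexType quoted in the report:
// every element has minOccurs="0", so none is required.
const PROXY_FIELDS = {
  id: { type: 'string' },
  active: { type: 'boolean', default: 'false' },
  protocol: { type: 'string', default: 'http' },
  host: { type: 'string' },
  port: { type: 'int', default: '8080' },
  username: { type: 'string' },
  password: { type: 'string' },
  nonProxyHosts: { type: 'string' },
};

// Lexical checks for the schema types used by the Proxy element.
const LEXICAL = {
  string: () => true, // empty strings are valid xs:string values
  boolean: (v) => /^(true|false|1|0)$/.test(v),
  int: (v) => /^[+-]?\d+$/.test(v) && Number(v) >= -2147483648 && Number(v) <= 2147483647,
};

// Returns { proxies, errors }. Error text names the field, never its value.
function validateProxies(proxiesJson) {
  const parsed = JSON.parse(proxiesJson);
  if (!Array.isArray(parsed)) return { proxies: [], errors: ['proxies must be a JSON array'] };
  const errors = [];
  const proxies = parsed.map((proxy, i) => {
    const out = {};
    if (proxy === null || typeof proxy !== 'object' || Array.isArray(proxy)) {
      errors.push(`proxies[${i}] must be an object`);
      return out;
    }
    for (const [key, raw] of Object.entries(proxy)) {
      const field = PROXY_FIELDS[key];
      if (!field) {
        errors.push(`proxies[${i}]: unknown element ${JSON.stringify(key)}`);
      } else if (!LEXICAL[field.type](String(raw))) {
        errors.push(`proxies[${i}].${key} is not a valid xs:${field.type}`);
      } else {
        out[key] = String(raw);
      }
    }
    return out;
  });
  return { proxies, errors };
}

// Values Maven would see once the schema defaults are applied.
function withSchemaDefaults(proxy) {
  const defaults = {};
  for (const [key, field] of Object.entries(PROXY_FIELDS)) {
    if (field.default !== undefined) defaults[key] = field.default;
  }
  return { ...defaults, ...proxy };
}

// The input from the report above (credentials are the report's placeholders).
const REPORTED_PROXIES =
  '[{"active": "true", "protocol": "https", "host": "proxy.host", ' +
  '"username": "proxy_user", "password": "proxy_password", "nonProxyHosts": ""}]';

const reported = validateProxies(REPORTED_PROXIES);
console.log('errors:', reported.errors.length, 'port:', withSchemaDefaults(reported.proxies[0]).port);
```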

Unexpected token error when running s4u/[email protected]

Describe the bug

I'm getting an unexpected token error:

Run s4u/[email protected]
with:
servers: [{"id": "sonatype-nexus-snapshots", "username": "", "password": "", "privateKey": "", "passphrase": ""}]
sonatypeSnapshots: false
apacheSnapshots: false
override: true
githubServer: true
oracleRepo: false
env:
JAVA_HOME: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/11.0.19-7/x64
JAVA_HOME_11_X64: /opt/hostedtoolcache/Java_Temurin-Hotspot_jdk/11.0.19-7/x64
Prepare maven setings: /home/runner/.m2/settings.xml
maven settings.xml already exists - override
Error: Unexpected token
in JSON at position 172

The config I have is:

      - name: Set up Sonatype Snapshots Repository
        uses: s4u/[email protected]
        with:
          servers: '[{"id": "sonatype-nexus-snapshots", "username": "${{ secrets.OSSRH_USERNAME }}", "password": "${{ secrets.OSSRH_TOKEN }}", "privateKey": "${{ secrets.MAVEN_GPG_PRIVATE_KEY }}", "passphrase": "${{ secrets.MAVEN_GPG_PASSPHRASE }}"}]'

It looks like the position lines up with the ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} entry, but it's hard to work out why it's upset.

To Reproduce

Being reproduced on all my builds at the moment, but as I'm not sure of the exact cause I can't really provide repo instructions here.

Expected behaviour

My settings.xml setup should complete without issue.

Additional context

Could this be related to some characters in my GPG Private Key? Possible escaping issue maybe? I'm really looking for hints to help diagnose the problem.
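
The escaping question raised in this report can be reproduced offline. The following is an added example, not code from the action or the reporter; it assumes the action runs `JSON.parse` on the `servers` input after each secret has been pasted into the string verbatim, and every secret value in it is constructed. It shows a multi-line key breaking the parse, a scanner that locates the raw control character, and the same data parsing cleanly once the values are JSON-encoded.

```javascript
// Added illustration, not code from maven-settings-action.
// Assumption: the action passes the `servers` input to JSON.parse after the
// runner has pasted each secret value into the string verbatim.

// Constructed sample values; the key is a fake multi-line placeholder.
const SAMPLE_SECRETS = {
  OSSRH_USERNAME: 'deploy-bot',
  OSSRH_TOKEN: 'constructed-token',
  MAVEN_GPG_PRIVATE_KEY:
    '-----BEGIN PGP PRIVATE KEY BLOCK-----\n\nEXAMPLEONLY\n-----END PGP PRIVATE KEY BLOCK-----',
};

// Same shape as the `servers` input in the report (passphrase omitted).
const SERVERS_TEMPLATE =
  '[{"id": "sonatype-nexus-snapshots", "username": "${{ secrets.OSSRH_USERNAME }}", ' +
  '"password": "${{ secrets.OSSRH_TOKEN }}", ' +
  '"privateKey": "${{ secrets.MAVEN_GPG_PRIVATE_KEY }}"}]';

// Mimics textual ${{ secrets.NAME }} substitution: no escaping is applied.
function interpolate(template, secrets) {
  return template.replace(/\$\{\{\s*secrets\.(\w+)\s*\}\}/g, (_, name) => secrets[name] ?? '');
}

function tryParse(text) {
  try {
    return { ok: true, value: JSON.parse(text) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Index of the first raw control character (< U+0020) inside a JSON string
// literal, or -1. JSON requires these to be written as escapes such as \n.
function firstControlCharInString(text) {
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const ch = text[i];
    if (inString && ch === '\\') { i++; continue; } // skip the escaped character
    if (ch === '"') { inString = !inString; continue; }
    if (inString && ch.charCodeAt(0) < 0x20) return i;
  }
  return -1;
}

// Safe construction: serialize the whole structure so newlines, quotes and
// backslashes in secret values are escaped by the JSON encoder.
function buildServersInput(secrets) {
  return JSON.stringify([{
    id: 'sonatype-nexus-snapshots',
    username: secrets.OSSRH_USERNAME,
    password: secrets.OSSRH_TOKEN,
    privateKey: secrets.MAVEN_GPG_PRIVATE_KEY,
  }]);
}

// Report only outcomes and positions, never the secret values themselves.
const rawInput = interpolate(SERVERS_TEMPLATE, SAMPLE_SECRETS);
console.log('raw parse ok:', tryParse(rawInput).ok,
  '| control char at index', firstControlCharInString(rawInput));
console.log('escaped parse ok:', tryParse(buildServersInput(SAMPLE_SECRETS)).ok);
```

In a workflow, the same escaping is available from the `toJSON` expression function: write `"privateKey": ${{ toJSON(secrets.MAVEN_GPG_PRIVATE_KEY) }}` with no surrounding quotes, because `toJSON` emits them.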

Oracle Maven repository

Is your feature request related to a problem? Please describe.
It is not possible to access the Oracle Maven repository.

Describe the solution you'd like
This is the configuration needed for Oracle repository.

 <server>
    <id>maven.oracle.com</id>
    <username>username</username>
    <password>password</password>
    <configuration>
      <basicAuthScope>
        <host>ANY</host>
        <port>ANY</port>
        <realm>OAM 11g</realm>
      </basicAuthScope>
      <httpConfiguration>
        <all>
          <params>
            <property>
              <name>http.protocol.allow-circular-redirects</name>
              <value>%b,true</value>
            </property>
          </params>
        </all>
      </httpConfiguration>
    </configuration>
  </server>

It would be nice to have a configuration with these settings.
Describe alternatives you've considered
There isn't any other alternative to access that repo.

Additional context
https://docs.oracle.com/middleware/1213/core/MAVEN/config_maven_repo.htm#MAVEN9016

Allow defining custom configuration for server

I'm using Azure Maven Plugins to deploy an application to the Azure Web App.
I'm using Service Principals in settings.xml.
This setup requires adding a server to the settings.xml without username and password, but with custom configuration.

Currently, the action requires a username and a password and does not give the ability to define the configuration section.

It would be great if you removed the requirement constraint from username and password and allowed defining configuration as key-value pairs.

Proxy support lacks authentication settings

Some proxies require authentication. There are Maven settings to configure proxy credentials:
https://maven.apache.org/settings.html#proxies

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd">
  ...
  <proxies>
    <proxy>
      <id>myproxy</id>
      <active>true</active>
      <protocol>http</protocol>
      <host>proxy.somewhere.com</host>
      <port>8080</port>
      <username>proxyuser</username>
      <password>somepassword</password>
      <nonProxyHosts>*.google.com|ibiblio.org</nonProxyHosts>
    </proxy>
  </proxies>
  ...
</settings>

(username and password).

Currently, it is not possible to specify proxy authentication using the proxies option.

repositories section missing?

Is your feature request related to a problem? Please describe.
I know that the repositories section can be expressed through the pom.xml file, but still I would expect all supported features of the settings.xml file available in an action to replace the manual inclusion of a settings.xml.

I see that the 'settings-mirrors' property exists, but I don't see any reason to limit the options.

Also from https://maven.apache.org/guides/mini/guide-mirror-settings.html

  • "The size of the central repository is increasing steadily To save us bandwidth and you time, mirroring the entire central repository is not allowed. (Doing so will get you automatically banned."
  • Therefore it would be nice to have the 'settings-repositories' property available

Describe the solution you'd like
add a 'settings-repositories' property to the action

Describe alternatives you've considered
none.

override default settings xml

If I don't remove the default settings.xml in .m2, I always get the warning "##[warning]maven settings.xml already exists - skip". I must manually delete the default settings.xml before I can generate my custom settings.xml with this action.

My understanding of an action that generates a settings.xml is that I must not delete some default files before using the action. By the way: it would be nice if there were a hint somewhere about this little issue.

Error: servers must contain id, and username or configuration

Describe the bug
The action fails to complete. Error

To Reproduce

name: Build

on:
  push:
    branches: [ master ]

jobs:
  build:

    runs-on: self-hosted

    steps:
    - uses: actions/checkout@v2
    
    - name: Setup Maven
      uses: stCarolas/[email protected]
      
    - name: Maven Settings
      uses: s4u/[email protected]
      with:
        servers: '[{"id": "myreponame", "username": "${{ secrets.USERNAME }}", "password": "${{ secrets.TOKEN }}"}]'
    
    - name: Install JDK 16
      uses: actions/setup-java@v2
      with:
        java-version: '16'
        distribution: 'adopt'
        
    - name: Build with Maven
      run: mvn -B package --file pom.xml

Expected behavior
To setup settings.xml

Additional context
Github actions log:

Error: servers must contain id, and username or configuration

Security issue: please update Acorn

┌───────────────┬──────────────────────────────────────────────────────────────┐
│ Moderate      │ Regular Expression Denial of Service                         │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Package       │ acorn                                                        │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Patched in    │ >=7.1.1                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Dependency of │ jest [dev]                                                   │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ Path          │ jest > @jest/core > @jest/reporters > jest-runtime >         │
│               │ jest-config > jest-environment-jsdom > jsdom > acorn-globals │
│               │ > acorn                                                      │
├───────────────┼──────────────────────────────────────────────────────────────┤
│ More info     │ https://npmjs.com/advisories/1488                            │
└───────────────┴──────────────────────────────────────────────────────────────┘

401 Unauthorized when downloading from a private GitHub Packages repository

Describe the bug
I added a server configuration with my user and token, which I use for my own computer, and attempted to build a separate private project that is dependent on a private Maven package in GitHub Packages. Installing the packages, however, leads to an issue where the package cannot be found.

To Reproduce
I have two private repositories in GitHub, repository A and repository B.

Repository A deploys a maven package to GitHub Packages (which works without a problem).
Repository B references the package and is able to download and install it when debugging locally.

However when running the following steps in a GitHub Action, I get the error Could not resolve dependency...

      - uses: s4u/[email protected]
        with:
          servers: '[{"id": "github", "username": "${{ env.ACTION_USER }}", "password": "${{ secrets.PACKAGES_SECRET }}"}]'
          githubServer: false
      - run: mvn clean install -T 1C -DskipTests

Full error message is as follows:

Failed to execute goal on project projectB: Could not resolve dependencies for project com.example:projectB:jar:0.0.1-SNAPSHOT: Could not find artifact com.example:projectA:jar:1.0.0-SNAPSHOT -> [Help 1]

Expected behavior
I expected the package to download without any issue.

Additional context
I have tried using the runners token, which I discovered does not have access to other private repositories. After this I tried creating a new token, which did not work either. Finally I provided the steps with my details and token, which I know to be working, as I use them locally, but still to no avail.

Support GPG "server" configuration for passphrase

Is your feature request related to a problem? Please describe.
The maven-gpg-plugin can take the private key passphrase from a server configuration in settings.xml.
See: https://maven.apache.org/plugins/maven-gpg-plugin/usage.html#Configure_passphrase_in_settings.xml

Validation currently prevents the given examples from working, first saying that either username or configuration must be provided.
Then, when configuration is provided, the error is that username and password must be provided.
If username is provided then password must also be provided (according to settings.xml docs), but if password is provided then passphrase will supposedly be ignored.

Describe the solution you'd like
Make the validation allow servers that only have id and passphrase.

Describe alternatives you've considered
The alternative is to specify the GPG key passphrase on the command line, and rely on GitHub to filter secret data from the build logs.

Complete attribute support for Servers, and Password is Optional

I tried to specify a custom server with a privateKey, but I got this error:

Error: servers must contain id, username and password

Alas, this is more strict than the actual servers definition.

Ideally, any legitimate server attribute should pass-through and password is optional, not required.

Support new OSSRH repository

Is your feature request related to a problem? Please describe.
When I use [email protected] in my project to generate settings.xml then to publish libs to Maven Central, as my project depends on another lib I published to the snapshot repository. The maven complains it cannot download it b/c https://s01.oss.sonatype.org/ is not in the repository list.

According to https://central.sonatype.org/publish/publish-guide/#releasing-to-central,

Note: As of February 2021, all new projects began being provisioned on https://s01.oss.sonatype.org/.

so sonatypeSnapshots: true will add https://oss.sonatype.org/ but not the new repo https://s01.oss.sonatype.org/ to the repository list, and they are not same in my experience.

Describe the solution you'd like
I propose a new configuration that works like the old sonatypeSnapshots: true, assuming we name it ossrhSnapshots: true, to add the new repository URL to the list.

There is maybe another way to do it. With the configuration sonatypeSnapshots: true, just add the new repository URL to the list, so that they are both in the list; the only thing the users need to do is to configure the server id.

Describe alternatives you've considered
I tried use a custom settings.xml in my source repo, then use mvn deploy -s ${GITHUB_WORKSPACE}/.github/workflows/settings.xml

Additional context
noop

servers merge

The setup-java action provides support for configuring a settings.xml:

    - name: Set up Apache Maven Central
      uses: actions/setup-java@v1
      with: # running setup-java again overwrites the settings.xml
        java-version: 1.8
        server-id: maven # Value of the distributionManagement/repository/id field of the pom.xml
        server-username: MAVEN_USERNAME # env variable for username in deploy
        server-password: MAVEN_CENTRAL_TOKEN # env variable for token in deploy
        gpg-private-key: ${{ secrets.MAVEN_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
        gpg-passphrase: MAVEN_GPG_PASSPHRASE # env variable for GPG private key passphrase

One should be able to use this action to update settings.xml. I believe the two options are skip and override, but ideally there is a merge option too so that one could use this action to add a new server record to an existing settings.xml.

Allow adding a custom repository to the settings.xml

Is your feature request related to a problem? Please describe.
Unless I have misunderstood things, I think that this action assumes you add your repository to your pom.xml and just define the authentication part in the settings.xml. However, it is not such a good idea to add custom repository URLs in your Maven build file (See https://blog.sonatype.com/2009/02/why-putting-repositories-in-your-poms-is-a-bad-idea/).

Describe the solution you'd like
I would like a way to have the action generate a settings.xml that has repository entries. Ideally, it would generate something like this:

<settings xmlns="http://maven.apache.org/SETTINGS/1.0.0"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.0.0
                      http://maven.apache.org/xsd/settings-1.0.0.xsd">

  <activeProfiles>
    <activeProfile>github</activeProfile>
  </activeProfiles>

  <profiles>
    <profile>
      <id>github</id>
      <repositories>
        <repository>
          <id>central</id>
          <url>https://repo1.maven.org/maven2</url>
        </repository>
        <repository>
          <id>github</id>
          <url>https://maven.pkg.github.com/MyOrganisation/MyProject</url>
          <snapshots>
            <enabled>true</enabled>
          </snapshots>
        </repository>
      </repositories>
    </profile>
  </profiles>

  <servers>
    <server>
      <id>github</id>
      <username>GITHUB_ACTOR</username>
      <password>GITHUB_TOKEN</password>
    </server>
  </servers>
</settings>

Question on secrets

You have

steps:
- uses: s4u/[email protected]
  with:
    servers: '[{"id": "serverId", "username": "username", "password": "password"}]'

Can secrets specified in the repository be passed into that? i.e. with "${{ secrets.username }}" syntax?
