Error Code 403 Forbidden: Cannot resolve package dependency for a package scoped to a public repository of an Organization with Gradle & Android Studio

[kthieuJHA]

Select Topic Area

Question

Body

I am developing an Android library module that I published to my organization's public repository successfully months ago. Following an implementation guide for Gradle where we attempt to implement this module in another Android app in Android Studio through the use of Github Packages and a PAT with read:packages scope permission and no authorization to the organization on Github; basically a public non-affliate who wants to download and use my module. That same person is unable to resolve the dependency; attempting to find the reason with './gradlew build' in Terminal shows that they received a 403 code Forbidden from the server. This shouldn't be the case from what I understand though: the package is scoped to its repository(Gradle or Maven registry is repository scoped only with Github Packages if I recall correctly) and the repository is a public one, albeit belonging to an Organization that required authenticating a PAT with write permissions for its developers like myself. Am I missing anything from the below implementation for that person to successfully resolve the dependency in their Android app?

libs.version.toml (unrelated dependencies are omitted in this sample code)
`[versions]
moduleVersion = "1.3.0"

[libraries]
groupid-artifactid = { group = "groupid", name = "artifactid", version.ref = "moduleVersion" }

[plugins]
android-application = { id = "com.android.application", version.ref = "agp" }
kotlin-android = { id = "org.jetbrains.kotlin.android", version.ref = "kotlin" }
kotlin-compose = { id = "org.jetbrains.kotlin.plugin.compose", version.ref = "kotlin" }`

settings.gradle.kts
dependencyResolutionManagement { repositoriesMode.set(RepositoriesMode.FAIL_ON_PROJECT_REPOS) repositories { google() mavenCentral() maven { url = uri("https://maven.pkg.github.com/organization_name/repository_name") credentials { username = "github_user" password = "github_PAT" } } } }

build.gradle.kts (app module) (unrelated dependencies again omitted)
dependencies { implementation(libs.groupid.artifactid) }

Below is what is returned when running ./gradlew build command in terminal

Task :app:checkDebugAarMetadata FAILED

FAILURE: Build failed with an exception.

• What went wrong:
  Execution failed for task ':app:checkDebugAarMetadata'.

Could not resolve all files for configuration ':app:debugRuntimeClasspath'.
Could not resolve com.groupid:artifactid:1.3.0.
Required by:
project :app
> Could not resolve com.groupid:artifactid:1.3.0.
> Could not get resource 'https://maven.pkg.github.com/organization/repository/com/groupid/artifactid/1.3.0/module-1.3.0.pom'.
> Could not GET 'https://maven.pkg.github.com/organization/repository/com/groupid/artifactid/1.3.0/module-1.3.0.pom'. Received status code 403 from server: Forbidden

• Try:

Run with --stacktrace option to get the stack trace.
Run with --info or --debug option to get more log output.
Run with --scan to get full insights.
Get more help at https://help.gradle.org.

BUILD FAILED in 2s
1 actionable task: 1 executed

Any explanations, tips, and or solutions would be greatly appreciated as this is a roadblock for my team to proceed. Thank you.

[its-avdhesh]

---

Hi! Thanks for providing such a well-detailed description — this helps a lot in narrowing down the problem.

🔍 Quick Summary of the Issue

You're using GitHub Packages (Maven registry) to publish an Android library to a public GitHub repository under an organization, and trying to let non-affiliated public users consume it via a PAT with read:packages scope. However, they're receiving a 403 Forbidden error during dependency resolution.

---

✅ Key Points to Check and Resolve

1. Access Rules for GitHub Packages in Organizations

Even if the repository is public, GitHub Packages under an organization still requires authentication via PAT, even for read access.
Also, there are organization-level settings that might restrict access to GitHub Packages by default.

🔐 By default, unauthenticated users (or users without explicit access) may get 403 Forbidden, even if the repository is public.

---

2. Organization Settings Might Be the Real Blocker

Go to your GitHub organization’s settings:

• 🔧 Navigate to: https://github.com/organizations/<your-org>/settings/packages

• Look under: Package access policies

• Make sure that:

  • ✅ Public access is enabled for packages in that repo

  • ✅ "Require SSO" or internal-only access is not enabled

  • ✅ The person’s PAT is not expired or improperly scoped

---

3. PAT Must Be for a User with at Least Read Access to the Repo

Even though the package is public, the Maven registry still requires credentials. Make sure:

• The GitHub username and PAT belong to a valid GitHub account

• The PAT has at least read:packages

• The user is not being blocked by a lack of org-level access, even indirectly

---

4. Use This Gradle Block Carefully

Make sure this part of your settings.gradle.kts has the correct repo name, org name, and credentials, especially with quotes:

maven {
    url = uri("https://maven.pkg.github.com/organization_name/repository_name")
    credentials {
        username = "github_username" // not a token literal
        password = "github_PAT" // not expired and has read:packages
    }
}

✅ Tip: Do not hardcode the actual token in public code — use Gradle properties or environment variables.

---

🧪 Optional Debug Tips

1. Run with --info to get more detail:

   ./gradlew build --info
   

2. Check whether the .pom file can be accessed directly via curl:

   curl -u username:token https://maven.pkg.github.com/org/repo/com/groupid/artifactid/1.3.0/artifactid-1.3.0.pom
   

---

✅ Recommended Fix Summary

✅ Item	Explanation
PAT must have read:packages scope	Required even for public org packages
Org must allow public package access	Can be restricted at org level (check settings)
Repo name must match exactly	Case-sensitive URLs
Use full Maven coordinates	Make sure your TOML/groupId/artifactId/version align properly
Authenticate using actual GitHub username	Not token as username (for Maven, it's real username + PAT)

---

Let me know if you'd like help testing with a minimal repo setup or sharing a sample build.gradle.kts using properties for credentials securely.

Happy to help debug further if needed!

---

[kthieuJHA]

We followed all the conventions that should have normally been enough to avoid this 403, but we still had the issue. Until, and this might be unrelated but it has proven to work: we logged out of Github of all accounts prior to attempting the gradle sync to resolve the dependency in Android Studio, and out of 2 attempts, both of them were successful. Perhaps there is some cookie or cache in our work macbooks that is preventing us from resolving the dependency properly...

Also, we double checked all the scopes of the package; they should be public because the repository is public. I don't think I personally have access to see Package access policies to verify step 2. Might have to reach out to someone in my company to investigate these on my behalf.

So for the time being, we are chalking this up to our macbooks being blocked due to some system credentials or session blocking our connection with gradle to github packages. But lets wait a few days to see if this question can be marked as resolved.

Please let me know what you think about our observations above as well if you can, we would appreciate it.

[jizzbuttxxx]

WHEN IS THIS BULLSHIT GONNA BE FIXED NOBODY GIVES A DAMN WHAT THE HELL THEY SIT AROUND DOING NOTHING BUT SCREWING UP APP FOR ROKU AND EVERYTHING EVERYWHERE WHEN IS THIS GOING TO BE FIXED NO SOLUTION NO PLANS ON FIXING IT THE HELL GET WHOEVER IS RESPONSIBLE FOR DISABLING GOOGLE PHOTO VIEW APP AND HAVE THEM EITHER FIX IT OR FIRE THEM BRING IN ANOTHER TEAM OF PROFESSIONALS USING AI THAT IS BULLSHIT I MEAN

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬