The co I'm at separates repository access to different teams, and because we're using GitHub Packages - the access to Maven artifacts is also restricted.

I see, so Github packages basically solves this problem?! Although it does really lock you in to Github Actions as the transfer cost is very high (We have uberjars easily 1GB).

Cost is not my problem (anymore) so can't comment on that. Also, I'm really curious why do you store uberjars in Maven - I assume these aren't applications, but libraries with extra resources?

as for the lock in, it's a myth - I moved ~50 projects from Circle to GHA - it took a week and we were up and running just fine 🤷

Oops, I didn’t mean lock in that way. I’m sure we can move our cicd pipeline around easily. It’s just that GH Packages - charges a high cost if your workers are outside of GitHub (our workers are because we find the GitHub ones too slow and have no local caching), so if you want benefit of packages you are highly incentivized to use GitHub action workers too (because of the transfer costs). We might store the Uber jars in maven so they can be redeployed to servers without rebuilding. Even if we use non uberjars - it could be 100s of mbs of data transfer each build.

Right right

Other approach that could be cost effective and have better access controls is to use S3 + IAM + AWS SSO

so only users authorized to SSO into given account can push/pull artifacts into S3 via S3 Wagon - I'm theorizing here as I never used S3 for maven storage

but we do use AWS SSO and multiple accounts a lot, for different things - and it's a nice access barier

also, you can move to Docker and use ECR (definitely not GH Packages, their docker image repo is super limited, at least last time I used it)

but I'm just speculating, I don't know much about your setup :-)