Can't push new nuget packages to Github packages

Hello,

here’s the premise:

  • A Github action is run to push NuGet packages to Github packages.
  • The action is “dotnet nuget push **/*.nupkg”, and two packages match the wildcard.
  • The packages are new and thus not yet listed in Github packages.
  • The package feed is owned by my org.
  • The repo executing the action is owned by my org.
  • I am an owner of the org.
  • The repo executing the action is not a fork.
  • If the token used to push is GITHUB_TOKEN (which is IIRC repo-scoped), nuget push will first emit a warning

warn : Resource not accessible by integration

then an error:

error: Response status code does not indicate success: 403 (Forbidden).

There’s other repos in the org pushing to Github packages using GITHUB_TOKEN, which works just fine. However, the packages they push are all already known - only new versions are pushed.

The GITHUB_TOKEN has the default, non-restricted permissions. This is reflected by the output of the action:

GITHUB_TOKEN Permissions
Actions: write
Checks: write
Contents: write
Deployments: write
Discussions: write
Issues: write
Metadata: read
Packages: write
PullRequests: write
RepositoryProjects: write
SecurityEvents: write
Statuses: write

  • If the token used to push is a PAT that I create with write:packages scope, nuget push will first emit a warning

warn : danielcweber does not have the correct permissions to execute CreatePackageVersion

then fail with the same 403 error.

This is not an inherent error of GitHub actions - the PAT isn’t able to push from my local machine either.

The "permissions to execute CreatePackageVersion" warning indicates that it’s probably somehow related to those packages being new. Again, my PAT should be valid because I am an owner of the org. I also tested a PAT that has all the scopes there are, to no avail.

I read a lot about GITHUB_TOKEN limitations here on the board, and using a PAT is almost always presented as a workaround. Here unfortunately, it won’t work either.

Thanks a lot.
Daniel