Here’s the premise:
- A GitHub action is run to push NuGet packages to GitHub Packages.
- The action is “dotnet nuget push **/*.nupkg”, and two packages match the wildcard.
- The packages are new and thus not yet listed in GitHub Packages.
- The package feed is owned by my org.
- The repo executing the action is owned by my org.
- I am an owner of the org.
- The repo executing the action is not a fork.
- If the token used to push is GITHUB_TOKEN (which is IIRC repo-scoped), nuget push will first emit a warning
warn : Resource not accessible by integration
then an error:
error: Response status code does not indicate success: 403 (Forbidden).
There are other repos in the org pushing to GitHub Packages using GITHUB_TOKEN, which works just fine. However, the packages they push are all already known - only new versions are pushed.
The GITHUB_TOKEN has the default, non-restricted permissions. This is reflected by the output of the action:
- If the token used to push is a PAT that I create with write:packages scope, nuget push will first emit a warning
warn : danielcweber does not have the correct permissions to execute
then fail with the same 403 error.
This is not an inherent error of GitHub Actions - the PAT isn’t able to push from my local machine either.
The "permissions to execute CreatePackageVersion" warning indicates that it’s probably somehow related to those packages being new. Again, my PAT should be valid because I am an owner of the org. I also tested a PAT that has all the scopes there are, to no avail.
I read a lot about GITHUB_TOKEN limitations here on the board, and using a PAT is almost always presented as a workaround. Here, unfortunately, it won’t work either.
Thanks a lot.