can't use GITHUB_TOKEN to restore Nuget Package from private repo in the same organization

It looks like GITHUB_TOKEN is fine for pushing the nuget package but I’m not able to use it when trying to restore a package coming from a different repo in the same organization. If I use my own account and PAT then the nuget package restore will work. Obviously having to use PAT is completely opposite to GITHUB_TOKEN and the least desirable of all the solutions. Is accessing packages from private repos all within a single organization a supported feature?


The GITHUB_TOKEN is automatically created by GitHub, and the permissions of this token are limited to the repository that contains your workflow. If you need a token that requires permissions that aren’t available in the GITHUB_TOKEN, you can create a personal access token and set it as a secret in your repository.

So, if your package is not pushed to the same GitHub repository where the workflow is hosted, the workflow is not able to download the package via the GITHUB_TOKEN.

For more details about GITHUB_TOKEN, see: https://help.github.com/en/actions/automating-your-workflow-with-github-actions/authenticating-with-the-github_token#about-the-github_token-secret

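The workaround the thread describes (a PAT stored as a repository secret instead of GITHUB_TOKEN), as an added example workflow that is not from the thread or from GitHub's docs. It assumes an organization named ORG_NAME, a secret named PACKAGES_READ_PAT holding a classic PAT limited to the `read:packages` scope, and PAT_OWNER_USERNAME as the GitHub username of the account that owns that PAT.

```yaml
# Added example (not from the thread): restore a NuGet package that another
# private repo in the same organization published to GitHub Packages.
# GITHUB_TOKEN is scoped to the repo running the workflow, so a PAT stored as
# a repository secret is used; keep it to the read:packages scope only.
# ORG_NAME, PACKAGES_READ_PAT and PAT_OWNER_USERNAME are assumed placeholders.
name: build

on: [push]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-dotnet@v3
        with:
          dotnet-version: '6.0.x'

      # Register the organization's GitHub Packages NuGet feed.
      # --store-password-in-clear-text is required by the NuGet client on Linux
      # (credential encryption is Windows-only); the secret value is still
      # masked in the workflow log because it comes from secrets.*.
      - name: Add GitHub Packages source
        run: |
          dotnet nuget add source "https://nuget.pkg.github.com/ORG_NAME/index.json" \
            --name github \
            --username "PAT_OWNER_USERNAME" \
            --password "${{ secrets.PACKAGES_READ_PAT }}" \
            --store-password-in-clear-text

      # Restore now succeeds for packages from other private repos in ORG_NAME.
      - run: dotnet restore
      - run: dotnet build --no-restore
```

Because the PAT outlives any single workflow run, treat it as a long-lived credential: scope it to read-only package access, use a dedicated machine account where possible, and rotate it.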

While I appreciate the clarification @brightran, genuinely, I do find it very limiting. It’s very common in a multi-repo (rather than mono-repo) architecture to have different packages hosted in different repos under the same organization.

This is not an edge case; I am genuinely surprised that this hasn’t caused more problems for people, perhaps people are just using private NPM repositories. We’ve just migrated off one to GitHub Packages and it’s working fine for the team themselves, but now our CI is broken.

Having to work around it as @rshillington mentioned by using a PAT is the biggest smell that this is broken and should be addressed.

As ever it’s always a question of priorities, but for an organization as passionate about GitHub, and serious about providing developers and organizations the best software development tools to work with, and with more than enough resources, I’m surprised Microsoft has seemingly dropped the ball here.

If something has changed in the last 8 months, then I apologise, it’s just frustrating after spending a lot of time migrating many packages over to GitHub Packages that something like this is possible.

I shouldn’t have assumed though that we could configure permissions for GITHUB_TOKENs across multiple repos under the same organization, that’s my fault.