Deviating Permissions for Package and Repository

Our team is in the process of switching to Github and using the GPR for deploying our packages. 
The documentation states: 

Manage permissions in one place

Packages in GitHub inherit the permissions of the repository, and you no longer need to manage third party solutions and sync team permissions across systems

This is generally a good idea and saves a lot of time, but we have certain situations where we want to share a private package with another development team, but not the source code itself. Since permissions are being synced, I wonder if it is possible to archieve the desired behaviour and how. 

I have spent quite some time trying to figure out how to set up permissions for such a scenario, but so far nothing worked. Any ideas on how to archieve this? 

Thank you in advance for any help!

Hi @saltcreek-alex,

Thanks for being here! Accessibility of packages is tied to the visibility of the repository to which they are published. If a user has read access on the repository, then they will be able to install these packages, if they have write access on the repository then they will be able to publish new packages, as well as new versions of existing packages. If a repository is public, then the package is public, if the repository is private, the package is private.

As a work around you might want to consider creating a specific repository that is private in your organisation here and publishing packages to this.

1 Like

Hi @andreagriffiths11,

thank you for your response.
We have already implemented this workaround and it works. I still feel like there should be a more convenient way to configure package and repository access independently from each other, perhaps in a future version.

Thank you for your time and help,