The repo scope doesn’t actually fix the larger issue for open source projects –
The scope is great for private repositories, but it shouldn’t be required for a public one.
I agree, scopeless tokens should grant read-only access to public information. Unfortunately this isn’t the way it’s implemented at the moment.
This prevents open-source projects from relying on GitHub artifacts, as we can’t rely on everyone having a GitHub token set up for their projects.
I’ve created a workaround for this that allows PATs with the read:packages scope to be included in public projects. The idea is to encode the PAT so that it isn’t automatically deleted by GitHub when pushed to a public repository.
If you have Docker installed, you can use it like this:
```
$ docker run jcansdale/gpr encode READ_PACKAGES_TOKEN
An encoded token can be included in a public repository without being automatically deleted by GitHub.
These can be used in various package ecosystems like this:

A NuGet `nuget.config` file:
<packageSourceCredentials>
  <github>
    <add key="Username" value="PublicToken" />
    <add key="ClearTextPassword" value="READ_PACKAGES_TOKEN" />
  </github>
</packageSourceCredentials>

A Maven `settings.xml` file:
<servers>
  <server>
    <id>github</id>
    <username>PublicToken</username>
    <password>READ_PACKAGES_TOKEN</password>
  </server>
</servers>

An npm `.npmrc` file:
@OWNER:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken="\u0052\u0045\u0041\u0044\u005f\u0050\u0041\u0043\u004b\u0041\u0047\u0045\u0053\u005f\u0054\u004f\u004b\u0045\u004e"
```
This is a bit of a hack, but it does seem to work. You can find a Maven example here:
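
Added example, not part of the original post or of the gpr tool: the `.npmrc` line above shows the token stored as `\uXXXX` escapes, which any reader can decode, so a repository audit should normalize such escapes before matching token patterns. The `gh?_` token pattern, the XML numeric-reference handling (a generalization beyond the escape form shown in the post) and the sample file are assumptions constructed for illustration.

```python
import re

# \uXXXX escapes, the form shown in the .npmrc line quoted in the post.
_U_ESCAPE = re.compile(r"\\u([0-9a-fA-F]{4})")
# Numeric XML character references (&#82; / &#x52;). Assumption: the same
# idea applied to nuget.config or settings.xml would look like this.
_XML_REF = re.compile(r"&#(x[0-9a-fA-F]{1,6}|[0-9]{1,7});")
# Assumption: prefixed GitHub token format (ghp_, gho_, ghu_, ghs_, ghr_).
TOKEN = re.compile(r"gh[pousr]_[A-Za-z0-9]{36}")


def normalize(text):
    """Decode \\uXXXX escapes and numeric XML references to plain characters."""
    def from_u(m):
        return chr(int(m.group(1), 16))

    def from_xml(m):
        ref = m.group(1)
        cp = int(ref[1:], 16) if ref[0] == "x" else int(ref)
        # Leave out-of-range references untouched instead of raising.
        return chr(cp) if cp <= 0x10FFFF else m.group(0)

    return _XML_REF.sub(from_xml, _U_ESCAPE.sub(from_u, text))


def find_encoded_tokens(text, pattern=TOKEN):
    """Return (line_number, token) for tokens that match only after decoding."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        visible = set(pattern.findall(line))
        for token in pattern.findall(normalize(line)):
            if token not in visible:
                hits.append((number, token))
    return hits


# Constructed sample: a fake token, escaped the way the post's .npmrc shows.
FAKE_TOKEN = "ghp_" + "A" * 36
ESCAPED = "".join(f"\\u{ord(c):04x}" for c in FAKE_TOKEN)
SAMPLE_NPMRC = (
    "@OWNER:registry=https://npm.pkg.github.com\n"
    f'//npm.pkg.github.com/:_authToken="{ESCAPED}"\n'
)

if __name__ == "__main__":
    for number, token in find_encoded_tokens(SAMPLE_NPMRC):
        print(f"line {number}: encoded token {token[:8]}...")
```

Any token found this way is readable by everyone with access to the repository, so it should be treated as public and limited to the `read:packages` scope the post describes.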