GitHub Packages not showing up in Organization Packages UI

Our GH organization cannot see any packages, even though our CI is able to push and pull from packages. This has been the case ever since we were on GHCR private beta.

  1. We’ve been on the private beta for container registry, where our URLs were containers.pkg
  2. We just switched to the public beta and changed the URLs to ghcr
  3. We’re also not able to open this URL in the browser: https://github.com/orgs/$ORG/packages/container/$CONTAINER_NAME
  4. Our CI is able to pull/push to images ghcr.io/$ORG/$CONTAINER_NAME

Any thoughts on what might be going on?

Hi @varunsrin! Could you share the organization name or connect with us via support so we can investigate?

One common issue we’ve seen when organizations use a PAT from bot accounts is that only the bot can see the container image, because all images default to private and only the bot can see them. If this is the case you can log in as the bot and add a team or users with read access to the container via that URL.

Just to make sure I’m understanding correctly: As an organization, we have to use a bot account to publish packages because we need a PAT and cannot use the passed-in GITHUB_TOKEN, but at the same time, packages published are only visible to the bot account and not the organization? So for every package we have to manually log in with the bot account and edit permissions?

Is this intended or will this be fixed at some point?

Currently PATs are required for access to GHCR. You do not have to use a bot account to publish packages; that is only a common pattern. Any user within the organization can create a PAT with the read:packages and write:packages scopes and create or write to containers. But right now you cannot use the GITHUB_TOKEN from Actions to authenticate against GHCR.

The first user to create a container is granted admin access and containers default to private visibility such that if you did use a bot account to create containers the bot is the only one with admin and is the only account who can see the private image.

There are two fixes coming. First we’re working on changes to the visibility that will simplify finding and sharing the images. And we’re also working on a way to use the Actions GITHUB_TOKEN to auth against GHCR such that PATs won’t be necessary.

Thanks, that makes sense. Using an employee’s PAT instead of a bot account seems like a somewhat dangerous approach so I would rather not do that. The admin privilege isn’t really a problem, but having a way to change the default visibility to everyone in the organization would be great!