For personal users, a personal access token makes sense, e.g. reading from @yanneves/my-package in a personal repository. But for organisations, a personal access token is not restricted to one organisation, so I could compromise another organisation’s private packages by using the token for one organisation. Plus, if the personal access token owner leaves the organisation, dependent actions would suddenly fail. I’d consider the personal access token to be a dangerous and unsupported workaround.
A safer workaround is to use a dedicated automation user (e.g. my-org-bot) to house these personal access tokens. This was common practice on legacy organisation accounts but will come at a premium (per-user pricing) on current organisation accounts, required for private repository actions and packages. At the moment, this implementation to use GitHub Actions with private GitHub Packages is not fit-for-purpose for organisations.
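As an added illustration (not part of the original comment, and not an official GitHub configuration), this is what the dedicated-automation-user workaround looks like in a workflow. It assumes the bot user `my-org-bot` owns a personal access token limited to the `read:packages` scope, that the token is stored as a secret named `ORG_BOT_TOKEN` (the secret name and the `@my-org` package scope are assumptions), and that the private package is published to the GitHub Packages npm registry. The token only reaches the `npm ci` step as an environment variable and is never committed to the repository, so rotating it when the bot's token changes means updating one secret rather than any workflow files.

```yaml
# Added example workflow (not from the original comment). Assumptions:
#  - a dedicated automation user (e.g. my-org-bot) owns a personal access token
#    with only the read:packages scope
#  - that token is stored as the repository or organisation secret ORG_BOT_TOKEN
#    (the secret name is an assumption)
#  - the private package is published under the @my-org scope (assumed) on the
#    GitHub Packages npm registry
name: ci
on: [push, pull_request]

# The workflow's own GITHUB_TOKEN needs nothing beyond reading the checkout.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # setup-node writes an .npmrc that routes the @my-org scope to the
      # GitHub Packages registry and reads the auth token from NODE_AUTH_TOKEN
      # at install time, so no token is ever written into the repository.
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://npm.pkg.github.com
          scope: '@my-org'

      # The bot's read-only token is exposed only to this step, via the
      # environment, and only for the duration of the install.
      - run: npm ci
        env:
          NODE_AUTH_TOKEN: ${{ secrets.ORG_BOT_TOKEN }}
```

Keeping the bot's token to `read:packages` limits what a leaked secret can do to reading packages the bot can already see, and because the bot belongs to the organisation rather than to an individual, the install does not break when a person leaves.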