Ya, from a security perspective we would like to be using the OAuth App at least, instead of spending $21/m to have a forever-token just to pull node packages in CI.
Thanks, Mickey, for following up about this and getting some answers. Even if you can’t share much publicly, that’s still helpful.
I will continue to monitor this thread, so if there are any updates in the future that you can share publicly, please do so when you get a chance. It definitely would be a great improvement if this was resolved at some point.
This has just caused us a major PITA. PATs are really not the answer; I work across multiple orgs and I really don’t want to have to open that up using my PAT.
Please push this through ASAP so that a secrets.GITHUB_TOKEN is org-scoped.
Wow, this is crazy. I don’t understand the use case for a token scoped to the repo for packages. An org-wide token can at least install reusable code from another repo within the org, which is something we often do. If you are in the same repo, you’re probably using direct references. The GitHub token is, for all intents and purposes, useless.