GITHUB_TOKEN not allowing access to GPR packages from other repos

This doesn’t make any sense to me. After banging my head for a few hours attempting to set up a build for a private .NET Core repo that depends on a NuGet package from a sibling repo (under same org), I discovered the problem (as the docs confirmed) is that GITHUB_TOKEN doesn’t allow access to sibling repo packages when using GPR. That’s a huge miss it seems to me: almost every private org is going to have interdependencies between packages. The only solution I’ve found is to generate a PAT for my own user and use that, but that’s an obviously bad practice to have user-specific credentials in a shared build.

Am I missing something? Anyone else hit this issue too and have advice? We’ve evaluating replacing our Nexus instance with GitHub Packages, but issues like this are making it a hard sell. If there’s a feature request I could vote on/follow for this, please let me know!


It’s by designed, the GITHUB token’s permissions are limited to the repository that contains the workflow, cannot work for the brother repo. Please check official doc for more details. As you mentioned, use PAT as secrets is an alternative. According to the policy, you can raise a feed back ticket here: Thanks.

Running into the same issue