From what I read:
- anyone with write permissions for a repository can publish a new package to that repository
- anyone with write permissions can publish a new package version
This is fine for experienced teams, but we can see how this could go wrong when people aren’t experienced with packages and we’d like to limit publishing to certain users for the moment - and eventually, limit publishing to automation through actions.
What advice/suggestions are there for limiting publishing? Is this on the roadmap?