How can we limit package publishing?

From what I read:

  • anyone with write permissions for a repository can publish a new package to that repository
  • anyone with write permissions can publish a new package version

This is fine for experienced teams, but we can see how this could go wrong when people aren’t experienced with packages and we’d like to limit publishing to certain users for the moment - and eventually, limit publishing to automation through actions.

What advice/suggestions are there for limiting publishing? Is this on the roadmap?

Hi @mrmckeb,

Glad to see you in the GitHub Community Forum!

Typically there are two kinds of token a customer can use to publish a package.

  1. GITHUB_TOKEN. It has the read:packages and write:packages scopes for the current repository by default (doc here); it is only used in GitHub Actions.

  2. Personal access token. If the token doesn't have the write:packages scope, it cannot be used to publish a package. Please refer to the official doc for more details.

Hence, if the customer has write permission to a repository, he/she can use GITHUB_TOKEN in GitHub Actions to publish a package, but is limited only when using a PAT which doesn't have the write:packages scope.

Package publishing cannot be limited in this case.

Thanks
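For reference, this is what publishing with the workflow's GITHUB_TOKEN, as described in the answer above, looks like in practice. It is an added example and not code from the thread: an npm package published to GitHub Packages from a GitHub Actions workflow, with the job's GITHUB_TOKEN trimmed via the `permissions` block to `contents: read` and `packages: write` so the token carries only what publishing needs. The trigger on a published release, the Node version and the package contents are assumptions for illustration.

```yaml
# Added example (not from the forum thread): publish an npm package to GitHub Packages
# from GitHub Actions using GITHUB_TOKEN instead of a personal access token.
name: publish-package

on:
  release:
    types: [published]     # assumption: publishing happens when a GitHub Release is published

# Trim the workflow's GITHUB_TOKEN to the minimum the job needs.
permissions:
  contents: read           # check out the repository
  packages: write          # the write:packages ability the answer above refers to

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # setup-node writes an .npmrc that points at GitHub Packages and reads the
      # auth token from NODE_AUTH_TOKEN at publish time.
      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumption: any supported Node version works
          registry-url: https://npm.pkg.github.com

      - run: npm ci

      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Two points worth checking before relying on this: the package name in package.json must be scoped to the repository owner (for example `@owner/name`) or GitHub Packages rejects the publish, and this workflow only governs what the automation can do; as the thread notes, a user who already has write access to the repository can still publish with a personal access token that carries the write:packages scope.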

Thanks @weide-zhoo,

This is definitely the answer I needed - but it’s unfortunate that there isn’t a little more control over package publishing right now.

Thanks again for your time!

So, there’s no way at this time to limit who can publish?

Basically, if you have Write permissions you are always able to create a PAT and push whatever you want, but we have branch protections for SOX compliance reasons, and it seems to go against that if anyone can simply publish a package by manually creating their own token.

Is there a way around this?