How can we limit package publishing? #25938
From what I read:
This is fine for experienced teams, but we can see how this could go wrong when people aren’t experienced with packages and we’d like to limit publishing to certain users for the moment - and eventually, limit publishing to automation through actions. What advice/suggestions are there for limiting publishing? Is this on the roadmap?
Replies: 2 comments
Thanks @weide-zhoo, This is definitely the answer I needed - but it’s unfortunate that there isn’t a little more control over package publishing right now. Thanks again for your time!
Hi @mrmckeb,

Glad to see you in GitHub Community Forum!

Typically there are two kinds of token for customer to publish a package.

1. GITHUB_TOKEN. It has read:packages and write:packages scopes to the current repository by default (doc here); it’s only used in GitHub Actions.
2. Personal access token. If the token doesn’t have write:packages scopes, it cannot be used to publish a package. Please refer to the official doc for more details.

Hence, if the customer has write permission to a repository, he/she can use GITHUB_TOKEN in GitHub Actions to publish a package, but is limited with a PAT token which doesn’t have write:packages scope.

Cannot limit package publishing in this case.

Thanks
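
Added example, not part of the original thread or of GitHub's reply: a workflow that uses the `permissions` key to give GITHUB_TOKEN read-only package access by default and the write:packages scope only in the one job that publishes. The file name, job names, release trigger and the choice of an npm package are assumptions made for illustration.

```yaml
# .github/workflows/publish.yml (assumed file name)
name: publish-package

on:
  release:
    types: [published]   # assumed trigger: publish only when a release is published

# Workflow-wide default: GITHUB_TOKEN can read the repository and packages,
# but cannot publish.
permissions:
  contents: read
  packages: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the read-only default above.
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test

  publish:
    needs: test
    runs-on: ubuntu-latest
    # Only this job's GITHUB_TOKEN is granted write access to packages.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://npm.pkg.github.com
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

This narrows what each job's token can do, not who may publish: anyone with write permission to the repository can still change the workflow file, which matches the answer above.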