Hi @dberringer – I’m on the Github Packages team and can help you out here.

Right now, npm package permissions are driven off the permissions of the repository to which they belong. Users can rely on personal access tokens to authenticate with Github Registry.

In your use case, you could add the user to the repository (read would be enough if they are just consuming the package), and then remove them later once the access is no longer needed. I’m not sure this 100% satisfies your use case though. We are, however, working on a more robust permissions model, so these items are on the roadmap.

Hey @whitneyimura. Thanks for the response. Can you confirm there is currently no way to create and/or rotate personal access tokens on an account except by manually doing so in the UI. Is that correct? Thanks

Thanks for confirming. Controlling access programmatically opens up some interesting use cases and would be a great addition to a future release. Thanks.

Hi @whitneyimura - I’d be interested in leveraging Github Packages in the same scenario @dberringer has described, so providing external customers (some of whom might not even have Github accounts) with access to private NPM modules but without having to provide them with access to the repository itself. The reason for this is that the repository itself would be a mono-repo hosting code for a number of external customers, so I’d like to be able to configure what customers can access which packages.

I’m glad to hear that a more robust permissions model is on the roadmap, so I’d be keen to learn if you think it would support the scenario I described? And if so, do you happen to know when it would available?

Hi @whitneyimura I’m interested in private npm modules distribution as well, is the feature in your roadmap?

Thanks,
Luca