How to publish to only one organisation package repository

Hi,

I’m an admin (and owner) of several organisations.
I’m setting up the workflow for one repository of one organisation.
The only way I found to publish (with Maven) in one repository was to generate a personal token and use my own account.
This token has limited OAuth scopes, but I can’t find a way to restrict the token to an organisation/repository.

Is there a way to use a technical account and token to publish with a limited scope (OAuth & repo/orga)? I didn’t succeed in using the GITHUB_TOKEN secret by following the docs I found on this subject.

If not possible, is there a way to limit my personal key to a subset of my own repositories?

Thanks for your help,
Philippe

PS: It’s my first experience with Actions & Workflows; I’m really more familiar with GitLab concepts.

@pkernevez,

When you create a personal access token (PAT), there is no method to limit the scope of this PAT to a specific organization or repository. What you can choose is to limit the scope to private repositories or public repositories or all repositories on your organisations and user account. For more details, see “Available scopes”.

The permissions of the GITHUB_TOKEN are limited to the repository that contains your workflow.
That means the GITHUB_TOKEN is only available to the repository where the workflow is running. You can’t use it to access other repositories in the workflow.

Thanks for your response.

I finally found the right way to use the github_token; the documentation proposes many ways but not of them are right (or complete, in fact).

I had to:

  1. Define a settings.xml file:
<settings>
    <servers>
        <server>
            <id>github_release</id>
            <configuration>
                <httpHeaders>
                    <property>
                        <name>Authorization</name>
                        <value>Bearer ${env.GITHUB_TOKEN}</value>
                    </property>
                </httpHeaders>
            </configuration>
        </server>
    </servers>
</settings>
  1. Use the right distribution repositories (and replace $org and $repo with your real organisation and repository):
    <distributionManagement>
        <repository>
            <id>github_release</id>
            <url>https://maven.pkg.github.com/$org/$repo</url>
        </repository>
        <snapshotRepository>
            <id>github_release</id>
            <url>https://maven.pkg.github.com/$org/$repo</url>
        </snapshotRepository>
    </distributionManagement>
  1. Use the right parameter for the Maven command in the action:
    - name: Publish to GitHub Packages Apache Maven
      run: mvn -s ${GITHUB_WORKSPACE}/maven/settings.xml -B deploy
      working-directory: java
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        GITHUB_WORKSPACE: ${{ github.workspace }}
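
The three steps above only work together if the `<server>` id in settings.xml matches the ids under `<distributionManagement>`, the registry URL names the repository the workflow runs in (the only one GITHUB_TOKEN can reach), and the token comes from the environment instead of being written into the file. The following check is an added example, not part of the thread and not GitHub or Maven tooling; the function names and the `example-org` / `example-repo` values are assumptions, and the sample XML is constructed.

```python
import re
import xml.etree.ElementTree as ET

ENV_REF = re.compile(r"^Bearer \$\{env\.[A-Za-z_][A-Za-z0-9_]*\}$")
PKG_URL = re.compile(r"^https://maven\.pkg\.github\.com/([^/]+)/([^/]+)/?$")

def _parse(xml_text):
    # Drop XML namespaces so files with or without the Maven xmlns both work.
    root = ET.fromstring(xml_text)
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    return root

def check_publish_config(settings_xml, pom_xml, org, repo):
    """Return a list of problems; an empty list means the two files agree."""
    problems, auth = [], {}
    for server in _parse(settings_xml).iter("server"):
        for prop in server.iter("property"):
            if prop.findtext("name") == "Authorization":
                auth[server.findtext("id")] = (prop.findtext("value") or "").strip()
    pom = _parse(pom_xml)
    for kind in ("repository", "snapshotRepository"):
        node = pom.find(f"distributionManagement/{kind}")
        if node is None:
            continue
        rid, url = node.findtext("id"), (node.findtext("url") or "").strip()
        m = PKG_URL.match(url)
        if not m or (m.group(1).lower(), m.group(2).lower()) != (org.lower(), repo.lower()):
            problems.append(f"{kind}: {url!r} is not the {org}/{repo} registry")
        if rid not in auth:
            problems.append(f"{kind}: no <server> id {rid!r} with an Authorization header")
        elif not ENV_REF.match(auth[rid]):
            problems.append(f"server {rid!r}: token is not an ${{env.*}} reference")
    return problems

# Constructed sample files; example-org / example-repo are placeholders.
def settings(value):
    return ("<settings><servers><server><id>github_release</id><configuration>"
            "<httpHeaders><property><name>Authorization</name>"
            f"<value>{value}</value></property></httpHeaders>"
            "</configuration></server></servers></settings>")

def pom(repo_id, url):
    return ("<project><distributionManagement><repository>"
            f"<id>{repo_id}</id><url>{url}</url>"
            "</repository></distributionManagement></project>")

URL = "https://maven.pkg.github.com/example-org/example-repo"
if __name__ == "__main__":
    print(check_publish_config(settings("Bearer CONSTRUCTED-LITERAL"),
                               pom("github", URL), "example-org", "example-repo"))
```

Run it as a pre-merge step against the real settings.xml and pom.xml contents; a non-empty result means the deploy would either fail to authenticate or would carry a token in the repository.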