Read GitHub Packages permission for GitHub App? #24636

dgholz · 2020-06-01T17:05:09Z

dgholz
Jun 1, 2020

Hello, I’m looking at the list of permissions that an App can be granted and I can’t see one which would allow my app to fetch packages from a repo. Is there a permission I can grant my app to fetch packages from repos/orgs it’s installed into?

Answered by francisfuzz

Jun 5, 2020

👋 Hello, @dgholz ! Welcome to the GitHub Community Forum––we’re glad to see you post this question here. 👍

Permissions on “packages” is not currently available for all¹ GitHub Apps (see GitHub Apps Permissions for more details).

We’re always working to improve GitHub and the GitHub Support Community, and we consider every suggestion we receive. Would you mind submitting this through our official product feedback form so that our product team can track your request?

It may be worth noting that you can use either of these tokens to authenticate with GitHub Packages:

a personal access token with the read:packages scope.
the GITHUB_TOKEN that GitHub automatically creates for your repository…

View full answer

francisfuzz · 2020-06-05T18:27:32Z

francisfuzz
Jun 5, 2020

👋 Hello, @dgholz ! Welcome to the GitHub Community Forum––we’re glad to see you post this question here. 👍

Permissions on “packages” is not currently available for all¹ GitHub Apps (see GitHub Apps Permissions for more details).

We’re always working to improve GitHub and the GitHub Support Community, and we consider every suggestion we receive. Would you mind submitting this through our official product feedback form so that our product team can track your request?

It may be worth noting that you can use either of these tokens to authenticate with GitHub Packages:

a personal access token with the read:packages scope.
the GITHUB_TOKEN that GitHub automatically creates for your repository when you enable GitHub Actions (see About GitHub Packages with GitHub Actions and Permissions for the GITHUB_TOKEN for more details).

We hope this helps!

¹ At this time of writing, the GITHUB_TOKEN from GitHub Actions is an installation token associated with a GitHub App owned by GitHub and is the only GitHub App with access to packages.

0 replies

dgholz · 2020-06-11T12:00:12Z

dgholz
Jun 11, 2020
Author

Thanks, that’s helpful. I used an Action and its token to fetch packages from my org, but I see today that it’s failing to see private packages (published on other repos in our org). Last week it was working fine, was the scope of the token’s access to GitHub Packages changed recently?

0 replies

glloydcorecard · 2022-03-29T19:42:52Z

glloydcorecard
Mar 29, 2022

Would love to actually see GitHub Applications have permissions to Read/Write to packages. We are currently trying to leverage the GITHUB_TOKEN when leveraging a maven parent. However, it fails to download the package. The only solution we have found so far it leverage a user PAT which is not a tenable solution.

Additionally in the workflow we did set the package permission to write and it was still unable to download the package.

0 replies

kshiftw · 2023-06-12T16:50:48Z

kshiftw
Jun 12, 2023

Github Support confirmed that it is still not possible to authenticate with a GitHub App token on the GitHub Package Registry:

You cannot authenticate with a GitHub App token on the GitHub Package Registry.

This is a pain point for other GitHub users as well and the Packages team is looking into supporting GitHub App installation tokens for authenticating to the Package Registry. There is an open internal feature request for this functionality, I have added your voice to it. This is not on our public roadmap yet, so I do not have a link for you to follow the progress. However, we usually announce such features as they become available on the [ChangeLog](https://github.blog/changelog/) page of our [Blog](https://github.blog/).

If you are using GitHub Actions for your builds, you can use the GITHUB_TOKEN available on each workflow run.

https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions

If not, you'll need to [create a personal access token(classic)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) with the packages scope to access the packages.

3 replies

loki666 Oct 13, 2023

It's not clear to me...

Can a workflow running on repo A access the maven package repository on private repository B using GITHUB_TOKEN?

Both repositories are part of the same org.

Thanks

cs-fokko Oct 13, 2023

Not clear for me as well. For NPM packages we can set access rights for different private repos in the org but not for Maven. Moreover, the repository information in the registry link is not that relevant as we can insert anything there. The GitHub Maven indexes packages on org level. But we cannot access the packages from actions within the org. It's a real hassle. Right now, I guess, the only solution is a PAT.

florianmutter Jan 9, 2024

Giving permission to a different repo does not work for NPM for us

warrenackerman · 2023-10-13T14:15:43Z

warrenackerman
Oct 13, 2023

We are having this issue as well. We want to use a git hub app generated token to download packages from our private repositories and it is not working.
I see this issue is over 3 years old with no real updates from Github.
@loki666 the GITHUB_TOKEN I think this will not work since it has only rights to the repo the workflow was triggered from.
@cs-fokko That approach did not work for us. We tried adding individual repos (RepoB in our scenario) to package settings and we were unable to authorize DL of RepoA Packages to RepoB's workflow.

0 replies

meghein · 2023-12-07T19:51:21Z

meghein
Dec 7, 2023

Also having this issue, would love a resolution - anything in the pipeline to fix this??

0 replies

garyy7811 · 2023-12-08T11:54:47Z

garyy7811
Dec 8, 2023

this is an example of usage: https://github.com/orgs/community/discussions/78090

need permissions to access org packages.

0 replies

MMartyn · 2024-03-25T20:04:49Z

MMartyn
Mar 25, 2024

This is also presenting a problem for me as well. It seems odd that the app token can be used to pull down release binaries but can't pull down packages.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Read GitHub Packages permission for GitHub App? #24636

{{title}}

Replies: 8 comments 3 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

Select a reply

Read GitHub Packages permission for GitHub App? #24636

Replies: 8 comments · 3 replies

dgholz Jun 11, 2020 Author

Replies: 8 comments 3 replies

dgholz
Jun 11, 2020
Author