According to the “About GitHub Packages” page, I need to create a token with “read:packages” and “repo” scopes because my repo is private.
I don’t think our documentation is correct here. You’ll find you only need the read:packages scope to install private packages.
But the token has full access to all my private repositories because “repo” scope is flagged. Is that right? Is there any other way to share packages from private repositories?
What I suggest you do is create a machine-user account that has access to the private repositories you need to share packages from (it only needs read access). You can then generate PATs with the read:packages scope from this account.
If this PAT might be intentionally pushed to a public repository, you will need to encode it to prevent it from being automatically deleted by GitHub.
I’ve created a tool that will let you encode read:packages PATs for use in various package ecosystems. If you have Docker installed, you can use it like this:
docker run jcansdale/gpr encode <READ_PACKAGES_TOKEN>
It will output the following:
An encoded token can be included in a public repository without being automatically deleted by GitHub.
These can be used in various package ecosystems like this:
A NuGet `nuget.config` file:
<add key="Username" value="PublicToken" />
<add key="ClearTextPassword" value="<READ_PACKAGES_TOKEN>" />
A Maven `settings.xml` file:
An npm `.npmrc` file:
Your collaborators can use this to access your private packages from their public or private repositories.
Because there is the possibility that someone might decode one of these tokens and push it to a public repository, it makes sense to create a new PAT for each set of collaborators.
Does that help at all?
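The answer above rests on the token carrying only the read:packages scope, so the one check worth running before handing a machine-user PAT to anyone is to confirm that the scopes GitHub reports for it match what you intended. GitHub returns the scopes of a classic PAT in the X-OAuth-Scopes response header of any authenticated API call. The following POSIX shell script is an added example, not part of the original thread or of the gpr tool: it parses those headers and fails if any scope outside an allowed list is present. The two SAMPLE_* header blobs are constructed to mimic what curl -sI returns; the GITHUB_PAT variable name is an assumption for the live check. Fine-grained tokens do not populate this header, so the script treats a missing or empty value as a failure rather than a pass.

```shell
#!/bin/sh
# Verify that a classic GitHub PAT carries only the scopes we expect,
# using the X-OAuth-Scopes header that api.github.com returns.

# Extract the value of the X-OAuth-Scopes header (case-insensitive) from
# raw response headers; strips CRs so curl -sI output parses cleanly.
pat_scopes() {
    printf '%s\n' "$1" | tr -d '\r' \
        | awk -F': ' 'tolower($1) == "x-oauth-scopes" { print $2 }'
}

# pat_scopes_ok HEADERS "scope1 scope2 ..."
# Returns 0 when every scope reported in HEADERS is in the allowed list,
# 1 otherwise (including when no scope header is present at all).
pat_scopes_ok() {
    scopes=$(pat_scopes "$1")
    allowed=" $2 "
    if [ -z "$scopes" ]; then
        echo "no X-OAuth-Scopes header: not a classic PAT or request failed" >&2
        return 1
    fi
    ok=0
    # Scopes arrive comma-separated ("read:packages, repo"); split on commas.
    for s in $(printf '%s\n' "$scopes" | tr ',' ' '); do
        case "$allowed" in
            *" $s "*) ;;
            *) echo "unexpected scope on token: $s" >&2; ok=1 ;;
        esac
    done
    return $ok
}

# Constructed sample headers (not real API output) for offline use.
SAMPLE_OK='HTTP/2 200
x-oauth-scopes: read:packages
x-accepted-oauth-scopes: 
'
SAMPLE_BAD='HTTP/2 200
x-oauth-scopes: read:packages, repo
'

# Live check, only when a token is supplied; GITHUB_PAT is an assumed name.
if [ -n "${GITHUB_PAT:-}" ]; then
    hdrs=$(curl -sI -H "Authorization: token $GITHUB_PAT" https://api.github.com/user)
    pat_scopes_ok "$hdrs" "read:packages" && echo "token is read:packages only"
fi
```

Run it with GITHUB_PAT set to the machine-user token; a token that also carries repo, as the question describes, prints "unexpected scope on token: repo" and exits non-zero, which is the signal to regenerate it with the single scope before sharing it.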