Token with "repo" scope to install private packages?

I feel somewhat confused about tokens and scopes when they are used to share packages from private repositories.

I have a private repository with some collaborators. I want to “publish” a package from this repo to be shared among those collaborators. According to the “About Github Packages page”, I need to create a token with “read:packages” and “repo” scopes because my repo is private. So, with that token my colleagues could log in to the Github npm registry and install the package.

But the token has full access to all my private repositories because “repo” scope is flagged. Is that right? Is there any other way to share packages from private repositories?

Thanks in advance for your time.

Hi @lomedil,

According to “About Github Packages page”, I need to create a token with “read:packages” and “repo” scopes because my repo is private.

I don’t think our documentation is correct here. You’ll find you only need the read:packages scope to install private packages.

But the token has full access to all my private repositories because “repo” scope is flagged. Is that right? Is there any other way to share packages from private repositories?

What I suggest you do is create a machine-user account that has access to the private repositories you need to share packages from (it only needs read access). You can then generate PATs with the read:packages scope from this account.

If this PAT might be intentionally pushed to a public repository, you will need to encode it to prevent it from being automatically deleted by GitHub.

I’ve created a tool that will let you encode read:packages PATs for use in various package ecosystems. If you have Docker installed, you can use it like this:

docker run jcansdale/gpr encode <READ_PACKAGES_TOKEN>

It will output the following:

An encoded token can be included in a public repository without being automatically deleted by GitHub.
These can be used in various package ecosystems like this:

A NuGet `nuget.config` file:
<packageSourceCredentials>
  <github>
    <add key="Username" value="PublicToken" />
    <add key="ClearTextPassword" value="&#60;&#82;&#69;&#65;&#68;&#95;&#80;&#65;&#67;&#75;&#65;&#71;&#69;&#83;&#95;&#84;&#79;&#75;&#69;&#78;&#62;" />
  </github>
</packageSourceCredentials>

A Maven `settings.xml` file:
<servers>
  <server>
    <id>github</id>
    <username>PublicToken</username>
    <password>&#60;&#82;&#69;&#65;&#68;&#95;&#80;&#65;&#67;&#75;&#65;&#71;&#69;&#83;&#95;&#84;&#79;&#75;&#69;&#78;&#62;</password>
  </server>
</servers>

An npm `.npmrc` file:
@OWNER:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken="\u003c\u0052\u0045\u0041\u0044\u005f\u0050\u0041\u0043\u004b\u0041\u0047\u0045\u0053\u005f\u0054\u004f\u004b\u0045\u004e\u003e"

Your collaborators can use this to access your private packages from their public or private repositories.

Because there is the possibility that someone might decode one of these tokens and push it to a public repository, it makes sense to create a new PAT for each set of collaborators.

Does that help at all?
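The encoding step above is easy to misread as protection, so here is a worked illustration of what it does and does not do. This is an added example written for this thread, not the gpr tool's own code: it reproduces the three output forms shown in the reply (decimal XML character references for nuget.config and settings.xml, JSON-style \uXXXX escapes for .npmrc), and it also decodes them again to make the caveat concrete. SAMPLE_TOKEN is a constructed placeholder (the same one the reply used), not a real credential; the `ghp_`-style token in the comments is likewise made up.

```python
"""Encode a read:packages PAT so it can sit in a public repository.

Added example for this thread; not the gpr tool's own code. The encoding only
keeps the literal token text out of the file, so GitHub's automatic revocation
does not trigger. It is fully reversible, so it is not secrecy: anyone who can
read the file can recover the token. That is why the token should come from a
machine user, carry only read:packages, and be rotated per collaborator group.
"""
import html
import json

# Constructed placeholder standing in for a real read:packages PAT.
SAMPLE_TOKEN = "<READ_PACKAGES_TOKEN>"


def encode_xml_entities(token: str) -> str:
    """Map every character to a decimal character reference ('<' -> '&#60;').
    XML parsers (NuGet, Maven) expand these when reading the config, so the
    raw token text never appears in the file itself."""
    return "".join(f"&#{ord(c)};" for c in token)


def encode_unicode_escapes(token: str) -> str:
    """Map every character to a \\uXXXX escape. The thread's .npmrc snippet
    relies on npm's ini parser JSON-decoding quoted values."""
    return "".join(f"\\u{ord(c):04x}" for c in token)


def decode_xml_entities(encoded: str) -> str:
    """Reverse of encode_xml_entities: shows the encoding hides nothing."""
    return html.unescape(encoded)


def decode_unicode_escapes(encoded: str) -> str:
    """Reverse of encode_unicode_escapes, using the same JSON rules npm does."""
    return json.loads(f'"{encoded}"')


def nuget_config_fragment(encoded: str) -> str:
    return (
        "<packageSourceCredentials>\n"
        "  <github>\n"
        '    <add key="Username" value="PublicToken" />\n'
        f'    <add key="ClearTextPassword" value="{encoded}" />\n'
        "  </github>\n"
        "</packageSourceCredentials>\n"
    )


def maven_settings_fragment(encoded: str) -> str:
    return (
        "<servers>\n"
        "  <server>\n"
        "    <id>github</id>\n"
        "    <username>PublicToken</username>\n"
        f"    <password>{encoded}</password>\n"
        "  </server>\n"
        "</servers>\n"
    )


def npmrc_fragment(owner: str, encoded: str) -> str:
    return (
        f"@{owner}:registry=https://npm.pkg.github.com\n"
        f'//npm.pkg.github.com/:_authToken="{encoded}"\n'
    )


def encode_for_all_ecosystems(token: str, owner: str) -> dict:
    """Produce the three config fragments the thread shows, keyed by file name."""
    xml = encode_xml_entities(token)
    return {
        "nuget.config": nuget_config_fragment(xml),
        "settings.xml": maven_settings_fragment(xml),
        ".npmrc": npmrc_fragment(owner, encode_unicode_escapes(token)),
    }


def raw_token_leaks(token: str, fragments: dict) -> bool:
    """True if the literal token text appears in any fragment. Automatic
    revocation keys on the literal token, which the encoded forms omit."""
    return any(token in text for text in fragments.values())


if __name__ == "__main__":
    fragments = encode_for_all_ecosystems(SAMPLE_TOKEN, "OWNER")
    for name, text in fragments.items():
        print(f"# {name}\n{text}")
    print("raw token present:", raw_token_leaks(SAMPLE_TOKEN, fragments))
    # Anyone holding the file can do this, which is the whole caveat:
    print("decoded:", decode_xml_entities(encode_xml_entities(SAMPLE_TOKEN)))
```

Run it with the placeholder and the three fragments come out character for character as in the reply above; substitute a real read:packages PAT and the same code produces a committable file. Treat the decode functions as the threat model: the encoded token is public, so the machine user behind it must have nothing but read access to the packages you intend to share.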

Great! I have created a machine-user account, added it as a collaborator for one of my private projects and created a PAT. Now with that PAT I can download packages from that private repository. This strategy solves this and other questions that I was thinking about.

I didn’t try your Docker application because I don’t have it installed on this machine. But I know why a PAT must be encoded and how I can do it.

About the ‘repo’ scope for the PAT. I’m afraid that the docs are right. When I try to log in to NPM using a PAT with just the ‘read:packages’ scope, it throws this error:

npm ERR! code E401
npm ERR! 401 Unauthorized - PUT https://npm.pkg.github.com/-/user/org.couchdb.user:lomedil - Error authenticating user: Personal Access Token is invalid. Your token must have the `repo` and read:packages` scopes to login to the GitHub Package Registry.

Anyway. Your answer is more than correct. Thank you very much.

@lomedil,

About the ‘repo’ scope for the PAT. I’m afraid that the docs are right. When I try to log in to NPM using a PAT with just the ‘read:packages’ scope, it throws this error…

Instead of using npm login, could you try creating a .npmrc at the root of your repository (changing OWNER to your user/org):

@OWNER:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}

Then do:

export GITHUB_TOKEN=<your read:packages PAT>
npm install

Could you let me know if this works?

Yes, you are right. To be more specific, I tried to install a global package, not a module as a project dependency. Based on your suggestion, I created a file ~/.npmrc using a PAT with read:packages and now it works.

Once more, thank you very much.
