-
I feel somewhat confused about tokens and scopes when they are used to share packages from private repositories. I have a private repository with some collaborators. I want to “publish” a package from this repo to be shared among those collaborators. According to the “About GitHub Packages” page, I need to create a token with the “read:packages” and “repo” scopes because my repo is private. So, with that token my colleagues could log in to the GitHub npm registry and install the package. But the token has full access to all my private repositories because the “repo” scope is flagged. Is that right? Is there any other way to share packages from private repositories? Thanks in advance for your time.
Replies: 5 comments
-
Hi @lomedil,
I don’t think our documentation is correct here. You’ll find you only need the read:packages scope to install private packages.
What I suggest you do is create a machine-user account that has access to the private repositories you need to share packages from (it only needs read access). You can then generate PATs with the read:package scope from this account.
If this PAT might be intentionally pushed to a public repository, you will need to encode it to prevent it from being automatically deleted by GitHub. I’ve created a tool that will let you encode
It will output the following:
Your collaborators can use this to access your private packages from their public or private repositories. Because there is the possibility that someone might decode one of these tokens and push it to a public repository, it makes sense to create a new PAT for each set of collaborators. Does that help at all?
-
Great! I have created a machine-user account, added it as a collaborator on one of my private projects and created a PAT. Now with that PAT I can download packages from that private repository. This strategy solves this and other questions that I was thinking about. I didn’t try your Docker application because I don’t have it installed on this machine. But I know why a PAT must be encoded and how I can do it. About the ‘repo’ scope for the PAT: I’m afraid that the docs are right. When I try to log in to NPM using a PAT with just the ‘read:packages’ scope, it throws this error:
Anyway, your answer is more than correct. Thank you very much.
-
Instead of using
Then do:
Could you let me know if this works?
-
Yes, you are right. To be more specific, I tried to install a global package, not a module as a project dependency. Based on your suggestion, I created a file
Once more, thank you very much.
-
Hello @jcansdale, I’ve tried your tool to encode my PAT and this is the result I got:
I use the latest version of your Docker image, Docker version 20.10.7, running on Ubuntu 20.04. Is it a bug in your tool or am I missing something here? Thank you, Argi.
Hi @lomedil,
I don’t think our documentation is correct here. You’ll find you only need the read:packages scope to install private packages.
What I suggest you do is create a machine-user account that has access to the private repositories you need to share packages from (it only needs read access). You can then generate PATs with the read:package scope from this account.
If th…