Limiting token access scope to specific packages (containers) on repo? #138909
-
What about using GitHub Apps? This can provide more fine-grained control over repository and package access. You can install it at the organization level and configure it with specific permissions.
-
Is there a way to have a more fine-grained scope for packages, using the same user (or org) to generate multiple tokens? We have many packages (Docker images) related to a single repository. A classic token only gives read access to all packages, and I don't see a way to limit that scope.
We need each token to have scope for a specific package only, and to not need to use multiple users for that (ideally to just generate a token from the org, but I'm not sure if it's even possible).
Currently we work around this by creating a separate GitHub user and granting that user access only to a specific package. We then generate a classic PAT to have package read access (which does not have a more fine-grained scope than just read access to all possible packages the user can access). But this way each "bot" user costs money, yet it is not used as a real user.
That new fine-grained token does not even seem to work properly with users, because if you have some user that has access to the org and its resources, that user is not an owner. And to specify access via that token, it must be an owner, so you can't even choose a repository from the org.