Read GitHub Packages permission for GitHub App?

[dgholz]

Hello, I’m looking at the list of permissions that an App can be granted and I can’t see one which would allow my app to fetch packages from a repo. Is there a permission I can grant my app to fetch packages from repos/orgs it’s installed into?

[francisfuzz]

👋 Hello, @dgholz ! Welcome to the GitHub Community Forum––we’re glad to see you post this question here. 👍

Permissions on “packages” is not currently available for all¹ GitHub Apps (see GitHub Apps Permissions for more details).

We’re always working to improve GitHub and the GitHub Support Community, and we consider every suggestion we receive. Would you mind submitting this through our official product feedback form so that our product team can track your request?

It may be worth noting that you can use either of these tokens to authenticate with GitHub Packages:

• a personal access token with the read:packages scope.
• the GITHUB_TOKEN that GitHub automatically creates for your repository when you enable GitHub Actions (see About GitHub Packages with GitHub Actions and Permissions for the GITHUB_TOKEN for more details).

We hope this helps!

---

¹ At this time of writing, the GITHUB_TOKEN from GitHub Actions is an installation token associated with a GitHub App owned by GitHub and is the only GitHub App with access to packages.

[dgholz]

Thanks, that’s helpful. I used an Action and its token to fetch packages from my org, but I see today that it’s failing to see private packages (published on other repos in our org). Last week it was working fine, was the scope of the token’s access to GitHub Packages changed recently?

[glloydcorecard]

Would love to actually see GitHub Applications have permissions to Read/Write to packages. We are currently trying to leverage the GITHUB_TOKEN when leveraging a maven parent. However, it fails to download the package. The only solution we have found so far it leverage a user PAT which is not a tenable solution.

Additionally in the workflow we did set the package permission to write and it was still unable to download the package.

[kshiftw]

Github Support confirmed that it is still not possible to authenticate with a GitHub App token on the GitHub Package Registry:

You cannot authenticate with a GitHub App token on the GitHub Package Registry.

This is a pain point for other GitHub users as well and the Packages team is looking into supporting GitHub App installation tokens for authenticating to the Package Registry. There is an open internal feature request for this functionality, I have added your voice to it. This is not on our public roadmap yet, so I do not have a link for you to follow the progress. However, we usually announce such features as they become available on the [ChangeLog](https://github.blog/changelog/) page of our [Blog](https://github.blog/).

If you are using GitHub Actions for your builds, you can use the GITHUB_TOKEN available on each workflow run.

https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions

If not, you'll need to [create a personal access token(classic)](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) with the packages scope to access the packages.

[loki666]

It's not clear to me...

Can a workflow running on repo A access the maven package repository on private repository B using GITHUB_TOKEN?

Both repositories are part of the same org.

Thanks

[cs-fokko]

Not clear for me as well. For NPM packages we can set access rights for different private repos in the org but not for Maven. Moreover, the repository information in the registry link is not that relevant as we can insert anything there. The GitHub Maven indexes packages on org level. But we cannot access the packages from actions within the org. It's a real hassle. Right now, I guess, the only solution is a PAT.

[florianmutter]

Giving permission to a different repo does not work for NPM for us

[rowi1de]

https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#github-actions-access-for-packages-scoped-to-organizations

This should work but is really inconvenient:
If you want to pull package of Repo A,
you need to add Repo B (… Z) there to allow access via workflows? In organizations it can be multitude of packages / repositories using each other.

[warrenackerman]

We are having this issue as well. We want to use a git hub app generated token to download packages from our private repositories and it is not working.
I see this issue is over 3 years old with no real updates from Github.
@loki666 the GITHUB_TOKEN I think this will not work since it has only rights to the repo the workflow was triggered from.
@cs-fokko That approach did not work for us. We tried adding individual repos (RepoB in our scenario) to package settings and we were unable to authorize DL of RepoA Packages to RepoB's workflow.

[meghein]

Also having this issue, would love a resolution - anything in the pipeline to fix this??

[garyy7811]

this is an example of usage: https://github.com/orgs/community/discussions/78090

need permissions to access org packages.

[MMartyn]

This is also presenting a problem for me as well. It seems odd that the app token can be used to pull down release binaries but can't pull down packages.

[domgraziano]

Same problem here, spoke with enterprise support today and seems odd that one should use a personal access token instead of an app. Suggestion for support was that this is till the only option available with the added burden that a PAT can only be usable with a seat and you pay for a seat! Plus: for GitHub Apps, the rate limit is 15,000 requests per hour. However, if you're using a PAT, the rate limit is 5,000 requests per hour. I would love to see Github to action a resolution for such a significant limitation in its roadmap.

[acuD1]

Hi, same problems here. Generated tokens from Github App can't pull from ghcr.io.

$ gh token generate --key private-key.pem --app-id <redacted>                                                                                                                                                                               
{
  "token": "ghs_<redacted>",
  "expires_at": "2024-06-11T15:50:57Z",
  "permissions": {
    "actions": "write",
    "contents": "write",
    "metadata": "read",
    "packages": "write",
    "workflows": "write"
  }
}

In the logs we can see that.

docker: Error response from daemon: denied.

But it might be due to the username field. Which username should we put for login to the registry ? (Even though we get Login Succeeded).

[mtparet]

Who is really using GitHub packages ? With the lack of correct permission management, it's just not acceptable to use in any enterprise with a minimum security level required by the business/clients.

It's just for public packages for now.

[benbonnet]

This discussion demonstrates you can't automate much atop github package registry, as it remains manual, so adoption can't even take off.
For now, and for internal tooling, many might want to have it all managed at the same place

[garyy7811]

I think this is on purpose, to keep people using Github workflow to build Github repo.

…

On Mon, Jul 1, 2024 at 10:15 AM Ben ***@***.***> wrote: This discussion demonstrates you can't automate much atop github package registry, as it remains manual. For internal tooling, many might want to have it all managed at the same place — Reply to this email directly, view it on GitHub <#24636 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AHMU2QFLYOOGGBG2IZRMQN3ZKFQBVAVCNFSM6AAAAAAZDU3KDOVHI2DSMVQWIX3LMV43SRDJONRXK43TNFXW4Q3PNVWWK3TUHM4TSMRWGE4TS> . You are receiving this because you commented.Message ID: ***@***.***>

[mjfpalmer]

+1

Really silly that my GitHub app can do everything it needs to using its own access token, except read packages!

[chrede88]

Saw this packages permission while going through one of my Github App's permissions the other day. It's a bit strange, as the help link to a page that doesn't exist: https://docs.github.com/en/rest/authentication/permissions-required-for-github-apps?apiVersion=2022-11-28#repository-permissions-for-packages

Could it be that this is now "half way" implemented?

[evilhamsterman]

Thanks, @francisfuzz is there an update on this?

[tim-becker]

I'm also confused why this permission exists but doesn't seem to work

[venkatamutyala]

This is exciting. I assume they are still working on it/testing it. So hopefully we will be able to switch over soon than later.

[evilhamsterman]

I can certainly see that they may be testing it, though it shouldn't be listed in the available permissions if it isn't live yet. They have been doing a bunch recently to improve apps, like allowing Enterprises to share apps across their organizations, before we either had to create multiple apps or make apps publicly visible. It would be nice to get a response from GitHub, perhaps I'll reach out to my rep

[fbonander]

I ran into the same thing. Got this response from our GitHub rep.

Unfortunately, GitHub Apps cannot authenticate against GitHub Packages registry. Only the Actions GITHUB_TOKEN and Personal Access Token can do so.
Though the UI refers to GitHub Apps Package permission as "Packages published to the GitHub Package Platform", they can only access Package billing aspects on the GitHub's REST API. I am going to raise this internally towards our Product managers to clarify the UI.

[rowi1de]

What are the current options for organizations with multiple private repository packages:

• Use a PAT of a developer or “service user”
• To use GITHUB_TOKEN, it is required to add every repo to each package that should be able to pull in a workflow? https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#github-actions-access-for-packages-scoped-to-organizations