Packages with granular permissions are scoped to a personal user or organization account. You can change the access control and visibility of a package separately from the repository that it is connected (or linked) to.
Currently, you can only use granular permissions with the Container registry. Granular permissions are not supported in our other package registries, such as the RubyGems registry.
For more information about permissions for repository-scoped packages, packages-related scopes for PATs, or managing permissions for your actions workflows, see "About permissions for GitHub Packages."
Visibility and access permissions for container images
如果您对容器映像具有管理员权限,可以将容器映像的访问权限设置为私有或公有。 公有映像允许匿名访问,无需身份验证或通过 CLI 登录即可进行拉取。
作为管理员,您还可以授予容器映像的访问权限,该权限与在组织和仓库级别设置的权限不同。
对于个人帐户发布和拥有的容器映像,你可以为任何人提供访问角色。 对于组织发布和拥有的容器映像,您可以为组织中的任何人或团队授予访问角色。
| 权限 | 访问描述 |
|---|---|
| 读取 | 可以下载包。 可以读取包元数据。 |
| 写入 | 可以上传和下载此包。 可以读取和写入包元数据。 |
| 管理员 | 可以上传、下载、删除和管理此包。 可以读取和写入包元数据。 可以授予包权限。 |
Configuring access to container images for your personal account
If you have admin permissions to a container image that's owned by a personal account, you can assign read, write, or admin roles to other users. For more information about these permission roles, see "Visibility and access permissions for container images."
If your package is private or internal and owned by an organization, then you can only give access to other organization members or teams.
- 搜索并选择您的包。
- 在包登录页的右上角,单击“包设置”。
- On the package settings page, click Invite teams or people and enter the name, username, or email of the person you want to give access. Teams cannot be given access to a container image owned by a personal account.
- Next to the username or team name, use the "Role" drop-down menu to select a desired permission level.
The selected users will automatically be given access and don't need to accept an invitation first.
Configuring access to container images for an organization
If you have admin permissions to an organization-owned container image, you can assign read, write, or admin roles to other users and teams. For more information about these permission roles, see "Visibility and access permissions for container images."
If your package is private or internal and owned by an organization, then you can only give access to other organization members or teams.
- 在 GitHub 上,导航到组织的主页面。
- 在组织名称下,单击“包”。
- 搜索并选择您的包。
- 在包登录页的右上角,单击“包设置”。
- On the package settings page, click Invite teams or people and enter the name, username, or email of the person you want to give access. You can also enter a team name from the organization to give all team members access.
- Next to the username or team name, use the "Role" drop-down menu to select a desired permission level.
The selected users or teams will automatically be given access and don't need to accept an invitation first.
Inheriting access for a container image from a repository
To simplify package management through GitHub Actions workflows, you can enable a container image to inherit the access permissions of a repository by default.
If you inherit the access permissions of the repository where your package's workflows are stored, then you can adjust access to your package through the repository's permissions.
Once a repository is synced, you can't access the package's granular access settings. To customize the package's permissions through the granular package access settings, you must remove the synced repository first.
- 在 GitHub 上,导航到组织的主页面。
- 在组织名称下,单击“包”。
- 搜索并选择您的包。
- 在包登录页的右上角,单击“包设置”。
- Under "Repository source", select Inherit access from repository (recommended).
Ensuring workflow access to your package
To ensure that a GitHub Actions workflow has access to your package, you must give explicit access to the repository where the workflow is stored.
The specified repository does not need to be the repository where the source code for the package is kept. You can give multiple repositories workflow access to a package.
Note: Syncing your container image with a repository through the Actions access menu option is different than connecting your container to a repository. For more information about linking a repository to your container, see "Connecting a repository to a package."
GitHub Actions access for user-account-owned container images
- 搜索并选择您的包。
- 在包登录页的右上角,单击“包设置”。
- In the left sidebar, click Actions access.
- To ensure your workflow has access to your container package, you must add the repository where the workflow is stored. Click Add repository and search for the repository you want to add.
- Using the "role" drop-down menu, select the default access level that you'd like the repository to have to your container image.
To further customize access to your container image, see "Configuring access to container images for your personal account."
GitHub Actions access for organization-owned container images
- 在 GitHub 上,导航到组织的主页面。
- 在组织名称下,单击“包”。
- 搜索并选择您的包。
- 在包登录页的右上角,单击“包设置”。
- In the left sidebar, click Actions access.
- Click Add repository and search for the repository you want to add.
- Using the "role" drop-down menu, select the default access level that you'd like repository members to have to your container image. Outside collaborators will not be included.
To further customize access to your container image, see "Configuring access to container images for an organization."
Configuring visibility of container images for your personal account
When you first publish a package, the default visibility is private and only you can see the package. You can modify a private or public container image's access by changing the access settings.
A public package can be accessed anonymously without authentication. Once you make your package public, you cannot make your package private again.
-
搜索并选择您的包。
-
在包登录页的右上角,单击“包设置”。
-
Under "Danger Zone", choose a visibility setting:
-
To make the container image visible to anyone, click Make public.
Warning: Once you make a package public, you cannot make it private again.
-
To make the container image visible to a custom selection of people, click Make private.
-
Container creation visibility for organization members
You can choose the visibility of containers that organization members can publish by default.
- 在 GitHub Enterprise Server 的右上角,单击你的个人资料照片,然后单击“你的组织”。
- 在组织旁边,单击“设置”。
- On the left, click Packages.
- Under "Container creation", choose whether you want to enable the creation of public, private, or internal container images.
- To enable organization members to create public container images, click Public.
- To enable organization members to create private container images that are only visible to other organization members, click Private. You can further customize the visibility of private container images.
- To enable organization members to create internal container images that are visible to all organization members, click Internal. If the organization belongs to an enterprise, the container images will be visible to all enterprise members.
Configuring visibility of container images for an organization
When you first publish a package, the default visibility is private and only you can see the package. You can grant users or teams different access roles for your container image through the access settings.
A public package can be accessed anonymously without authentication. Once you make your package public, you cannot make your package private again.
-
在 GitHub 上,导航到组织的主页面。
-
在组织名称下,单击“包”。
-
搜索并选择您的包。
-
在包登录页的右上角,单击“包设置”。
-
Under "Danger Zone", choose a visibility setting:
-
To make the container image visible to anyone, click Make public.
Warning: Once you make a package public, you cannot make it private again.
-
To make the container image visible to a custom selection of people, click Make private.
-