English
No results found.

Explore by product

GitHub Packages
  • Get started
  • Account and profile
  • Authentication
  • Repositories
  • GitHub
  • Enterprise administrators
  • Billing and payments
  • Organizations
  • Code security
  • GitHub Issues
  • GitHub Actions
  • GitHub Codespaces
  • GitHub Packages
  • Search on GitHub
  • Developers
  • REST API
  • GraphQL API
  • GitHub CLI
  • GitHub Discussions
  • GitHub Sponsors
  • Building communities
  • GitHub Pages
  • Education
  • GitHub Desktop
  • Atom
  • Electron
  • CodeQL
  • npm
    • English
  • English
  • 简体中文 (Simplified Chinese)
  • 日本語 (Japanese)
  • Español (Spanish)
  • Português do Brasil (Portuguese)

    • This version of GitHub Enterprise was discontinued on 2021-09-23. No patch releases will be made, even for critical security issues. For better performance, improved security, and new features, upgrade to the latest version of GitHub Enterprise. For help with the upgrade, contact GitHub Enterprise support.

    Article version

    In this article

    About permissions for GitHub Packages

    Learn about how to manage permissions for your packages.

    GitHub Packages is available with GitHub Free, GitHub Pro, GitHub Free for organizations, GitHub Team, GitHub Enterprise Cloud, GitHub Enterprise Server, and GitHub AE.

    Permissions for repository-scoped packages

    A repository-scoped package inherits the permissions and visibility of the repository that owns the package. You can find a package scoped to a repository by going to the main page of the repository and clicking the Packages link to the right of the page.

    The GitHub Packages registries below use repository-scoped permissions:

    • Docker registry (docker.pkg.github.com)
    • npm registry
    • RubyGems registry
    • Apache Maven registry
    • NuGet registry

    About scopes and permissions for package registries

    To use or manage a package hosted by a package registry, you must use a token with the appropriate scope, and your user account must have appropriate permissions.

    For example:

    • To download and install packages from a repository, your token must have the read:packages scope, and your user account must have read permission.
    • To delete a specified version of a private package on GitHub Enterprise Server, your token must have the delete:packages and repo scope. Public packages cannot be deleted. For more information, see "Deleting a package."
    ScopeDescriptionRequired permission
    read:packagesDownload and install packages from GitHub Packagesread
    write:packagesUpload and publish packages to GitHub Packageswrite
    delete:packagesDelete specified versions of private packages from GitHub Packagesadmin
    repoUpload and delete packages (along with write:packages, or delete:packages)write or admin

    When you create a GitHub Actions workflow, you can use the GITHUB_TOKEN to publish and install packages in GitHub Packages without needing to store and manage a personal access token.

    For more information, see:

    Maintaining access to packages in GitHub Actions workflows

    To ensure your workflows will maintain access to your packages, ensure that you're using the right access token in your workflow and that you've enabled GitHub Actions access to your package.

    For more conceptual background on GitHub Actions or examples of using packages in workflows, see "Managing GitHub Packages using GitHub Actions workflows."

    Access tokens

    • To publish packages associated with the workflow repository, use GITHUB_TOKEN.
    • To install packages associated with other private repositories that GITHUB_TOKEN can't access, use a personal access token

    For more information about GITHUB_TOKEN used in GitHub Actions workflows, see "Authentication in a workflow."