Permissions for packages
A package inherits the permissions and visibility of the repository in which the package is published. You can find a package scoped to a repository by going to the main page of the repository and clicking the Packages link to the right of the page.
About scopes and permissions for package registries
To use or manage a package hosted by a package registry, you must use a personal access token with the appropriate scope, and your personal account must have appropriate permissions.
- To download and install packages from a repository, your personal access token must have the
read:packagesscope, and your user account must have read permission.
- To delete a specified version of a package on GitHub AE, your personal access token must have the
reposcope. For more information, see "Deleting and restoring a package."
|Download and install packages from GitHub Packages||read|
|Upload and publish packages to GitHub Packages||write|
|Delete specified versions of packages from GitHub Packages||admin|
|Upload and delete packages (along with ||write or admin|
When you create a GitHub Actions workflow, you can use the
GITHUB_TOKEN to publish and install packages in GitHub Packages without needing to store and manage a personal access token.
For more information, see:
- "Publishing and installing a package with GitHub Actions"
- "Managing your personal access tokens"
- "Scopes for OAuth Apps"
About repository transfers
You can transfer a repository to another personal account or organization. For more information, see "Transferring a repository."
When you transfer a repository, GitHub transfers the packages associated with a repository as part of the repository transfer. All billable usage associated with the packages will subsequently be billed to the new owner of the repository. If the previous repository owner is removed as a collaborator on the repository, they may no longer be able to access the packages associated with the repository.
Maintaining access to packages in GitHub Actions workflows
To ensure your workflows will maintain access to your packages, ensure that you're using the right access token in your workflow and that you've enabled GitHub Actions access to your package.
For more conceptual background on GitHub Actions or examples of using packages in workflows, see "Managing GitHub packages using GitHub Actions workflows."
- To publish and install packages associated with the workflow repository, use
- To install packages associated with other private repositories that
GITHUB_TOKENcan't access, use a personal access token
For more information about
GITHUB_TOKEN used in GitHub Actions workflows, see "Automatic token authentication."