Skip to main content
We publish frequent updates to our documentation, and translation of this page may still be in progress. For the most current information, please visit the English documentation.
 

 

About permissions for GitHub Packages

In this article

Learn about how to manage permissions for your packages.

GitHub Packages está disponible con GitHub Free, GitHub Pro, GitHub Free para organizaciones, GitHub Team, GitHub Enterprise Cloud, GitHub Enterprise Server 3.0 o superior y GitHub AE.
GitHub Packages no está disponible para repositorios privados que pertenezcan a cuentas que utilicen planes tradicionales por repositorio. Las cuentas que utilicen los planes tradicionales por repositorio tampoco podrán acceder al Container registry ya que estas cuentas se facturan por repositorio. Para más información, vea "Productos de GitHub".

The permissions for packages can be scoped either to a user or an organization or to a repository.

Granular permissions for user/organization-scoped packages

Packages with granular permissions are scoped to a personal user or organization account. You can change the access control and visibility of the package separately from a repository that is connected (or linked) to a package.

The following GitHub Packages registries support granular permissions.

  • Container registry
  • npm registry
  • NuGet registry

Permissions for repository-scoped packages

A repository-scoped package inherits the permissions and visibility of the repository that owns the package. You can find a package scoped to a repository by going to the main page of the repository and clicking the Packages link to the right of the page. For more information, see "Connecting a repository to a package."

The following GitHub Packages registries only support repository-scoped permissions.

  • Docker registry (docker.pkg.github.com)

  • RubyGems registry

  • Apache Maven registry

  • Gradle registry

For other registries, you can choose to allow packages to be scoped to a user or an organization, or linked to a repository.

Visibility and access permissions for container images

Si tienes permisos administrativos en una imagen de contenedor, peudes configurar los permisos de acceso para la imagen de contenedor en privados o públicos. Las imágenes públicas permiten el acceso anónimo y pueden extraerse sin autenticación o ingresar a ellas através del CLI.

Como administrador, también puedes otorgar permisos de acceso para una imagen de contenedor que esté separada de los permisos que configuraste a nivel de organización y de repositorio.

Para las imágenes de contenedor publicadas y propiedad de una cuenta personal, puedes conceder a cualquier persona un rol de acceso. Puedes otorgar un rol de acceso a cualquier persona o equipo en la organización para las imágenes de contenedor que pertenecen a, o que publica una cuenta de usuario.

PermisoDescripción del acceso
LecturaPuede descargar el paquete.
Puede leer los metadatos del paquete.
EscrituraPuede cargar y descargar este paquete.
Puede leer y escribir metadatos del paquete.
AdministraciónPuede cargar, descargar, borrar y administrar este paquete.
Puede leer y escribir metadatos del paquete.
Puede conceder permisos de paquete.

For more information, see "Configuring a package's access control and visibility."

About scopes and permissions for package registries

GitHub Packages solo admite la autenticación mediante un personal access token (classic). Para obtener más información, consulta "Creación de un personal access token".

To use or manage a package hosted by a package registry, you must use a personal access token (classic) with the appropriate scope, and your personal account must have appropriate permissions.

For example:

  • To download and install packages from a repository, your personal access token (classic) must have the read:packages scope, and your user account must have read permission.
  • To delete a package on GitHub Enterprise Cloud, your personal access token (classic) must at least have the delete:packages and read:packages scope. The repo scope is also required for repo-scoped packages. For more information, see "Deleting and restoring a package."
ScopeDescriptionRequired permission
read:packagesDownload and install packages from GitHub Packagesread
write:packagesUpload and publish packages to GitHub Packageswrite
delete:packagesDelete packages from GitHub Packagesadmin
repoUpload and delete packages (along with write:packages, or delete:packages)write or admin

When you create a GitHub Actions workflow, you can use the GITHUB_TOKEN to publish and install packages in GitHub Packages without needing to store and manage a personal access token.

For more information, see:

Maintaining access to packages in GitHub Actions workflows

To ensure your workflows will maintain access to your packages, ensure that you're using the right access token in your workflow and that you've enabled GitHub Actions access to your package.

For more conceptual background on GitHub Actions or examples of using packages in workflows, see "Managing GitHub Packages using GitHub Actions workflows."

Access tokens

  • To publish packages associated with the workflow repository, use GITHUB_TOKEN.
  • To install packages associated with other private repositories that GITHUB_TOKEN can't access, use a personal access token (classic)

For more information about GITHUB_TOKEN used in GitHub Actions workflows, see "Authentication in a workflow."

GitHub Actions access for container images

To ensure your workflows have access to your container image, you must enable GitHub Actions access to the repositories where your workflow is run. You can find this setting on your package's settings page. For more information, see "Ensuring workflow access to your package."