GITHUB_TOKEN does not have the correct rights to publish to private repos

[scottdickerson]

Code of Conduct

• I have read and agree to the GitHub Docs project's Code of Conduct

What article on docs.github.com is affected?

https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry#authenticating-with-a-personal-access-token

What changes are you suggesting?

We have Github workflows where we've tried to use the GITHUB_TOKEN to publish packages to github packages. These are scoped packages that point to repositories owned by our organization. We do not want to use a PAT.

We have given packages: write permissions to the Github workflows. We get 403 errors saying this token doesn' t have permissions to publish the package.
https://github.com/Contrast-Security-Inc/skeletor/actions/runs/3198674064/jobs/5223496673

This section of the documentation says that a PAT is required to write those packages:
https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry#authenticating-with-a-personal-access-token

But according to this issue and blog post, reading and writing a scoped package should now be supported by adding permissions to the GITHUB_TOKEN:

https://github.blog/changelog/2022-08-31-packages-fine-grained-permissions-and-organization-level-publishing-are-now-available-for-the-github-packages-npm-registry/

actions/setup-node#49 (comment)

Can this conflicting information in the documentation be resolved and added to the original article?

Additional information

No response

[welcome]

Thanks for opening this issue. A GitHub docs team member should be by to give feedback soon. In the meantime, please check out the contributing guidelines.

[github-actions]

Thanks for opening an issue! We've triaged this issue for technical review by a subject matter expert 👀

[steveward]

Thanks for the issue @scottdickerson! I'll get this triaged for review.

[bodograumann]

I think you also need to configure write access for the repository in the settings page of the package. If you had originally published the package from a workflow in the repository this would have been setup automatically iinm. The most up-to-date information that I found is here: https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package

I also summarized my findings here: actions/setup-node#49 (comment)
It would be great if that information could be verified and incorporated into the docs.

[scottdickerson]

Based on our testing, this is what APPEARS to be the case. It would be good if y'all can confirm on your side:

If the package was originally published with a PAT. We cannot publish a new version of the package to our organization repository using the OOTB GITHUB_TOKEN, even if we explicitly set these permissions

permissions:
  packages: write # needed for push of package
  contents: write # needed for push of tags
  pull-requests: read # needed to view the PR for the slack
  repository-projects: read # needed for view the PR for the slack https://github.com/cli/cli/issues/6274

We receive a 403 error.

If we change the publish to use the exact PAT that published the package initially, the new versions can be published.

If we change the PAT to a different persons PAT that did not publish the package initially, we cannot publish any new versions of the package. We get another 403 error.

[scottdickerson]

this new document: is getting REALLY close to telling us this publish package permissions behavior:
https://docs.github.com/en/rest/overview/permissions-required-for-fine-grained-personal-access-tokens
But it is silent on those package permissions, and also doesn't cover initial package creation versus management for an organization package.

[bodograumann]

Have you looked at the configuration page for your package, @scottdickerson ?
As described in the docs you can configure which pipelines can have access to it (using their GITHUB_TOKEN I assume).

[scottdickerson]

@bodograumann I think this might be getting close to the issue. We just created a new package as part of a npm publish running from a workflow in the skeletor repo (I believe using a PAT for the npm publish). However, the package doesn't seem to have been linked to the repo with any permissions automatically. For my old packages I think we manually added these extra permissions. Is that correct? Should the package be automatically linking the repo when it gets published?

This is what the package settings page looked like after the new package was created:

[bodograumann]

The first box "Repository source" actually shows that the package has been linked correctly with the repository. (You could remove the link with the trash icon)
No explicit permissions have been defined though. That is what the second box "Manage Actions access" is for.
I thought this was required to publish updates, so I am unsure why it wasn't added automatically.
There is more thing further down though, which says "inherit permissions from linked repository".
So it could also be that when the pipeline is run on the linked repository, it automatically inherits the write permissions from there.

[scottdickerson]

yeah you're even closer I think to the issue, this one is also set false by default for that new repo

AND I see an explicit grant that matches ME which was the PAT used to create the package: