GitHub Community
Allow for "internal" packages accessible to any action within an org without having to specify consuming repos #169492
Replies: 2 comments
-
|
💬 Your Product Feedback Has Been Submitted 🎉 Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users. Here's what you can expect moving forward ⏩
Where to look to see what's shipping 👀
What you can do in the meantime 💻
As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities. Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐ |
Beta Was this translation helpful? Give feedback.
-
|
This use-case makes a lot of sense. We have a similar setup (dozens of internal packages consumed by many apps), and the per-repo “Manage Actions access” allow-list doesn’t scale. What you can do today (without making anything public): 1. If you’re using GitHub Container Registry (GHCR) Publish images under the org namespace and set them to Internal (ghcr.io// permissions:
contents: read
packages: read
steps:
- name: Authenticate to GHCR
run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin
- name: Pull image
run: docker pull ghcr.io/<org>/<image>:<tag>This avoids per-repo allow-listing and keeps access org-scoped. 2. For non-container package registries (npm/Maven/NuGet/RubyGems) where cross-repo reads still require explicit access Use a GitHub App installed at org scope with permissions:
contents: read
steps:
- id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ secrets.ORG_APP_ID }}
private-key: ${{ secrets.ORG_APP_PRIVATE_KEY }}
owner: <your-org>
# npm example
- name: Configure npm for GitHub Packages
run: echo "//npm.pkg.github.com/:_authToken=\${NODE_AUTH_TOKEN}" > ~/.npmrc
- name: Install deps from GitHub Packages
run: npm ci
env:
NODE_AUTH_TOKEN: ${{ steps.app-token.outputs.token }}This scales better than long-lived PATs, rotates automatically, and can be installed for “All repositories” in the org. 3. Last resort (what you’re doing today): a fine-grained PAT Works, but it’s long-lived and has more risk/overhead. If you must use it, store it as an org secret and standardize on a single env var name across repos (e.g., Why an org-level option would help (feature request):
Acceptance criteria (what would solve this for us):
Migration tips that helped us:
Until there’s a first-class org-wide toggle, option (1) for GHCR and (2) with a GitHub App have been the most maintainable/secure paths for us. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Select Topic Area
Product Feedback
Body
Somewhat similar to: https://github.com/orgs/community/discussions/66098 but the answer there suggests making the repo public which isn't a valid solution for our use case.
Within our org we have around 20 packages being consumed both by each other & by around 30-40 apps. For obvious reasons this makes the current
Manage Actions accessworkflow (where you have to specifically allow consuming repos) untenable.Ideally we'd like an org-level option which says "all repos can read all packages" since we (and likely others) are small enough that we have no intra-organisation privacy concerns.
Failing that, an option on each package which specifies that all organisation repos can read it using actions would work - ideally that'd inherit from
internalrepos.As workarounds we've had to generate PAT tokens which has never felt like a great solution & presents its own issues.
Beta Was this translation helpful? Give feedback.
All reactions