Best practice for future proofed access tokens to an organisation's private GitHub registry packages?

[jschuur]

How can I give access to a GitHub private registry package without it inherently relying on a particular user being part of an organisation?

I've successfully published and installed private packages at npm.pkg.github.com via a personal access token for my account that is an owner of my work organisation. However, I would like to use these packages as part of a CI/CD process and not necessarily have them rely on an access token that I created (so that things don't break if I am no longer with the company and nobody migrates this over to a new PAT).

What's the best solution here? I've looked at a number of GitHub private registry permission articles, but none seem to mention how to give read:packages access to anything that is not directly tied to a user.

I realise that organisations aren't also user accounts, so I can't create a PAT for them. I thought I could use one of the new fine grained personal access tokens, but those don't let me specify the read:packages scope and simply giving it access to the monorepo from which I published the private packages wasn't sufficient. Plus they're still PATs.

The part that needs to access the packages also doesn't use GitHub Actions, so any integration there doesn't help.

The best solution I can come up with is to simply create a generic GitHub account, add that to the organisation and create a PAT under it and document it internally.

Are there any better solutions?

[tvthatsme]

Hi @jschuur, did you ever find a good solution for your question?

I believe that you should be able to use the GITHUB_TOKEN from within a CI process, if you are using GitHub actions.

I did have a question about your security model. Have you found having other developers generate their own PATs for accessing the private packages to work well? I am thinking of implementing the same, but have some concerns about the expanded thread surface with a bunch of PATs floating around. It doesn't seem like the organization has visibility as to what PATs are being used or the ability to revoke a rouge PAT, other than to remove a account from the organization. But without knowing what PAT is being used maliciously, how would you know what account to remove? 🤔

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[ShahriarKh]

did you find a solution?