Hello, @dgholz ! Welcome to the GitHub Community Forum––we’re glad to see you post this question here.
Permissions on “packages” is not currently available for all1 GitHub Apps (see GitHub Apps Permissions for more details).
We’re always working to improve GitHub and the GitHub Support Community, and we consider every suggestion we receive. Would you mind submitting this through our official product feedback form so that our product team can track your request?
It may be worth noting that you can use either of these tokens to authenticate with GitHub Packages:
-
a personal access token with the
read:packagesscope. - the
GITHUB_TOKENthat GitHub automatically creates for your repository when you enable GitHub Actions (seeAbout GitHub Packages with GitHub ActionsandPermissions for the GITHUB_TOKENfor more details).
We hope this helps!
1 At this time of writing, the GITHUB_TOKEN from GitHub Actions is an installation token associated with a GitHub App owned by GitHub and is the only GitHub App with access to packages.
GitHub
docs.github.com › en › packages › learn-github-packages › about-permissions-for-github-packages
About permissions for GitHub Packages - GitHub Docs
In most registries, to pull a package, you must authenticate with a personal access token or GITHUB_TOKEN, regardless of whether the package is public or private. However, in the Container registry, public packages allow anonymous access and can be pulled without authentication or signing in via the CLI. ... If you publish a package that is linked to a repository, the package inherits its permissions from the linked repository by default...
GitHub
docs.github.com › en › packages › learn-github-packages › configuring-a-packages-access-control-and-visibility
Configuring a package's access control and visibility - GitHub Docs
... A package can inherit its visibility and access permissions from a repository, or, for registries that support granular permissions, you can set the visibility and permissions of the package separately from a repository.
GitHub
docs.github.com › en › github-ae@latest › packages › learn-github-packages › about-permissions-for-github-packages
About permissions for GitHub Packages - GitHub Enterprise Cloud Docs
In most registries, to pull a package, you must authenticate with a personal access token or GITHUB_TOKEN, regardless of whether the package is public or private. However, in the Container registry, public packages allow anonymous access and can be pulled without authentication or signing in via the CLI. ... If you publish a package that is linked to a repository, the package inherits its permissions from the linked repository by default...
GitHub
docs.github.com › en › packages › learn-github-packages › introduction-to-github-packages
Introduction to GitHub Packages - GitHub Docs
For more information, see Viewing packages. The permissions for a package are either inherited from the repository where the package is hosted, or can be defined for specific users or organizations.
GitHub
github.com › github › docs › blob › main › content › packages › learn-github-packages › about-permissions-for-github-packages.md
docs/content/packages/learn-github-packages/about-permissions-for-github-packages.md at main · github/docs
The permissions for packages can be scoped either to a user or an organization or to a repository.
Author github
GitHub
docs.github.com › en › enterprise-server@3.12 › packages › learn-github-packages › configuring-a-packages-access-control-and-visibility
Configuring a package's access control and visibility - GitHub Enterprise Server 3.12 Docs
However, in the Container registry, public packages allow anonymous access and can be pulled without authentication or signing in via the CLI. When you publish a package, you automatically get admin permissions to the package.
GitHub
docs.github.com › en › enterprise-server@3.17 › packages › learn-github-packages › about-permissions-for-github-packages
About permissions for GitHub Packages - GitHub Enterprise Server 3.17 Docs
However, in the Container registry, public packages allow anonymous access and can be pulled without authentication or signing in via the CLI. When you publish a package, you automatically get admin permissions to the package.
GitHub
github.blog › home › changelogs › packages: fine-grained permissions and organization-level publishing are now available for the github packages npm registry
Packages: Fine-grained permissions and organization-level publishing are now available for the GitHub Packages npm registry - GitHub Changelog
March 22, 2025 - You can now configure Actions and Codespaces repository access on the package’s settings page, or invite other users to access the package. Additionally, npm packages published to GitHub packages can still be configured to automatically inherit all permissions from a linked repositories.
Top answer 1 of 2
15
As of December 2022 there is a solution.
In your organization, go to packages and select the packages you want access to. Under Package settings on the right you can add other repositories under "Manage Actions access". The other repositories only need read access.
In your YAML workflow file, add permissions for the workflow like so: Permissions example The workflow needs read access to contents and packages
Now you can use GITHUB_TOKEN to download packages in other private repositories
Workflow permissions: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs
Repository access: https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#github-actions-access-for-organization-owned-container-images
2 of 2
8
You should be able to follow this post: https://www.schakko.de/2020/12/19/using-github-workflow-with-maven-dependencies-from-a-private-github-package-registry/
It is important to note that the GITHUB_TOKEN will only work for uploads and downloads within the same repository.
If you want to access a package from another repository, you have to create a personal access token and use username/token as authentication.
So basically your step 2. including your username should work.
GitHub
docs.github.com › en › packages › learn-github-packages
Learn GitHub Packages - GitHub Docs
Introduction to GitHub Packages · About permissions for GitHub Packages · Configuring a package's access control and visibility · Connecting a repository to a package · Publishing a package · Viewing packages · Installing a package ·
Stack Overflow
stackoverflow.com › questions › 75871736 › when-using-fine-grained-access-in-github-how-to-give-permission-to-packages-of
When using fine-grained access in Github, how to give permission to packages of specific repo - Stack Overflow
Its not documented at https://docs.github.com/en/rest/overview/permissions-required-for-fine-grained-personal-access-tokens?apiVersion=2022-11-28 · Giving Read access to repo is not enough. ... Seems like it's not possible atm with GitHub fine-grained access tokens. The current documentation specifically mentions using classic tokens: https://docs.github.com/en/packages/learn-github-packages/about-permissions-for-github-packages#about-scopes-and-permissions-for-package-registries
GitHub
github.com › orgs › community › discussions › 56419
Private packages access permissions per repository or organisation · community · Discussion #56419
May 25, 2023 - In each package's settings, you can set permissions for the entire organization, allowing any repository in the organization to have read access. 3. Automate Permissions Configuration To avoid manually setting permissions for each package, you ...
GitHub
docs.github.com › en › packages › working-with-a-github-packages-registry › working-with-the-npm-registry
Working with the npm registry - GitHub Packages
The GitHub Packages registry stores ... a package with a repository. You can choose whether to inherit permissions from a repository, or set granular permissions independently of a repository....
GitHub
docs.github.com › en › packages › learn-github-packages › viewing-packages
Viewing packages - GitHub Docs
You can choose to use granular permissions or connect the package to a repository and inherit the repository's permissions. For more information, see Connecting a repository to a package and Configuring a package's access control and visibility. On the package page, GitHub provides metadata for each version, such as the publication date.
GitHub
docs.github.com › en › packages › working-with-a-github-packages-registry › working-with-the-container-registry
Working with the Container registry - GitHub Docs
A personal access token (classic) with at least read:packages scope to install packages associated with other private repositories (GITHUB_TOKEN can be used if the repository is granted read access to the package. See Configuring a package's access control and visibility). This registry supports granular permissions.
Rajnishkumarjha
rajnishkumarjha.com › exploring-package-access-control-and-visibility-in-github-packages
Exploring Package access control and visibility in GitHub Packages - Rajnish Kumar Jha, MCT: DevOps, Azure, Microsoft Certified Trainer
March 20, 2025 - If a repository is public, the package hosted in GitHub Packages is also public. This means anyone can install, download, or view the package. ... If a repository is private, the package is private as well, and only users who have appropriate ...
GitHub
docs.github.com › en › packages
GitHub Packages documentation - GitHub Docs
Choose who has read, write, or admin access to your package and the visibility of your packages on GitHub. ... You can connect a repository to a package on GitHub.
GitHub
docs.github.com › en › packages › managing-github-packages-using-github-actions-workflows › publishing-and-installing-a-package-with-github-actions
Publishing and installing a package with GitHub Actions - GitHub Docs
Repositories that publish packages using a workflow, and repositories that you have explicitly connected to packages, are automatically granted admin permission to packages in the repository. For more information about the GITHUB_TOKEN, see Use GITHUB_TOKEN for authentication in workflows.