Access private npm.pkg.github.com package from GitHub App's permission

[hi120ki]

Select Topic Area

Product Feedback

Body

We are publishing proprietary internal npm packages with GitHub Packages on Enterprise Cloud Organization.
However, there are two publication options for these npm packages: "internal" and "private." "Internal" packages are unconditionally exposed within the Organization, making them accessible from GitHub Actions in any repository.
To make this situation more secure, we are working on publishing packages as "private" and establishing restricted access methods.
In other words, we are attempting to restrict access to a "private" npm package published from a certain repository to a specific GitHub repository and Action that has access to a particular GitHub App Private Key.

Specifically, we tried to use the GitHub App Installation Token with actions/create-github-app-token to retrieve "private" npm packages from another repository.

Here is the overall workflow.

name: private-npm-package-install

on:
  workflow_dispatch:

jobs:
  private-npm-package-install:
    runs-on: ubuntu-latest
    permissions:
      contents: read

    steps:
      - name: checkout
        uses: actions/checkout@v4

      - name: setup node
        uses: actions/setup-node@v3
        with:
          node-version: 20

      - uses: actions/create-github-app-token@v1
        id: app-token
        with:
          app-id: ${{ vars.APP_ID }}
          private-key: ${{ secrets.PRIVATE_KEY }}

      - name: setup custom registry
        run: |
          echo "@<organization>:registry=https://npm.pkg.github.com" >> .npmrc
          echo "//npm.pkg.github.com/:_authToken=${{ steps.app-token.outputs.token }}" >> ~/.npmrc

      - run: npm install @<organization>/<package>@1.0.0

We have granted the GitHub App read permissions for Repository Package. When we tried this, we encountered the following error:

Permission installation not allowed to Read organization package

This doesn't seem to be the intended behavior. We certainly granted the GitHub App reading permissions for packages published in a certain repository. It is expected to work even if the package's publication status is Private.

However, internally, GitHub is likely using the "Organization Package" permissions. Since this has not been fully implemented yet, it's not documented, nor does it actually work for GitHub App's permission control.

This issue is blocking the challenge of securely using GitHub Package in an enterprise environment. Could you provide a solution for this or prioritize the implementation of "Organization Package" permissions?

Thank you.

[github-actions[bot]]

💬 Your Product Feedback Has Been Submitted 🎉

Thank you for taking the time to share your insights with us! Your feedback is invaluable as we build a better GitHub experience for all our users.

Here's what you can expect moving forward ⏩

• Your input will be carefully reviewed and cataloged by members of our product teams. 
  • Due to the high volume of submissions, we may not always be able to provide individual responses.
  • Rest assured, your feedback will help chart our course for product improvements.
• Other users may engage with your post, sharing their own perspectives or experiences. 
• GitHub staff may reach out for further clarification or insight. 
  • We may 'Answer' your discussion if there is a current solution, workaround, or roadmap/changelog post related to the feedback.

Where to look to see what's shipping 👀

• Read the Changelog for real-time updates on the latest GitHub features, enhancements, and calls for feedback.
• Explore our Product Roadmap, which details upcoming major releases and initiatives.

What you can do in the meantime 💻

• Upvote and comment on other user feedback Discussions that resonate with you.
• Add more information at any point! Useful details include: use cases, relevant labels, desired outcomes, and any accompanying screenshots.

As a member of the GitHub community, your participation is essential. While we can't promise that every suggestion will be implemented, we want to emphasize that your feedback is instrumental in guiding our decisions and priorities.

Thank you once again for your contribution to making GitHub even better! We're grateful for your ongoing support and collaboration in shaping the future of our platform. ⭐