When setting "packages: write" permission in Github Action to publish the cache to Github Nuget Registry, reading from the registry fails with 403

[GasimGasimzada]

Select Topic Area

Question

Body

This question is related to both Github Actions and Github Packages

I have a job in Github actions where I am building packages using vcpkg and publishing the generated packages to Github Nuget Registry. So, I have set the following in my job:

  build-dependencies:
    name: Build dependencies
    permissions:
      packages: write
   # ...

I initially thought that when I set write, read is implied from it but after testing it out, I realized that if I set the permission to write, I cannot read from the packages. Here is how I am trying to install and and publish to the registry:

# Github action
inputs:
  triplet:
    description: Triplet
    required: true
  mono:
    description: Mono prefix for linux
    required: true
  token:
    description: Github token
    required: true
env:
  NUGET_SOURCE: "https://nuget.pkg.github.com/${{ github.repository_owner }}/index.json"
run: |
  alias nuget="${{ inputs.mono }} `./vcpkg/vcpkg fetch nuget | tail -n 1`"
  nuget sources remove -name nuget.org

  nuget sources add \
    -name "GitHub" \
    -source "$NUGET_SOURCE" \
    -username "${{ github.repository_owner }}" \
    -password "${{ inputs.token }}" \
    -storepasswordincleartext 

  nuget setapikey "${{ inputs.token }}" -source "$NUGET_SOURCE"

  ./vcpkg/vcpkg Install --triplet ${{ inputs.triplet }} --debug 
  
# Usage
runs-on: ${{ matrix.os }}
steps:
  - uses: actions/checkout@v4
  - uses: ./.github/actions/install-dependencies
    with:
      triplet: ${{ matrix.triplet }}
      mono: ${{ matrix.mono }}
      token: ${{ secrets.GITHUB_TOKEN }}

If I change to permissions: read, read works but write fails.

[amineamdouni]

The issue you're encountering with GitHub Actions and GitHub Packages permissions is related to the difference between read and write permissions.

When you set permissions: write for a GitHub token in your GitHub Actions workflow, it indeed grants the token the permission to write packages to the GitHub Package Registry. However, it does not implicitly grant read access.

To resolve this issue and ensure that you can both read and write packages to the GitHub NuGet Registry, you need to modify your GitHub token permissions. Specifically, you should ensure that your GitHub token has both read and write permissions.

Here's how you can modify your GitHub Actions workflow to include both read and write permissions for the token:

build-dependencies:
  name: Build dependencies
  permissions:
    packages: write

    `
Make sure your GitHub token has the necessary permissions:

Go to your GitHub repository.
Click on "Settings" in the right-hand menu.
Select "Secrets" from the options on the left.
Locate the secret that you're using as the token (in this case, it appears to be "${{ inputs.token }}") and ensure that it has the necessary permissions for both reading and writing packages in GitHub Packages.
By granting the token both read and write permissions, you should be able to successfully read and write packages to the GitHub NuGet Registry using your GitHub Actions workflow.

[GasimGasimzada]

@amineamdouni this makes sense when I use a custom token, which I am doing right now since. However, ideally I would want to use the token that is provided by Github Actions (i.e the token that is accessibly via GITHUB_TOKEN env var), which is not visible in Settings > Secret. My understanding is that, permissions field is used grant permissions and scopes for the GITHUB_TOKEN. However, it looks like a bug that write permission does not implicitly set read permission and there is no way to set read+write permission.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[mrmodojosr]

This is still an issue. The workaround appears to be to use your own token, but I'd like to see something more permanent.