I have a private GitHub repository.
GitHub allows to create releases and publish them, including binaries (e.g. .msi).
However I don't know how to (and this is my question):
Give public access to the releases, even though the repo is private
Only the binaries (.msi) should be publicly accessible and not the source code zip (added to the releases by default)
In other words, I want everyone to be able to download and install the application, maintaining private the sources.
Is this possible?
Related
A Github release has been made whose repository is private.
Anybody can download that release (source code as tar files) using wget or curl command.
Should wget or curl embed personal access token(authorization) associated with theprivate repo in order to download the tar files every time?
Thanks in advance.
If a repository is set to private, then its releases are also private.
If your objective is to provide public releases while maintaining private source code, then you'll need to publish the releases using a different channel (a mechanism separate from that private repository).
One way is to maintain a separate public repository just for the release artifacts. Another way is to use GitHub's dedicated packages feature (if it applies to your artifacts).
In response to the question in your comment:
Now, the question is that someone wants to download the release from that private repository. Should he need the personal access token in order to download the tar files?
Yes. See Creating a personal access token in the docs.
The project I'm working on currently deploys our private node packages via github packages. Our current workflow is for each developer to create and maintain their own personal access token, and then we use a central account's PAT for automation in AWS.
I was wondering if it's possible to authenticate with github packages without the use of Actions or PAT's?
As of 2022-07-30
No, it is not possible to use github packages without a personal access token (PAT):
It is not possible to upload without a PAT (which makes sense as it prevents random people to upload binaries to your package repo);
It is not possible to download without a PAT (not even publicly available packages can be used);
As early as 2019-10-20, people have requested github to remove PATs as a requirement for mainly downloading public packages.
The idea is that users of libraries should not need to have a github account to access a developer's package.
Sadly, the request for pat-less package downloads was not granted by Github to this day.
If you want a package registry without a hassle, it might be wise to look for other registries, such as MavenCentral or JitPack (not necessarily meant for node packages),
or host a service yourself.
I even had to link a cached webpage, as the original question has been removed from Github community along with a bunch of related questions.
Another question on github, stating pat-less access to packages is still on the roadmap for "fall 2021" is here.
I could not find what the current status of this feature is.
Edit: It is possible to download binaries without a PAT for public repositories using jitpack.io. Jitpack builds the given jar/aar on their servers.
You can add jitpack as a repository to your build system, and use the jitpack-specified URL to reference releases, branches, or specific commits.
Sadly, there is no way to refer to packages (yet).
However, this system allows your users to use your code without needing PATs nor a Github account.
I'd like to offer an alternative.
You may use a Gradle plugin of mine (magik, I was exactly in your shoes) to easier the consumption of artifacts from your Github Packages for Gradle clients.
It require you to save your read-only PAT on the repo itself, so that the users don't have to deal with any authentication (apart using the plugin above mentioned)
We created a public .github repository in our organization in order to create custom starter workflows as per:
https://docs.github.com/en/enterprise-cloud#latest/actions/using-workflows/creating-starter-workflows-for-your-organization
but can't seem to see them when creating a new repo.
Here is our github repo https://github.com/pepsico-ecommerce/.github
but can't seem to see them when creating a new repo.
Check if the new repository created is a public or private one, and test it for a user (outside an organization).
The documentation does mention:
Starter workflows created by users can only be used to create workflows in public repositories.
Organizations using GitHub Enterprise Cloud can also use starter workflows to create workflows in private repositories.
Your use-case seems to match the first scenario, since you are not using GitHub Enterprise Cloud.
Meaning a .github/workflow-templates would not work on github.com.
It would on a GitHub Enterprise Cloud instance.
I'm a contractor developing an app for a client and the code and exes are stored in a private github repository. They plan to sell the app through a WordPress-based store. I assumed or thought I read somewhere that files could be hosted on GitHub and in my tests it seemed to work – except it only worked because I was logged in to GitHub, with access to the private repo.
Is there some setting or "feature" on GitHub which will allow us to link to an exe (or zip) from another site or from a link in a "purchase confirmation" type email?
I've seen Hosting executable on github but it is quite old now and not really about private repos.
GitHub does allow you to host release assets as part of a release based on a tag, but these assets are controlled with the permissions of the repository. If the repository is public, then the release assets will also be public; if it is private, then they will also be private, with the same permissions of the repository.
If what you're trying to do is use GitHub with a custom access control system to allow only people who have purchased the software to download it, then that's not possible, and you'll need to set up your own server with the binaries. GitHub provides release assets so that folks can distribute binaries and other compiled stuff without needing to check them in, but it's not designed to be your CDN or web store.
Is it possible to change package visibility from private to public and vice versa?
In documentation there is a statement:
Private and public software packages: You can host packages privately or make them public. You can host packages privately and share them with your coworkers or organization, or make them public for the entire world.
But I can't find any setting in the repo or info in documentation on how to make the package public.
Use case I'm trying to achieve: Private repository with SDK source code and public (stable releases) / private (internal testing) packages.
We can just make a separate public repo with public releases, but it's a bit overhead and breaks the main idea of hosting code and packages in one place:
GitHub Package Registry is a software package hosting service, similar to npmjs.org, rubygems.org, or hub.docker.com, that allows you to host your packages and code in one place.
Will appreciate any help and information.
As you suspected there is no way to set the visibility on a package basis at the moment. It is based on the visibility of the repo.
From the launch notes:
Packages on GitHub inherit the visibility and permissions associated with the repository, and organizations no longer need to maintain a separate package registry and mirror permissions across systems.
There are restrictions in place, mostly oriented around public packages. Github doesn't want people to delete or make private, packages that are public as others may be dependent on them. So you can't delete a public package, even via the GraphQL API (private packages only may be deleted)
If the repo has been forked from a public repo, you can't change the repo to a private one (and thus make the package private). You would have to duplicate the repository and so it becomes a different repo.
So, try not to make mistakes when publishing :-)
There are organization level permissions for packages. When under organization, make sure to enable what you need.
Settings -> Packages -> Packages Permissions -> Package Creation
After that go back to organization home, Packages tab -> Click the package you want to change visibility -> Package Settings (See picture below)