I have a private github repository and in that repository there are some collaborators. They can't create new packages but they can publish to existing packages created by me as I'm the creator of the repository.
Is there any way that my collaborators will be able to create new packages and publish.
I was facing the same "create_package" permission issue. I think external collaborators were able to publish new packages in the past. But this no longer works.
Here's the response from GitHub's support team: "In order to publish an org scoped package, the actor performing the publish should be a member of the organization."
So the short answer to your question seems to be "no", at least for scoped packages (which it was for my case)
I have created a demo organization in my personal github account and transferred the ownership of one of my pet-project repositories to that organization.
After that I have added one of my colleagues as a member in my newly created demo organization and tried publishing an npm-package.
Voilà it worked, we were able to successfully publish an npm-package after being a member of the organiztion.
Related
My organization has a paid version of GitHub. Hence, we have private repositories and we can publish GitHub packages.
Unfortunately, I do not know who published the package. It is only possible to know when it was published.
Context: this is especially relevant because traditionally packages were being published by a person and, now, I am creating continuous delivery via GitHub Actions so that packages will be automatically published after a certain file that holds the project version is changed.
Is there any way to find out on GitHub Packages who published the package?
There's no way to know that directly from the package itself - it only has the owner.
One way to do it will be to disable all current tokens that allow the publishing of the package and force everyone to go through the CI workflow.
So instead of publishing the API, they will be forced to trigger a certain workflow that does it for them through the "bot token".
That will allow you to see who triggered a workflow for a certain version.
I just signed up for GitLab, after learning about this cool feature where you can import your GitHub repositories and keep the two in sync. The import feature seems simple enough, but I paused when I got to the step where I authorize GitLab to my GitHub account. Why does it need so many permissions? Some make sense to me, others not so much. Specifically:
Personal user data
Full access
This application will be able to read and write all user data. This
includes the following:
Private email addresses
Private profile information
Followers
I understand why it needs to read and write to all public and private repository data. It's moving all that data to GitLab, and it needs to write to keep it in sync. What I don't understand is why it needs write permissions to my email and profile information?
I know that GitLab is a reputable company that didn't just pop up yesterday, but I am still wary when giving full access permissions to any service. If someone could help me understand, that would be appreciated.
You have two options when migrating a repository from GitHub to GitLab. You can migrate using only the url, in which case what you’ll have on GitLab is more similar to what you’d get if you simply added an additional remote in the repo - the full repo will be there, but everything specific to GitHub - the pull requests, comments, issues, etc, as well as all users tagged or participating - will be lost.
Alternatively, you can use the GitHub importer. This option fully migrates the GitHub repo to GitLab, setting up the GitLab equivalents of GitHub features (pull requests become merge requests, etc.). And part of this involves assigning users to each comment, mention, PR, etc.
From the gitlab docs:
When issues and pull requests are being imported, the importer attempts to find their GitHub authors and assignees in the database of the GitLab instance. Pull requests are called merge requests in GitLab.
For this association to succeed, each GitHub author and assignee in the repository must meet one of the following conditions prior to the import:
Have previously logged in to a GitLab account using the GitHub icon.
Have a GitHub account with a public-facing email address that matches their GitLab account’s email address.
GitLab content imports that use GitHub accounts require that the GitHub public-facing email address is populated. This means all comments and contributions are properly mapped to the same user in GitLab. GitHub Enterprise does not require this field to be populated so you may have to add it on existing accounts.
So yes, these are required if you want the full GitHub mirror or migration. If you just want the git repo contents, use the import from url tool, and the requirements will be much less extensive.
The project I'm working on currently deploys our private node packages via github packages. Our current workflow is for each developer to create and maintain their own personal access token, and then we use a central account's PAT for automation in AWS.
I was wondering if it's possible to authenticate with github packages without the use of Actions or PAT's?
As of 2022-07-30
No, it is not possible to use github packages without a personal access token (PAT):
It is not possible to upload without a PAT (which makes sense as it prevents random people to upload binaries to your package repo);
It is not possible to download without a PAT (not even publicly available packages can be used);
As early as 2019-10-20, people have requested github to remove PATs as a requirement for mainly downloading public packages.
The idea is that users of libraries should not need to have a github account to access a developer's package.
Sadly, the request for pat-less package downloads was not granted by Github to this day.
If you want a package registry without a hassle, it might be wise to look for other registries, such as MavenCentral or JitPack (not necessarily meant for node packages),
or host a service yourself.
I even had to link a cached webpage, as the original question has been removed from Github community along with a bunch of related questions.
Another question on github, stating pat-less access to packages is still on the roadmap for "fall 2021" is here.
I could not find what the current status of this feature is.
Edit: It is possible to download binaries without a PAT for public repositories using jitpack.io. Jitpack builds the given jar/aar on their servers.
You can add jitpack as a repository to your build system, and use the jitpack-specified URL to reference releases, branches, or specific commits.
Sadly, there is no way to refer to packages (yet).
However, this system allows your users to use your code without needing PATs nor a Github account.
I'd like to offer an alternative.
You may use a Gradle plugin of mine (magik, I was exactly in your shoes) to easier the consumption of artifacts from your Github Packages for Gradle clients.
It require you to save your read-only PAT on the repo itself, so that the users don't have to deal with any authentication (apart using the plugin above mentioned)
I followed the guide here https://docs.github.com/en/free-pro-team#latest/actions/learn-github-actions/sharing-workflows-with-your-organization.
I successfully created a GitHub Organization shared workflow and can access this shared workflow if I create a public repo under the organization or my account (I am a member of the organization).
However, if I create a private repo I do not see the shared workflow. I am using the free-tier for my membership account and organization, so I'm not sure if that is the issue. There was no documentation stating that was a requirement.
Only possible in GitHub Enterprise plan organizations:
to use templates to create workflows in private repositories, the organization must be part of an enterprise plan.
GitHub documentation
You can also create workflow templates in the .github repository and
share them with other users in your organization.
https://docs.github.com/en/actions/learn-github-actions/sharing-workflows-with-your-organization
You can also create workflow templates in the .github repository and
share them with other users in your organization.
We have the same enterprise app that we sell to multiple customers. The source for the app is hosted in a private Azure DevOps Repo. But we manage each customer's implementation using a separate project for each customer with it's own work items.
Currently we have no way of linking commits to the Source in the Repo project to work items in the implementation project.
We don't want to have the repo in each implementation since that would be redundant and challenging to keep in sync.
Is there a way to handle this inside DevOps?
Currently we have no way of linking commits to the Source in the Repo
project to work items in the implementation project.
For this issue, when you commit to the source in the Repo project, on the Commit page, you can choose to link to work items in other projects.
Or you can click Add link in the Development field of the work items in other projects.
Then on the Add link page, select the Commit link type, select your source repo, and select the commit you want to link.