Today, we’re excited to introduce GitHub Package Registry, a package management service that makes it easy to publish public or private packages next to your source code.
You can try GitHub Package Registry today in limited beta. It will always be free to use for open source—more pricing details will be announced soon.
Packages, together with your code
When you work on a project that has dependencies on packages, it’s important for you to trust them, understand their code, and connect with the community who built them. And inside organizations, you need to be able to quickly find what’s been approved for your use. GitHub Package Registry makes it easy to use the same familiar GitHub interface to find public packages anywhere on GitHub, or private packages within your organization or repositories.
GitHub Package Registry is compatible with common package management clients, so you can publish packages with your choice of tools. If your repository is more complex, you’ll be able to publish multiple packages of different types. And, with webhooks or with GitHub Actions, you can fully customize your publishing and post-publishing workflows.
Publishing an open source package? Most open source projects have their code on GitHub, so you can publish prerelease versions of your packages for testing within your community, and then easily promote specific versions to the public registry of your choice.
Unified identity and permissions
If you’re using different systems for your code and packages today, you have to maintain different sets of user credentials and permissions. Now you can use a single set of credentials across both, and manage access permissions with the same tools. Packages on GitHub inherit the visibility and permissions associated with the repository, and organizations no longer need to maintain a separate package registry and mirror permissions across systems.
Packages hosted on GitHub include details and download statistics, along with their entire history, so you know exactly what’s included. This makes it easy to find and use the right package as a dependency for your project, and increases your confidence that it only contains what’s advertised. With more insight into the packages you publish, you can understand exactly how other people and repositories are using them.
GitHub Package Registry is currently in limited public beta.
We hope you’re as excited as we are about this new release. Try it out—we can’t wait to see how you use it and learn how we can make it better.