Changes to token permission on packages

Announcing changes to permissions for packages.

We are restricting the refs REST API endpoint from accepting POSTs from users and apps that only have the permission to read and write packages. Previously, this endpoint accepted updates to both tags and branches.

If that ability is critical to your development flows you will now be required to add explicit contents permissions to create refs.

• Users will need to add the public_repo scope to their PAT token.
  
• Apps will need to use the read and write contents permission.
  
• GitHub Actions customers will need to add contents:write to their workflow YAML.

  permissions:
       contents: write

A small cohort of customers relying on this flow have been notified of these changes and will have additional time to remediate.

We appreciate your feedback in GitHub's public feedback discussions.