Announcing changes to permissions for packages.
We are restricting the refs
REST API endpoint from accepting POSTs from users and apps that only have the permission to read and write packages. Previously, this endpoint accepted updates to both tags
and branches.
If that ability is critical to your development flows you will now be required to add explicit contents permissions to create refs.
- Users will need to add the
public_repo
scope to their PAT token.
- Apps will need to use the
read and write
contents permission.
- GitHub Actions customers will need to add
contents:write
to their workflow YAML.permissions: contents: write
A small cohort of customers relying on this flow have been notified of these changes and will have additional time to remediate.
We appreciate your feedback in GitHub's public feedback discussions.