Announcing changes to permissions for packages.
We are restricting the
refs REST API endpoint from accepting POSTs from users and apps that only have the permission to read and write packages. Previously, this endpoint accepted updates to both
If that ability is critical to your development flows you will now be required to add explicit contents permissions to create refs.
- Users will need to add the
public_reposcope to their PAT token.
- Apps will need to use the
read and writecontents permission.
- GitHub Actions customers will need to add
contents:writeto their workflow YAML.
permissions: contents: write
A small cohort of customers relying on this flow have been notified of these changes and will have additional time to remediate.
We appreciate your feedback in GitHub's public feedback discussions.