Inherit repo permissions by default?

[watson13j]

Is there a way we can set "Inherit access from source repository" by default either organization-wide or as a flag on the creation of a new package? This setting is buried and appears to be unchecked by default even though it's labeled "Recommended".

It also seems to be a recent change, as the dozens of NPM packages in my org are just now starting to run into permissions problems because inheritance isn't enabled. The only remedy appears to have an organization admin manually search for and mark individual packages for inheritance, which is tedious and error-prone.

[wyardley]

Agree!
I don't think it was this way always, because don't recall having this issue when I'd previously used GH packages. Spent a good hour tearing my hair out over this until I found that buried setting.
At least being able to set that default at the org level would be ideal IMO

Further, it's very unexpected (to me) that this even applies to someone with admin permissions on the repo (as an owner, I think I can still see the package regardless), and it even applies to being able to see the package's existence via the web UI.

[giltayar]

This is a very recent change, and applies only to packages created after some date. This is VERY frustrating, as there seems no way to change the default, or to programmatically turn it on.

[Hobart2967]

The organization owner can still turn it on. In our case, our help desk is at least able to :) if it's not the organization owner, it's definitely the user that was used to deploy the package.

[Hobart2967]

+1

[sanjeevh93]

It also seems to be a recent change, as the dozens of NPM packages in my org are just now starting to run into permissions problems because inheritance isn't enabled. The only remedy appears to have an organization admin manually search for and mark individual packages for inheritance, which is tedious and error-prone.

@watson13j
Are these packages newly created or existing old ones?

[Hobart2967]

For us, it's newly created ones. https://github.com/orgs/community/discussions/33237

To us, it does not make any sense at all, that repo admins should not be able to access the packages initially. To us, this sounds like a major bug in system design.

[giltayar]

@sanjeevh93 only newly created packages.

[bogedal]

https://github.com/orgs/{{org}}/packages/npm/{{repo}}/settings/change_active_sync_perms is the url used by github.com when changing this setting, but so far haven't found an equivalent operation in the cli, rest api or graphql :/

[Hobart2967]

That is nice to know. Do you know the access requirements? Maybe that's worth creating a cli npm package. This could be useful executing in the CI after publishing :)

Would go for a try this afternoon. I am also working on some cli for managing GitHub packages ( moving them from repo a to b and so on)

[bogedal]

Any success? :-)

[Hobart2967]

Kinda. GitHub replied to us that they plan to re-change this in the next rollouts. Inhertiting permissions from the repository should be re-enabled by default then. But I guess, it will take some time, as they rollout in bunches and we are supposed to be one of the first to test this. Though, as of today, it's not the case yet (just tested)

[adrian-gierakowski]

do you have any updates regarding this? It's still not working for me

[ashleynexvelsolutions]

Any updates on this?

[cosst]

We just had a newly created package that by default inherited permissions and was truly public ... so perhaps they've resolved/changed the default behavior? 🤞

[ArveSystad]

I just came across this now after having being annoyed by it many times in the past, but hey, I just found a new setting in the Packages settings under organization settings: Default package settings, inherit access from source repository. Woho! Pretty sure that's somewhat recent, because I've been looking for that many times. 🚀

[ElectroluxV2]

For anyone interested in automating this checkbox:

#!/usr/bin/env bash

# REQUIREMENTS:
# - GitHub classic token with `read:packages`, `write:packages`, `delete:packages` scopes, MUST NOT BE GRAINED!
# - GitHub.com cookies from browser
# - gh (GitHub CLI) installed
# - jq installed
# - curl installed
# - perl installed

# How to extract cookies from browser:
# 1. Open GitHub.com in your browser
# 2. Open Developer Tools (F12)
# 3. Go to the "Network" tab
# 4. Refresh the page (F5)
# 5. Filter by "DOC" requests
# 6. Right click on the first request
# 7. Choose "Copy as cURL"
# 8. Paste the cURL command in a text editor
# 9. Extract the `-b` option value as `COOKIES` variable value

# Run this script with:
# GITHUB_TOKEN="<your classic PAT>" COOKIES="<your cookies>" ./.sh

org="some-org"

package_names=$(gh api --paginate \
  -H "Accept: application/vnd.github+json" \
  -H "X-GitHub-Api-Version: 2022-11-28" \
  "/orgs/$org/packages?package_type=container" | jq --raw-output '
    map(.name | @uri) |
    join(" ")
  ')

for current_package_name in $package_names; do
    echo "Current package: $current_package_name"

    # This is not public API we have to extract CSRF token before each request
    get_csrf_token() {
      # Edit regex online: https://regex101.com/r/jR6rpU/1
      csrf_token=$(curl "https://github.com/orgs/$org/packages/container/$1/settings" \
        -H 'accept: text/html' \
        -b "$COOKIES" | perl -nE 'print "$1\n" if /<form[^>]*action="[^"]*change_active_sync_perms[^"]*"[^>]*>.*?<input[^>]*name="authenticity_token"[^>]*value="([^"]*)"[^>]*>/s')

      echo "$csrf_token"
    }


    csrf_token=$(get_csrf_token "$current_package_name")
    echo "CSRF token for $current_package_name is $csrf_token, setting sync permissions to false"

    curl "https://github.com/orgs/$org/packages/container/$current_package_name/settings/change_active_sync_perms" \
      -H 'content-type: application/x-www-form-urlencoded' \
      -b "$COOKIES" \
      --data-raw "_method=put&authenticity_token=$csrf_token"

    echo "Sync permissions for $current_package_name set to false, setting to true"

    curl "https://github.com/orgs/$org/packages/container/$current_package_name/settings/change_active_sync_perms" \
      -H 'content-type: application/x-www-form-urlencoded' \
      -b "$COOKIES" \
      --data-raw "_method=put&authenticity_token=$csrf_token&active_sync_perms=true"

    echo "Sync permissions for $current_package_name set to true, done"
done

[reecuepatt-dot]

Godsfavoritelosangeles@gmail