actions / setup-dotnet

Set up your GitHub Actions workflow with a specific version of the .NET core sdk
MIT License

Unauthorised when using `secrets.GITHUB_TOKEN`. Packages not pushed to Github Repository Packages when using PAT. #521

Closed mdmoura closed 2 months ago

mdmoura commented 5 months ago

Description:

When pushing packages to GitHub Packages using GitHub Actions I get two behaviours:

  1. When using a Personal Access Token (PAT) in dotnet push the package is pushed to the GitHub account. However it does not show on the Repository Packages ... Only in the GitHub Account packages tab.

  2. When using secrets.GITHUB_TOKEN in dotnet push I get an unauthorised error. I tried a few code variations based on research I did on various issues but the error persists.

Note: I don't have a nuget.config in the project's root or anywhere else.

Task version: 8.0.4

Platform:

Runner type:

Repro steps:

name: XYZ.Core

env:
  dotnet_version: '8.x' 
  gitversion_version: '6.x'
  packages_source: https://nuget.pkg.github.com/username/index.json
  packages_personal_access_token: ${{ secrets.PACKAGES_PERSONAL_ACCESS_TOKEN }}
  environment: production

on:
  push:
    branches: [ main ]

permissions: write-all

jobs:

  setup:

    runs-on: ubuntu-latest

    outputs:
      version: ${{ steps.versioning.outputs.semVer }}

    name: setup

    steps: 

      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Dotnet
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.dotnet_version }}

      - name: GitVersion
        uses: gittools/actions/gitversion/setup@v1
        with:
          versionSpec: ${{ env.gitversion_version }}
          includePrerelease: true

      - name: Versioning
        uses: gittools/actions/gitversion/execute@v1
        id: versioning
        with:
          useConfigFile: true
          configFilePath: gitversion.yml

  build:

    runs-on: ubuntu-latest
    needs: [ setup ]

    strategy:
      matrix:
        project: ['XYZ.Core', 'XYZ.Core.Web']

    name: build ${{ matrix.project }}

    steps:

      - name: Checkout
        uses: actions/checkout@v4

      - name: Build
        run:  dotnet build src/${{ matrix.project }} --configuration ${{ env.environment }} -p:Version=${{ needs.setup.outputs.version }}

  test:

    runs-on: ubuntu-latest
    needs: [ setup, build ]

    strategy:
      matrix:
        project: ['XYZ.Core', 'XYZ.Core.Web']

    name: test ${{ matrix.project }}

    steps:

      - name: Checkout
        uses: actions/checkout@v4

      - name: Test
        run: dotnet test test/${{ matrix.project }}.Test --configuration ${{ env.environment }} -p:Version=${{ needs.setup.outputs.version }}

  pack:

    runs-on: ubuntu-latest
    needs: [ setup, build, test ]

    strategy:
      matrix:
        project: ['XYZ.Core', 'XYZ.Core.Web']

    name: pack ${{ matrix.project }}

    steps:

      - name: Checkout
        uses: actions/checkout@v4

      - name: Pack
        run: 
          dotnet pack src/${{ matrix.project }} --configuration ${{ env.environment }} --output ${{ github.workspace }} -p:PackageVersion=${{ needs.setup.outputs.version }}

      - name: Upload
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.project }}
          path: ${{ github.workspace }}/${{ matrix.project }}*.nupkg
          if-no-files-found: error
          retention-days: 2

  deploy:

    runs-on: ubuntu-latest
    needs: [ setup, build, test, pack ]

    strategy:
      matrix:
        project: ['XYZ.Core', 'XYZ.Core.Web']

    name: deploy ${{ matrix.project }}

    steps:

      - name: Download
        uses: actions/download-artifact@v4
        with:
          name: ${{ matrix.project }}
          path: ${{ github.workspace }}

      - name: Publish
        # run: dotnet nuget push ${{ github.workspace }}/${{ matrix.project }}.${{ needs.setup.outputs.version }}.nupkg --source ${{ env.packages_source }} --api-key ${{ env.packages_personal_access_token }} --skip-duplicate --no-symbols

Expected behavior:

The packages should be pushed to the repository packages. If possible using secrets.GITHUB_TOKEN instead of a Personal Access Token.

Actual behavior:

  1. When using a Personal Access Token (PAT) in dotnet push the package is pushed to the GitHub account. However it does not show on the Repository Packages ... Only in the GitHub Account packages tab.

  2. When using secrets.GITHUB_TOKEN in dotnet push I get an unauthorised error:

Your request could not be authenticated by the GitHub Packages service. 
Please ensure your access token is valid and has the appropriate scopes configured.
Forbidden https://nuget.pkg.github.com/username/ 93ms
error: Response status code does not indicate success: 403 (Forbidden).

I tried a few code variations based on research I did on various issues but the error persists.

Version 1

  run: dotnet nuget push ${{ github.workspace }}/${{ matrix.project }}.${{ needs.setup.outputs.version }}.nupkg --source ${{ env.packages_source }} --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate --no-symbols

Version 2

  run: |
    dotnet nuget add source ${{ env.packages_source }} --name github --username mdmoura --password ${{ secrets.GITHUB_TOKEN }} --store-password-in-clear-text
    dotnet nuget push ${{ github.workspace }}/${{ matrix.project }}.${{ needs.setup.outputs.version }}.nupkg --source github --skip-duplicate --no-symbols

HarithaVattikuti commented 5 months ago

Hello @mdmoura Thank you for creating this issue. We will investigate it and get back to you as soon as we have some feedback.

priya-kinthali commented 4 months ago

Hello @mdmoura 👋, Thank you for the detailed description and reproduction steps:) I've attempted to replicate the behaviour you've detailed using both a Personal Access Token (PAT) and secrets.GITHUB_TOKEN. In both instances, I was able to successfully publish the package.

The packages are also visible in the repository packages section.

Please review the GitHub documentation on Viewing and managing your packages and also ensure your tokens have the requisite permissions for push operations, including account-specific permissions.

If the issue remains unresolved, kindly provide a minimal reproduction repository link for further investigation. Thanks:)

priya-kinthali commented 3 months ago

Hello @mdmoura 👋, Just checking in to see if you had a chance to review the documentation and verify your token permissions as per my previous comment. If you're still experiencing issues, please share a minimal reproduction repository link which would be really helpful for further investigation. Your response is greatly appreciated. Thank you!

mdmoura commented 3 months ago

> Hello @mdmoura 👋, Just checking in to see if you had a chance to review the documentation and verify your token permissions as per my previous comment. If you're still experiencing issues, please share a minimal reproduction repository link which would be really helpful for further investigation. Your response is greatly appreciated. Thank you!

@priya-kinthali Sorry for the delay of my answer! Didn't have time yet to check but I will do it by the end of next week and post here. Thank you.

priya-kinthali commented 3 months ago

Hello @mdmoura! Just giving you a gentle ping to see if there are any updates on your end regarding this issue? Thank you!

priya-kinthali commented 3 months ago

Hello @mdmoura, Just a gentle reminder!

priya-kinthali commented 2 months ago

Hello @mdmoura, Due to inactivity, I'm going to close this issue for now. Please feel free to reopen this issue or create a new one if necessary. Thank you!

mdmoura commented 2 months ago

@priya-kinthali Really sorry for the delayed answer but I was working on a project and couldn't find the time.

So I got back to this yesterday and after a while I found out what was happening ...

In the beginning the workflow might have had a few errors related to token and dotnet commands. But after some fixes the problem was not with the Token configuration but with versioning.

So the workflow was trying to create a package with a version that already existed. But the error provided by GitHub Actions is misleading:

Pushing MyPackage.8.0.0.nupkg to 'https://nuget.pkg.github.com/xyx'...
  PUT https://nuget.pkg.github.com/xyz/
warn : Your request could not be authenticated by the GitHub Packages service. Please ensure your access token is valid and has the appropriate scopes configured.
 Forbidden https://nuget.pkg.github.com/xyz/ 135ms
error: Response status code does not indicate success: 403 (Forbidden).

It would be nice if GitHub would provide more information in the error message.

priya-kinthali commented 2 months ago

Hello @mdmoura 👋, Thank you for the update:) Please note that the warning message is related to GitHub Packages and not specifically to the actions/setup-dotnet repository.
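
Editor's added example (not posted by any participant in this thread, and not code from actions/setup-dotnet): a least-privilege variant of the `deploy` job from the workflow in the issue, replacing `permissions: write-all` with a scoped `GITHUB_TOKEN` and passing the token through the environment instead of interpolating it into the command line. It assumes the package feed belongs to the repository owner, so `github.repository_owner` stands in for `username`; the `PACKAGES_SOURCE`, `PACKAGES_TOKEN` and `PACKAGE` variable names are made up for this example.

```yaml
# Added example, not from the thread: least-privilege variant of the deploy job.
# Job, matrix and step names are reused from the workflow posted in the issue.

permissions:
  contents: read        # workflow default, replaces 'permissions: write-all'

jobs:
  deploy:
    runs-on: ubuntu-latest
    needs: [ setup, build, test, pack ]

    permissions:
      packages: write   # the only GITHUB_TOKEN scope this job uses

    strategy:
      matrix:
        project: ['XYZ.Core', 'XYZ.Core.Web']

    name: deploy ${{ matrix.project }}

    steps:

      - name: Download
        uses: actions/download-artifact@v4
        with:
          name: ${{ matrix.project }}
          path: ${{ github.workspace }}

      - name: Publish
        env:
          # Expressions are expanded into environment variables here, so the
          # token and the computed version never become part of the script text.
          # Assumption: the feed owner is the repository owner.
          PACKAGES_SOURCE: https://nuget.pkg.github.com/${{ github.repository_owner }}/index.json
          PACKAGES_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PACKAGE: ${{ github.workspace }}/${{ matrix.project }}.${{ needs.setup.outputs.version }}.nupkg
        run: |
          # Log the exact file first: per the thread, a 403 on push can also
          # mean this version already exists in the feed.
          echo "Pushing $PACKAGE to $PACKAGES_SOURCE"
          dotnet nuget push "$PACKAGE" --source "$PACKAGES_SOURCE" --api-key "$PACKAGES_TOKEN" --skip-duplicate --no-symbols
```

Because the job-level `permissions` block overrides the workflow default, the token handed to this job can write packages and nothing else; the other jobs keep the read-only default.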