Needs and benefits
Currently, packages are scoped to user or organization and inherit all permissions and visibility from them. As such, currently:
- All packages within public organization are visible, even if they are attached to private repository
- Every member of organization that is in a team with Write access to Packages unit can overwrite any package in organization, even if said package is attached to repository that they do not have access to.
Feature Description
I propose that we take some liberal inspiration from GitHub implementation of permissions for packages. Specifically, for team permissions (organization-specific) we would do the following:
- Allow organization admins to change visibility of each package, with new packages defaulting to visibility of organization.
- When package is linked to repository, automatically inherit visibility of repository as new default for this package (unless manually changed beforehand as above).
- When package is linked to repository, only allow pushes from organization members within a team that have Write permission to "Packages" unit AND access to linked repository.
- When package is linked to repository which has private visibility, only allow pulls from organization members within a team that have Read permission to "Packages" unit AND access to linked repository.
- Allow teams to be configured on whether their members can push NEW packages to organization. This would work similarly to "Create repositories" option we already have there.
Following should be done on Actions side:
- Allow organization admins/users to configure whether to grant Action tokens permission to push new packages to organization/user that is owner of repository under which Action is running.
- Allow repository admin to configure whether to grant Action token full Write permissions to all packages that are linked to repository under which Action is running, regardless of package visibility configuration.
Screenshots
No response
### Needs and benefits
Currently, packages are scoped to user or organization and inherit all permissions and visibility from them. As such, currently:
- All packages within public organization are visible, even if they are attached to private repository
- Every member of organization that is in a team with Write access to Packages unit can overwrite any package in organization, even if said package is attached to repository that they do not have access to.
### Feature Description
I propose that we take some liberal inspiration from GitHub implementation of permissions for packages. Specifically, for team permissions (organization-specific) we would do the following:
- Allow organization admins to change visibility of each package, with new packages defaulting to visibility of organization.
- When package is linked to repository, automatically inherit visibility of repository as new default for this package (unless manually changed beforehand as above).
- When package is linked to repository, only allow pushes from organization members within a team that have Write permission to "Packages" unit AND access to linked repository.
- When package is linked to repository which has private visibility, only allow pulls from organization members within a team that have Read permission to "Packages" unit AND access to linked repository.
- Allow teams to be configured on whether their members can push NEW packages to organization. This would work similarly to "Create repositories" option we already have there.
Following should be done on Actions side:
- Allow organization admins/users to configure whether to grant Action tokens permission to push new packages to organization/user that is owner of repository under which Action is running.
- Allow repository admin to configure whether to grant Action token full Write permissions to all packages that are linked to repository under which Action is running, regardless of package visibility configuration.
### Screenshots
_No response_