diff --git a/assets/images/help/package-registry/package-access-control-options.png b/assets/images/help/package-registry/package-access-control-options.png
new file mode 100644
index 0000000000..a4704a54a1
Binary files /dev/null and b/assets/images/help/package-registry/package-access-control-options.png differ
diff --git a/assets/images/help/package-registry/repository-permission-options-for-package-access-through-actions.png b/assets/images/help/package-registry/repository-permission-options-for-package-access-through-actions.png
deleted file mode 100644
index db895a4029..0000000000
Binary files a/assets/images/help/package-registry/repository-permission-options-for-package-access-through-actions.png and /dev/null differ
diff --git a/content/packages/learn-github-packages/about-permissions-for-github-packages.md b/content/packages/learn-github-packages/about-permissions-for-github-packages.md
index 8ffb5dbf97..b3338eedce 100644
--- a/content/packages/learn-github-packages/about-permissions-for-github-packages.md
+++ b/content/packages/learn-github-packages/about-permissions-for-github-packages.md
@@ -70,7 +70,9 @@ For example:
| `delete:packages` | {% ifversion fpt or ghes or ghec %} Delete packages from {% data variables.product.prodname_registry %} {% elsif ghae %} Delete specified versions of packages from {% data variables.product.prodname_registry %} {% endif %} | admin |
| `repo` | Upload and delete packages (along with `write:packages`, or `delete:packages`) | write or admin |
-When you create a {% data variables.product.prodname_actions %} workflow, you can use the `GITHUB_TOKEN` to publish and install packages in {% data variables.product.prodname_registry %} without needing to store and manage a {% data variables.product.pat_generic %}.
+{% data reusables.package_registry.delete-with-github-token-using-api-beta %}
+
+When you create a {% data variables.product.prodname_actions %} workflow, you can use the `GITHUB_TOKEN` to publish{% ifversion packages-delete-with-github-token-api %}, install, delete, and restore{% else %} and install{% endif %} packages in {% data variables.product.prodname_registry %} without needing to store and manage a {% data variables.product.pat_generic %}.
For more information, see:{% ifversion fpt or ghec %}
- "[Configuring a package’s access control and visibility](/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility)"{% endif %}
@@ -93,9 +95,11 @@ To ensure your workflows will maintain access to your packages, ensure that you'
For more conceptual background on {% data variables.product.prodname_actions %} or examples of using packages in workflows, see "[Managing GitHub Packages using GitHub Actions workflows](/packages/managing-github-packages-using-github-actions-workflows)."
-### Access tokens
+### Access tokens
-- To publish packages associated with the workflow repository, use `GITHUB_TOKEN`.
+{% data reusables.package_registry.delete-with-github-token-using-api-beta %}
+
+- To publish{% ifversion packages-delete-with-github-token-api %}, install, delete, and restore{% else %} and install{% endif %} packages associated with the workflow repository, use `GITHUB_TOKEN`.
- To install packages associated with other private repositories that `GITHUB_TOKEN` can't access, use a {% data variables.product.pat_v1 %}
For more information about `GITHUB_TOKEN` used in {% data variables.product.prodname_actions %} workflows, see "[Authentication in a workflow](/actions/reference/authentication-in-a-workflow#using-the-github_token-in-a-workflow)."
diff --git a/content/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility.md b/content/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility.md
index e6a18a925f..1994b0d612 100644
--- a/content/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility.md
+++ b/content/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility.md
@@ -37,7 +37,7 @@ If your package is private or internal and owned by an organization, then you ca
1. On the package settings page, click **Invite teams or people** and enter the name, username, or email of the person you want to give access. Teams cannot be given access to a container image owned by a personal account.
1. Next to the username or team name, use the "Role" drop-down menu to select a desired permission level.
- 
+ {% ifversion packages-delete-with-github-token-api %}{% else %}{% endif %}
The selected users will automatically be given access and don't need to accept an invitation first.
@@ -52,7 +52,7 @@ If your package is private or internal and owned by an organization, then you ca
1. On the package settings page, click **Invite teams or people** and enter the name, username, or email of the person you want to give access. You can also enter a team name from the organization to give all team members access.
1. Next to the username or team name, use the "Role" drop-down menu to select a desired permission level.
- 
+ {% ifversion packages-delete-with-github-token-api %}{% else %}{% endif %}
The selected users or teams will automatically be given access and don't need to accept an invitation first.
@@ -81,7 +81,7 @@ The specified repository does not need to be the repository where the source cod
{% endnote %}
-### {% data variables.product.prodname_actions %} access for user-account-owned container images
+### {% data variables.product.prodname_actions %} access for user-account-owned container images
{% data reusables.package_registry.package-settings-option %}
1. In the left sidebar, click **Actions access**.
@@ -89,11 +89,11 @@ The specified repository does not need to be the repository where the source cod
2. To ensure your workflow has access to your container package, you must add the repository where the workflow is stored. Click **Add repository** and search for the repository you want to add.
3. Using the "role" drop-down menu, select the default access level that you'd like the repository to have to your container image.
- 
+ {% ifversion packages-delete-with-github-token-api %}{% else %}{% endif %}
To further customize access to your container image, see "[Configuring access to container images for your personal account](#configuring-access-to-container-images-for-your-personal-account)."
-### {% data variables.product.prodname_actions %} access for organization-owned container images
+### {% data variables.product.prodname_actions %} access for organization-owned container images
{% data reusables.package_registry.package-settings-from-org-level %}
{% data reusables.package_registry.package-settings-option %}
@@ -102,7 +102,7 @@ To further customize access to your container image, see "[Configuring access to
2. Click **Add repository** and search for the repository you want to add.
3. Using the "role" drop-down menu, select the default access level that you'd like repository members to have to your container image. Outside collaborators will not be included.
- 
+ {% ifversion packages-delete-with-github-token-api %}{% else %}{% endif %}
To further customize access to your container image, see "[Configuring access to container images for an organization](#configuring-access-to-container-images-for-an-organization)."
@@ -120,7 +120,7 @@ Once you've selected the package you're interested in sharing with codespaces in
1. In the right sidebar, click **Package settings**.
-
+
2. Under "Manage Codespaces access", click **Add repository**.
@@ -128,7 +128,7 @@ Once you've selected the package you're interested in sharing with codespaces in
3. Search for the repository you want to add.
-
+
4. Repeat for any additional repositories you would like to allow access.
5. If the codespaces for a repository no longer need access to an image, you can remove access.
diff --git a/content/packages/learn-github-packages/deleting-and-restoring-a-package.md b/content/packages/learn-github-packages/deleting-and-restoring-a-package.md
index 4c3c7cae8a..a9c6792cff 100644
--- a/content/packages/learn-github-packages/deleting-and-restoring-a-package.md
+++ b/content/packages/learn-github-packages/deleting-and-restoring-a-package.md
@@ -45,6 +45,12 @@ On {% data variables.product.prodname_dotcom %}, you can also restore an entire
You can use the REST API to manage your packages. For more information, see the "[{% data variables.product.prodname_registry %} API](/rest/reference/packages)."
+{% data reusables.package_registry.delete-with-github-token-using-api-beta %}
+
+{% ifversion packages-delete-with-github-token-api %}
+With registries that support granular permissions, you can use a `GITHUB_TOKEN` in a {% data variables.product.prodname_actions %} workflow to delete or restore packages using the REST API. The token must have `admin` permission to the package. If your workflow publishes a package, the `admin` role is granted by default to the repository where the workflow is stored. For existing packages not published by a workflow, you need to grant the repository the `admin` role to be able to use a {% data variables.product.prodname_actions %} workflow to delete or restore packages using the REST API. For more information, see "[Ensuring workflow access to your package](/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package)."
+{% endif %}
+
{% endif %}
{% data reusables.package_registry.about-graphql-support %}
diff --git a/content/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions.md b/content/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions.md
index 7c5d2ef1f4..a5b1d2a19b 100644
--- a/content/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions.md
+++ b/content/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions.md
@@ -74,7 +74,7 @@ These are more examples of how default permissions work for workflows that manag
|----|----|
| Download an existing container | - If the container is public, any workflow running in any repository can download the container.
- If the container is internal, then all workflows running in any repository owned by the Enterprise account can download the container. For enterprise-owned organizations, you can read any repository in the enterprise
- If the container is private, only workflows running in repositories that are given read permission on that container can download the container.
| Upload a new version to an existing container | - If the container is private, internal, or public, only workflows running in repositories that are given write permission on that container can upload new versions to the container.
-| Delete a container or versions of a container | - If the container is private, internal, or public, only workflows running in repositories that are given delete permission can delete existing versions of the container.
+| Delete a container or versions of a container | - If the container is private, internal, or public, only workflows running in repositories that are given admin permission can delete existing versions of the container.
You can also adjust access to containers in a more granular way or adjust some of the default permissions behavior. For more information, see "[Configuring a package’s access control and visibility](/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility)."
@@ -147,7 +147,7 @@ jobs:
build-and-push-image:
runs-on: ubuntu-latest
needs: run-npm-test {% ifversion ghes or ghae %}
- permissions:
+ permissions:
contents: read
packages: write {% endif %}
steps:
@@ -300,16 +300,16 @@ build-and-push-image:
{% raw %}
```yaml
-permissions:
+permissions:
contents: read
- packages: write
+ packages: write
```
{% endraw %}
|
Sets the permissions granted to the GITHUB_TOKEN for the actions in this job.
|
-
+
{% ifversion fpt or ghec %}
@@ -508,7 +508,7 @@ Using the `GITHUB_TOKEN`, instead of a {% data variables.product.pat_v1 %} with
{% endnote %}
1. Optionally, using the "role" drop-down menu, select the default access level that you'd like the repository to have to your container image.
- 
+ {% ifversion packages-delete-with-github-token-api %}{% else %}{% endif %}
1. Open your workflow file. On the line where you log in to the registry, replace your {% data variables.product.pat_generic %} with {% raw %}`${{ secrets.GITHUB_TOKEN }}`{% endraw %}.
For example, this workflow publishes a Docker image to the {% data variables.product.prodname_container_registry %} and uses {% raw %}`${{ secrets.GITHUB_TOKEN }}`{% endraw %} to authenticate.
@@ -516,7 +516,7 @@ For example, this workflow publishes a Docker image to the {% data variables.pro
```yaml{:copy}
name: Demo Push
-on:
+on:
push:
# Publish `master` as Docker `latest` image.
branches:
diff --git a/data/features/packages-delete-with-github-token-api.yml b/data/features/packages-delete-with-github-token-api.yml
new file mode 100644
index 0000000000..ead93b723d
--- /dev/null
+++ b/data/features/packages-delete-with-github-token-api.yml
@@ -0,0 +1,5 @@
+# Issue 8950
+# Support delete/restore fo GHPR Packages with REST API using GITHUB_TOKEN
+versions:
+ fpt: '*'
+ ghec: '*'
diff --git a/data/reusables/package_registry/authenticate_with_pat_for_v2_registry.md b/data/reusables/package_registry/authenticate_with_pat_for_v2_registry.md
index 8c740afb38..66461c70e9 100644
--- a/data/reusables/package_registry/authenticate_with_pat_for_v2_registry.md
+++ b/data/reusables/package_registry/authenticate_with_pat_for_v2_registry.md
@@ -1,3 +1,9 @@
-For registries that support granular permissions, if your workflow is using a {% data variables.product.pat_generic %} to authenticate to a registry, we highly recommend you update your workflow to use the `GITHUB_TOKEN`. For guidance on updating your workflows that authenticate to a registry with a {% data variables.product.pat_generic %}, see "[Upgrading a workflow that accesses a registry using a {% data variables.product.pat_generic %}](/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#upgrading-a-workflow-that-accesses-a-registry-using-a-personal-access-token)."
+For registries that support granular permissions, if your {% data variables.product.prodname_actions %} workflow is using a {% data variables.product.pat_generic %} to authenticate to a registry, we highly recommend you update your workflow to use the `GITHUB_TOKEN`. For guidance on updating your workflows that authenticate to a registry with a {% data variables.product.pat_generic %}, see "[Upgrading a workflow that accesses a registry using a {% data variables.product.pat_generic %}](/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#upgrading-a-workflow-that-accesses-a-registry-using-a-personal-access-token)."
+
+{% data reusables.package_registry.delete-with-github-token-using-api-beta %}
+
+{% ifversion packages-delete-with-github-token-api %}
+You can use a `GITHUB_TOKEN` in a {% data variables.product.prodname_actions %} workflow to delete or restore a packages using the REST API, if the token has `admin` permission to the package. Repositories that publish packages using a workflow, and repositories that you have explicitly connected to packages, are automatically granted `admin` permission to packages in the repository.
+{% endif %}
For more information about the `GITHUB_TOKEN`, see "[Authentication in a workflow](/actions/reference/authentication-in-a-workflow#using-the-github_token-in-a-workflow)." For more information about the best practices when using a registry in actions, see "[Security hardening for GitHub Actions](/actions/getting-started-with-github-actions/security-hardening-for-github-actions#considering-cross-repository-access)."
diff --git a/data/reusables/package_registry/delete-with-github-token-using-api-beta.md b/data/reusables/package_registry/delete-with-github-token-using-api-beta.md
new file mode 100644
index 0000000000..36e0b89d29
--- /dev/null
+++ b/data/reusables/package_registry/delete-with-github-token-using-api-beta.md
@@ -0,0 +1,9 @@
+{% ifversion packages-delete-with-github-token-api %}
+
+{% note %}
+
+**Note:** The ability for {% data variables.product.prodname_actions %} workflows to delete and restore packages using the REST API is currently in public beta and subject to change.
+
+{% endnote %}
+
+{% endif %}
diff --git a/data/reusables/package_registry/visibility-and-access-permissions.md b/data/reusables/package_registry/visibility-and-access-permissions.md
index 67a368745b..8ecd25c453 100644
--- a/data/reusables/package_registry/visibility-and-access-permissions.md
+++ b/data/reusables/package_registry/visibility-and-access-permissions.md
@@ -4,8 +4,14 @@ As an admin, you can also grant access permissions for a container image that ar
For container images published and owned by a personal account, you can give any person an access role. For container images published and owned by an organization, you can give any person or team in the organization an access role.
+{% ifversion packages-delete-with-github-token-api %}
+If you are using a {% data variables.product.prodname_actions %} workflow to manage your container images, you can grant an access role to the repository the workflow is stored in by using the **Actions access** option in the package's settings. For more information, see "[Ensuring workflow access to your package](/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package)."
+{% endif %}
+
| Permission | Access description |
|------------|--------------------|
| Read | Can download package.
Can read package metadata. |
| Write | Can upload and download this package.
Can read and write package metadata. |
-| Admin | Can upload, download, delete, and manage this package.
Can read and write package metadata.
Can grant package permissions.
+| Admin | Can upload, download{% ifversion packages-delete-with-github-token-api %}{% else %}, delete{% endif %}, and manage this package.
Can read and write package metadata.
Can {% ifversion packages-delete-with-github-token-api %}delete and restore packages{% else %}grant package permissions{% endif %}.
+
+{% data reusables.package_registry.delete-with-github-token-using-api-beta %}