docs/data/reusables/package_registry/authenticate-packages.md

You need an access token to publish, install, and delete private, internal, and public packages.

You can use a personal access token (PAT) to authenticate to {% data variables.product.prodname_registry %} or the {% ifversion fpt or ghec %}{% data variables.product.prodname_dotcom %}{% else %}{% data variables.product.product_name %}{% endif %} API. When you create a personal access token, you can assign the token different scopes depending on your needs. For more information about packages-related scopes for a PAT, see "About permissions for GitHub Packages."

To authenticate to a {% data variables.product.prodname_registry %} registry within a {% data variables.product.prodname_actions %} workflow, you can use:

• GITHUB_TOKEN to publish packages associated with the workflow repository.
• a PAT with at least packages:read scope to install packages associated with other private repositories (which GITHUB_TOKEN can't access).