Home > Enterprise >  How to identify who published a package to GitHub package registry?
How to identify who published a package to GitHub package registry?

Time:11-19

My organization has a paid version of GitHub. Hence, we have private repositories and we can publish GitHub packages.

Unfortunately, I do not know who published the package. It is only possible to know when it was published.

Context: this is especially relevant because traditionally packages were being published by a person and, now, I am creating continuous delivery via GitHub Actions so that packages will be automatically published after a certain file that holds the project version is changed.

Is there any way to find out on GitHub Packages who published the package?

CodePudding user response:

There's no way to know that directly from the package itself - it only has the owner.

One way to do it will be to disable all current tokens that allow the publishing of the package and force everyone to go through the CI workflow. So instead of publishing the API, they will be forced to trigger a certain workflow that does it for them through the "bot token".

That will allow you to see who triggered a workflow for a certain version.

  • Related