Unauthorised when using secrets.GITHUB_TOKEN. Packages not pushed to Github Repository Packages when using PAT.

[mdmoura]

Description:

When pushing packages to GitHub Packages using Github Actions I get two behaviours:

1. When using a Personal Access Token (PAT) in dotnet push the package is pushed to the Github account.
   However it does not show on the Repository Packages ... Only in the Github Account packages tab.

2. When using secrets.GITHUB_TOKEN in dotnet push I get an unauthorised error.
   I tried a few code variations based on research I did on various issues but the error persists.

Note: I don't have a nuget.config inn the project's root or anywhere else.

Task version:
8.0.4

Platform:

• Ubuntu
• macOS
• Windows

Runner type:

• Hosted
• Self-hosted

Repro steps:

name: XYZ.Core

env:
  dotnet_version: '8.x' 
  gitversion_version: '6.x'
  packages_source: https://nuget.pkg.github.com/username/index.json
  packages_personal_access_token: ${{ secrets.PACKAGES_PERSONAL_ACCESS_TOKEN }}
  environment: production

on:
  push:
    branches: [ main ]

permissions: write-all
 
jobs:

  setup:

    runs-on: ubuntu-latest

    outputs:
      version: ${{ steps.versioning.outputs.semVer }}

    name: setup

    steps: 

      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Dotnet
        uses: actions/setup-dotnet@v4
        with:
          dotnet-version: ${{ env.dotnet_version }}
 
      - name: GitVersion
        uses: gittools/actions/gitversion/setup@v1
        with:
          versionSpec: ${{ env.gitversion_version }}
          includePrerelease: true

      - name: Versioning
        uses: gittools/actions/gitversion/execute@v1
        id: versioning
        with:
          useConfigFile: true
          configFilePath: gitversion.yml
          
  build:

    runs-on: ubuntu-latest
    needs: [ setup ]

    strategy:
      matrix:
        project: ['XYZ.Core', 'XYZ.Core.Web']

    name: build ${{ matrix.project }}

    steps:
    
      - name: Checkout
        uses: actions/checkout@v4

      - name: Build
        run:  dotnet build src/${{ matrix.project }} --configuration ${{ env.environment }} -p:Version=${{ needs.setup.outputs.version }}
  
  test:

    runs-on: ubuntu-latest
    needs: [ setup, build ]

    strategy:
      matrix:
        project: ['XYZ.Core', 'XYZ.Core.Web']

    name: test ${{ matrix.project }}

    steps:

      - name: Checkout
        uses: actions/checkout@v4

      - name: Test
        run: dotnet test test/${{ matrix.project }}.Test --configuration ${{ env.environment }} -p:Version=${{ needs.setup.outputs.version }}

  pack:

    runs-on: ubuntu-latest
    needs: [ setup, build, test ]

    strategy:
      matrix:
        project: ['XYZ.Core', 'XYZ.Core.Web']

    name: pack ${{ matrix.project }}

    steps:

      - name: Checkout
        uses: actions/checkout@v4

      - name: Pack
        run: 
          dotnet pack src/${{ matrix.project }} --configuration ${{ env.environment }} --output ${{ github.workspace }} -p:PackageVersion=${{ needs.setup.outputs.version }}

      - name: Upload
        uses: actions/upload-artifact@v4
        with:
          name: ${{ matrix.project }}
          path: ${{ github.workspace }}/${{ matrix.project }}*.nupkg
          if-no-files-found: error
          retention-days: 2

  deploy:

    runs-on: ubuntu-latest
    needs: [ setup, build, test, pack ]

    strategy:
      matrix:
        project: ['XYZ.Core', 'XYZ.Core.Web']

    name: deploy ${{ matrix.project }}

    steps:

      - name: Download
        uses: actions/download-artifact@v4
        with:
          name: ${{ matrix.project }}
          path: ${{ github.workspace }}

      - name: Publish
        # run: dotnet nuget push ${{ github.workspace }}/${{ matrix.project }}.${{ needs.setup.outputs.version }}.nupkg --source ${{ env.packages_source }} --api-key ${{ env.packages_personal_access_token }} --skip-duplicate --no-symbols

Expected behavior:

The packages should be pushed to the repository packages.
If possible using secrets.GITHUB_TOKEN instead of a Personal Access Token.

Actual behavior:

1. When using a Personal Access Token (PAT) in dotnet push the package is pushed to the Github account.
   However it does not show on the Repository Packages ... Only in the Github Account packages tab.

2. When using secrets.GITHUB_TOKEN in dotnet push I get an unauthorised error:

Your request could not be authenticated by the GitHub Packages service. 
Please ensure your access token is valid and has the appropriate scopes configured.
Forbidden https://nuget.pkg.github.com/username/ 93ms
error: Response status code does not indicate success: 403 (Forbidden).

I tried a few code variations based on research I did on various issues but the error persists.

Version 1

  run: dotnet nuget push ${{ github.workspace }}/${{ matrix.project }}.${{ needs.setup.outputs.version }}.nupkg --source ${{ env.packages_source }} --api-key ${{ secrets.GITHUB_TOKEN }} --skip-duplicate --no-symbols

Version 2

  run: |
    dotnet nuget add source ${{ env.packages_source }} --name github --username mdmoura --password ${{ secrets.GITHUB_TOKEN }} --store-password-in-clear-text
    dotnet nuget push ${{ github.workspace }}/${{ matrix.project }}.${{ needs.setup.outputs.version }}.nupkg --source github --skip-duplicate --no-symbols

[HarithaVattikuti]

Hello @mdmoura
Thank you for creating this issue. We will investigate it and get back to you as soon as we have some feedback.