It is possible to provide our maven packages to everyone without PAT?

[PavelTurk]

We have an open-source project and we would like to build a snapshot and provide it via GitHub Packages. We managed to deploy our package, but it seems that anyone who wants to use it must provide a PAT. It is clear that this is not what we want. Could anyone tell us if it is possible to let users access our GitHub Packages repository without a PAT?

[Raihanhn]

Yes, it’s possible — but it depends on whether your GitHub Packages repository is public or private:

Public repo + public package → You don’t need a Personal Access Token (PAT). Anyone can pull your Maven package without authentication.

Private repo or private package → You must use a PAT (or GitHub Actions/GitHub App tokens) to authenticate.

📌 So if you want to make your Maven package available to everyone without PAT, you need to publish it as a public package in a public repository.

[PavelTurk]

Thank you for your answer. Could you say how we can make GitHub Packages repository public? In organization settings -> packages we have:

Members will be able to publish only the selected visibility types for packages and containers. Outside collaborators can never publish packages or containers: Public SELECTED

This setting will be applied to new Container, npm, rubygems and NuGet packages.
Inherit access from source repository SELECTED

[Raihanhn]

Yes! Here’s how it works:

Package visibility follows the repository visibility by default.

If your repository is public, you can make packages public so anyone can download them without a PAT.

If your repository is private, all packages are private too, and users will need a PAT to access them.

Settings you mentioned:

“Members will be able to publish only the selected visibility types for packages and containers” → this controls what visibility contributors can set when publishing.

“Inherit access from source repository” → if this is selected, the package visibility will automatically match the repository visibility.

✅ So to make your package public:

Ensure your repository is public.

Keep “Inherit access from source repository” selected when publishing the package.

Once published, the package will be public, and anyone can use it without a PAT.

💡 Note: GitHub Packages don’t have a separate “public/private” toggle for already published packages; the visibility is tied to the repository at the time of publishing.

[PavelTurk]

So, bad news, our repository public, so, our our package repo also should be public. The only problem that it requires PAT to access it :). Have you ever tried it?

[Raihanhn]

I see what you mean 👍. Yes, I’ve run into that before — even with a public repo, GitHub Packages (especially npm/Maven/Docker registries) still sometimes require authentication with a PAT, which feels counter-intuitive.

From what I know:

GitHub Container Registry (ghcr.io) supports truly anonymous pulls for public images if you set the package visibility to public.

npm, Maven, NuGet via GitHub Packages currently still require some form of auth, even for public packages.

So it depends on the ecosystem:

If you’re publishing Docker images, you can make them fully public.

If you’re publishing npm/Maven/etc. packages, GitHub unfortunately still enforces PAT or at least GITHUB_TOKEN for installs.

👉 If anonymous access is a must for your use case, one workaround is to mirror the package on a registry that supports public unauthenticated access (like npmjs.com for JS packages, Docker Hub, Maven Central, etc.).

[johnpauljohn25176-collab]

GitHub Packages for private registries always requires authentication, so users need a PAT or other token to pull packages. For public access without a PAT, the only option is to make the package public and host it in a repository that supports anonymous downloads, like npm registry for npm packages or GitHub Releases for binaries. Essentially, GitHub Packages doesn’t allow completely unauthenticated access for packages, so if you want anyone to download it without a token, you’ll need to either make the package public or distribute it through a different channel like GitHub Releases.

[PavelTurk]

Thank you for your answer. Could you say how to make the package public? In package settings there is only possibility to Delete this package

[RamprakashRP]

Currently, it's not possible to access public Maven packages from GitHub Packages without authentication. This is a common point of friction for open-source projects using GitHub's package registry. Most GitHub Packages registries, including the one for Maven, require a Personal Access Token (PAT) for both publishing and installing packages, regardless of their public or private status.

Why Authentication is Required
GitHub's model for most of its package registries is based on a security-first approach where all access, even for public artifacts, is tied to a user account. This prevents anonymous abuse and allows GitHub to track usage and enforce its terms of service. The only exception to this is the Container registry (ghcr.io), which allows for anonymous access to public container images.

Your Options
Since you want to provide your open-source package without requiring a PAT, here are two viable alternatives to consider:

JitPack.io: This is a popular service for open-source projects that can automatically build and host Maven artifacts from your GitHub repository. Users can simply add the JitPack repository and a dependency to their pom.xml file, and JitPack handles the rest without requiring any authentication.

Maven Central Repository: The gold standard for open-source Java projects is to publish to the central Maven repository. This requires a one-time setup and a more formal release process, but it's the most common and trusted way for users to consume your artifacts. It ensures your packages are widely accessible and easily integrated into any Maven project.

While GitHub Packages is a convenient solution, for open-source projects that need to be easily consumable by a broad audience, these alternatives are better suited to meet your goal of providing a PAT-free experience.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬