The Core Bug (Issue #982)

Current logic:   Is user a member of org?  →  yes  →  grant org publish
Correct logic:   Is user authorized to publish for this namespace?

When a user authenticates with the scopes read:org, read:user, the registry calls GitHub's GET /user/orgs and grants publish access to every org namespace returned. That endpoint lists the organizations the user belongs to and carries no role or permission information at all: an owner, a read-only contractor, an intern, etc. all appear as plain members. None of the latter should have publish rights. (Even GET /user/memberships/orgs, which does return a role, only distinguishes admin from member; it says nothing about who may publish for a namespace.)

Authentication ≠ Authorization.

<aside> 💡

Recommended Approach: Approach A OR Approach B(B2)

</aside>


Proposed Solutions from Issue #982

Solution 1 — User-Scoped Default

What it does: Remove the GET /user/orgs call entirely. A PAT or OAuth login grants only io.github.<username>/*. Org publishing is pushed to OIDC only.

Flow:

User
  │
  │  PAT or OAuth token
  ▼
Registry
  │── GET /user ──────────────────────▶ GitHub
  │◀── { login: "alice" } ─────────────
  │
  │  mint JWT:
  │  { namespaces: ["io.github.alice/*"] }
  │  (org namespaces never granted)
  │
  ▼
JWT returned to user
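The membership-equals-publish bug from the Core Bug section and the Solution 1 flow above, side by side as an added example. This is not code from the registry or from Issue #982; it assumes the registry is written in Go, stands in for the GitHub client with a small interface, and feeds it constructed responses so it runs offline. The JWT itself is reduced to its namespaces claim, and the prefix-matching canPublish helper is an assumption about how namespace globs are checked.

```go
package main

import (
	"fmt"
	"strings"
)

// GitHubUser mirrors the one field of GET /user the registry needs.
type GitHubUser struct {
	Login string
}

// GitHubOrg mirrors an entry of GET /user/orgs. There is no role or
// permission field in that response, which is the root of Issue #982.
type GitHubOrg struct {
	Login string
}

// GitHubAPI is an assumed stand-in for the registry's GitHub client.
type GitHubAPI interface {
	User() GitHubUser
	UserOrgs() []GitHubOrg
}

// fakeGitHub returns constructed responses so the example runs offline.
type fakeGitHub struct {
	user GitHubUser
	orgs []GitHubOrg
}

func (f fakeGitHub) User() GitHubUser      { return f.user }
func (f fakeGitHub) UserOrgs() []GitHubOrg { return f.orgs }

// Claims is the namespaces claim the registry mints into its JWT.
type Claims struct {
	Namespaces []string
}

// currentNamespaces reproduces the buggy logic: membership in an org is
// treated as authorization to publish under that org's namespace.
func currentNamespaces(gh GitHubAPI) Claims {
	c := Claims{Namespaces: []string{"io.github." + gh.User().Login + "/*"}}
	for _, org := range gh.UserOrgs() {
		c.Namespaces = append(c.Namespaces, "io.github."+org.Login+"/*")
	}
	return c
}

// userScopedNamespaces implements Solution 1: GET /user/orgs is never
// consulted, so a PAT/OAuth login can only publish under its own username.
// Org namespaces would have to come from a separate OIDC path.
func userScopedNamespaces(gh GitHubAPI) Claims {
	return Claims{Namespaces: []string{"io.github." + gh.User().Login + "/*"}}
}

// canPublish checks a server name against the namespace claims. A claim
// "io.github.alice/*" covers "io.github.alice/anything" but, because the
// match keeps the trailing "/", not "io.github.alice-evil/x".
func canPublish(c Claims, serverName string) bool {
	for _, ns := range c.Namespaces {
		if strings.HasSuffix(ns, "/*") {
			prefix := strings.TrimSuffix(ns, "*") // keeps the "/" boundary
			if strings.HasPrefix(serverName, prefix) {
				return true
			}
		} else if ns == serverName {
			return true
		}
	}
	return false
}

func main() {
	// Constructed scenario: alice is a read-only member of acme-corp.
	gh := fakeGitHub{
		user: GitHubUser{Login: "alice"},
		orgs: []GitHubOrg{{Login: "acme-corp"}},
	}
	target := "io.github.acme-corp/internal-server"
	fmt.Println("current logic grants org publish:", canPublish(currentNamespaces(gh), target))
	fmt.Println("solution 1 grants org publish:  ", canPublish(userScopedNamespaces(gh), target))
	fmt.Println("solution 1 grants own namespace:", canPublish(userScopedNamespaces(gh), "io.github.alice/my-server"))
}
```

The point of keeping both functions is that the only difference is the loop over UserOrgs(): nothing in that response could have told currentNamespaces whether alice is an owner or a read-only member, so no amount of filtering on it would fix the bug; the call has to go, and org authorization has to come from a signal that actually encodes permission.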

Pros