How to have PRs read from Nuget GitHub Packages cache?

[MarkCallow]

I have set up my workflows to use NuGet with GitHub Packages. Now 3rd party PRs are failing when adding the NuGet sources with

Both UserName and Password must be specified.

This is not surprising as these items are in repository secrets which are not available to PRs. (I was surprised though, because the PRs I created while setting up the caching worked so I forgot about secrets not usually being available).)

At a minimum I need to stop the error so the workflow will proceed. However, since the vast majority of PRs do not update the versions of packages used and therefore have no need to write to the cache I would like to make it possible for them to read from the cache.

Does anyone know how to do this? The documentation on setting up caching has nothing to say.

I am thinking of making the username public - there is nothing secret about it as it is the repo group's name - and changing the workflow to use the GITHUB_TOKEN when building a PR, that is made available to any workflow and which the documentation says gives read-only access to packages, as the "password". Will this work?

To determine when building a PR is there a better way than checking the existence of GITHUB_BASE_REF in the environment?

[MarkCallow]

I found the answer myself. Just use GITHUB_TOKEN instead of a creating a classic personal access token.

https://learn.microsoft.com/en-us/vcpkg/consume/binary-caching-github-packages?pivots=linux-runner is WRONG when it implies that you cannot use GITHUB_TOKEN by saying

"The built-in PAT provided by GITHUB_TOKEN only has the packages:read permission, you can use it if you plan to have a read-only binary cache in your workflow."

after describing how to create a classic PAT.

You can use GITHUB_TOKEN. Just add

   permissions:
      packages: write

to the jobs in your workflow, or to the entire workflow, and you will have a read-write cache. The permission will not be elevated when building from a fork, i.e. a PR.