Pull image from container registry using fine-grained access token #38467
-
Hello, is it possible to pull an image from ghcr.io using a fine-grained personal access token? I've tried to use the token with read permissions but the image pull fails with a 403 Forbidden status.
-
Hi there @mkniazuk123 and welcome to our community! Thank you for asking a great question 🙂 To get started, introduce yourself in our official introduction thread
-
Was just looking into this myself. From the docs, fine-grained tokens are not supported.
-
I am also having this issue, seems like over the past few days PAT (classic) is now broken for NPM registry also.
-
Is this on the road map? It's one of our main use cases for tokens and I'd love to use a finer grained token approach for this.
-
Same here. We're looking to enforce fine-grained tokens so we can take advantage of the Enterprise management of the tokens. This will be a blocker to enforcing the removal of classic tokens.
-
Fine-grained access token is also not working for me for accessing the Docker registry ghcr.io :( This would be great once it works though
-
Does GitHub have any plans on fixing this? I think that an access token with access only to packages in a specific repository is one of the most basic security features they could offer. For example, GitLab allows access token generation for an individual repo and I think that is a much cleaner solution for deployment tokens.
-
Any update on this @github? It seems crazy that in order to publish container images to the GitHub registry you must use a classic token that has full write access to the repo.
-
Any updates on this? 🙏
-
So looking into this a bit more: I can understand why the devs didn't initially add package support, because packages themselves are tied to an account, or an organization, and not to a specific repository. In our cases, if a package is linked to a repo (and permissions are inherited), it should be fairly trivial to check permission from a fine-grained access token if they have access to read packages that are linked to that repository. I implore GitHub to add functionality for fine-grained access tokens, as security is important: I don't want to give PAT tokens to my cluster which have more access than what is needed.
-
Okay, so "repository contents" in fine-grained tokens wasn't it, and I'm never getting back the time I wasted...
-
Hi guys, I was able to pull successfully from GitHub Registry using Fine-Grained token Repository permissions. Can you please try again on your end and let me know how it works? Thanks,
-
@dummy-andra Can it work for pushing? I tried to set read-write to all permissions, but actions can't push image to github registry. Got 403.
-
Thank you to everyone that has shared how to grant "package read permission" using the fine-grained access token. With that in mind, I was reminded how the "classic" provides the precise access rights - ironic. Until there is what I would call "direct support" for providing read access to the organization's packages using the fine-grained access token, I might recommend sticking with
-
Has this worked for anyone recently? I'm trying to get a docker pull working with a fine-grain token but I am having no luck. This is a repo in an org setup.
-
Any update on this? I refuse to use classic PAT in our organization for security purposes.
-
Any updates on this?
-
this is such an important feature, it's crazy there hasn't been any response from GitHub on this for 2 years
-
I also need this feature. Anyone here from GitHub who can place this request higher in the agenda? How long are fine-grained tokens in beta state now? Really annoying...
-
This is a trivial thing. We have a restriction on org level to use classic tokens; on the other hand, there is an ArgoCD that needs to pull Helm charts from ghcr....
Was just looking into this myself. From the docs, fine-grained tokens are not supported.
https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry