Commit 4ae8d8f

Call out how PATs with write:packages scope also require repo scope
1 parent 4a92ff1 commit 4ae8d8f

1 file changed

Lines changed: 7 additions & 1 deletion

data/reusables/package_registry/authenticate_with_pat_for_container_registry.md

@@ -1,7 +1,13 @@
11
{% if currentVersion == "free-pro-team@latest" %}
22
If you want to authenticate to {% data variables.product.prodname_github_container_registry %} in a {% data variables.product.prodname_actions %} workflow, then you must use a personal access token (PAT). The `GITHUB_TOKEN` does not currently have the required permissions. During the {% data variables.product.prodname_github_container_registry %} beta, the only supported form of authentication is the PAT.
33

4-
PATs can grant broad access to your account. We recommend selecting only the necessary read, write, or delete `package` scope when creating a PAT to authenticate to the {% data variables.product.prodname_container_registry %}. Avoid including the `repo` scope in a PAT used by a GitHub Actions workflow because it gives unnecessary additional access.
4+
PATs can grant broad access to your account. You should select only the necessary `read:packages`, `write:packages`, or `delete:packages` scope when creating a PAT to authenticate to the {% data variables.product.prodname_container_registry %}.
5+
6+
{% warning %}
7+
8+
**Note:** Granting the `write:packages` scope on the PAT also grants the `repo` scope! If you save this PAT for use from an Action, any collaborators can configure an Actions workflow to use this PAT to get full permissions to all repositories accessable from the PAT owner's account. We recommend creating a separate account with access only to the specific repositories that want to push Docker images (see "[Security hardening for GitHub Actions](/actions/getting-started-with-github-actions/security-hardening-for-github-actions#considering-cross-repository-access)").
9+
10+
{% endwarning %}
511

612
If you'd like to use the {% data variables.product.prodname_container_registry %} in actions during the beta, follow our security best practices for PAT use at "[Security hardening for GitHub Actions](/actions/getting-started-with-github-actions/security-hardening-for-github-actions#considering-cross-repository-access)."
713
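Review bot: The added block opens with `{% warning %}` but its text is labelled "**Note:**", so the rendered callout and its label disagree; since the content is a privilege-escalation caveat, label it "**Warning:**" to match the tag. In the same added paragraph, "accessable" should be "accessible", and "the specific repositories that want to push Docker images" reads better as "the specific repositories that need to push Docker images". The exclamation mark after "also grants the `repo` scope" is out of register with the surrounding text. The warning now links to the same "Security hardening for GitHub Actions" anchor as the unchanged paragraph right after it, so one of the two links could be dropped or the paragraphs merged. The replaced line also drops the earlier advice to avoid the `repo` scope without saying whether that advice still applies to PATs that only carry `read:packages`; a short sentence covering that case would keep the least-privilege guidance complete. Finally, the file uses both `prodname_github_container_registry` (line 2) and `prodname_container_registry` (the changed line and line 12); confirm both variables are defined and that the mix is intended.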
