Generating PATs for ghcr access via API

Alright, I’m at my wits end here.

We have a need to generate new personal access tokens for docker clients in our organization. We want these to be unique so if we have to we can revoke access granularly. To do this, I thought we could just hit something in the API. The related endpoints went away in Nov 2020, which, fair enough. I went through the webflow docs and while not 100% on them, I seem to understand the following:

  1. I would need a webserver of some kind because github just provides a code of some kind via redirects that then can be exchanged for an access_token. This seems to be similar to curl -s -X POST -H "Authorization: Bearer $JWT" -H "Accept: application/vnd.github.v3+json" https://api.github.com/app/installations/18705734/access_tokens where I use a JWT to get an access token via the installations endpoint. I can’t seem to find any way to create a specific (ghp_) Personal Access Token type token from here though.
  2. Any tokens from the API expire after 1 hour.

So my questions are:

  1. Is there any way to create tokens via the API (PAT or otherwise) that allow non-expiring pull access to ghcr.io containers?
  2. If no, is there another authentication mechanism I should be lookin at to grant that access?

Thanks for any insight!