I would expect that as an organization owner, I’d be able to see all container images under the organization, and I’d be able to change their visibility settings. That doesn’t seem to be the case and I wonder if this is a bug. Here’s what happened:
- User A pushes a container image (e.g. `docker push ghcr.io/aquasecurity/trivy:latest`)
- User B is an organization owner, but B can’t see this container image
  - It doesn’t appear in the list of packages at https://github.com/orgs/aquasecurity/packages
  - If user B is logged in and tries to pull the image, they get: `Error response from daemon: pull access denied for ghcr.io/aquasecurity/trivy, repository does not exist or may require 'docker login': denied: permission_denied: read_package`
- If user A changes the visibility of the image to public, then it’s visible to user B in the UI, and can be pulled, but under the package settings for the image, user B sees the error message “You do not have permissions to administrate this package.”
Related, is there any relationship between permissions on a repo and container image permissions with a matching name? For example, if user C is an admin on the aquasecurity/trivy repo, would you expect them to have visibility and management permissions on the ghcr.io/aquasecurity/trivy image? I think this would be helpful.