How to use Installation Access Token in ghcr.io authorization?

sue445 · September 8, 2020, 8:24am

I want to use Installation Access Token instead of Personal Access Token on GitHub Actions, but doesn’t work.

Example code

jobs:
  push:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2

      - name: Generate token
        id: generate_token
        uses: tibdex/github-app-token@v1
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_PRIVATE_KEY }}

      - name: Log into GitHub Container Registry
        run: echo "${{ steps.generate_token.outputs.token }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin

My GitHub App (GH_APP_ID) has “Read & Write access” enabled in “Packages”.

Error

Run echo "***" | docker login https://ghcr.io -u sue445 --password-stdin
  echo "***" | docker login https://ghcr.io -u sue445 --password-stdin
  shell: /bin/bash -e {0}
  env:
    IMAGE_NAME: awscli-all
Error response from daemon: Get https://ghcr.io/v2/: denied
##[error]Process completed with exit code 1.

Is there a way to use Installation Access Token?

clarkbw · September 5, 2020, 3:03pm

GHCR can’t accept App tokens, only PATs for now. We’re working on a solution to allow for the Actions GITHUB_TOKEN and then could look into this after.

richicoder1 · September 5, 2020, 6:55pm

Is support for Outside Collaborators on that list? Currently outside collabs can’t write (near as I can tell) to ghcr.io

sue445 · September 6, 2020, 11:04am

@clarkbw Thank you. I’m waiting!

jcansdale · September 7, 2020, 5:43pm

An outside collab would need to publish via a GitHub Actions workflow and a repository (or org) secret. They would to this by committing directly to the repo rather than using a fork.

You might also be able to use the new fork settings, see:

I hope that helps!

Regards,
Jamie.

richicoder1 · September 7, 2020, 7:28pm

@jcansdale We’re currently (correctly or incorrectly) using a PAT from a GitHub account we have setup as a service account, which is set as an outside collaborator to isolate it’s permissions so that doesn’t help unfortunately. Is there plans to allow publishing via Workflow tokens and/or more fine-grained PAT/service account permissions coming down the pipeline?

clarkbw · September 8, 2020, 8:22am

We’re working on a system for workflow tokens, this will roll out before the end of the year.

Can you open up a separate topic about the outside collaborator? An OC who has write access to the container should have access with a PAT that has write scope. Thx!