How to use Installation Access Token in authorization?

I want to use Installation Access Token instead of Personal Access Token on GitHub Actions, but it doesn’t work.

Example code

    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2

      - name: Generate token
        id: generate_token
        uses: tibdex/github-app-token@v1
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_PRIVATE_KEY }}

      - name: Log into GitHub Container Registry
        run: echo "${{ steps.generate_token.outputs.token }}" | docker login -u ${{ }} --password-stdin

My GitHub App (GH_APP_ID) has “Read & Write access” enabled in “Packages”.


    Run echo "***" | docker login -u sue445 --password-stdin
      echo "***" | docker login -u sue445 --password-stdin
      shell: /bin/bash -e {0}
        IMAGE_NAME: awscli-all
    Error response from daemon: Get denied
    ##[error]Process completed with exit code 1.

Is there a way to use Installation Access Token?


GHCR can’t accept App tokens, only PATs for now. We’re working on a solution to allow for the Actions GITHUB_TOKEN and then could look into this after.
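
The PAT-based login that the reply above describes, as an added example that is not part of the original thread. The secret names `GHCR_USERNAME` and `GHCR_PAT`, the `ghcr.io` registry host, the `main` branch trigger and the build steps are assumptions; `IMAGE_NAME` is taken from the log in the question.

```yaml
# Added example: GHCR login with a PAT held in repository secrets.
# GHCR_USERNAME and GHCR_PAT are hypothetical secret names.
name: publish-image
on:
  push:
    branches: [main]   # assumed default branch

jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      IMAGE_NAME: awscli-all
    steps:
      - uses: actions/checkout@v2

      - name: Log into GitHub Container Registry
        env:
          # PAT owned by GHCR_USERNAME, created with the write:packages scope
          GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
          GHCR_PAT: ${{ secrets.GHCR_PAT }}
        run: |
          # Hand the token over through the environment and stdin so it is
          # never interpolated into the script text or a process argument.
          printf '%s' "$GHCR_PAT" | docker login ghcr.io -u "$GHCR_USERNAME" --password-stdin

      - name: Build and push
        run: |
          # Image references must be lowercase; the owner name may not be.
          owner="$(printf '%s' "$GITHUB_REPOSITORY_OWNER" | tr '[:upper:]' '[:lower:]')"
          image="ghcr.io/${owner}/${IMAGE_NAME}:${GITHUB_SHA}"
          docker build -t "$image" .
          docker push "$image"

      - name: Log out
        # Remove the stored credential from the runner even if a step failed.
        if: always()
        run: docker logout ghcr.io
```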


Is support for Outside Collaborators on that list? Currently outside collabs can’t write (near as I can tell) to

@clarkbw Thank you. I’m waiting!

An outside collab would need to publish via a GitHub Actions workflow and a repository (or org) secret. They would do this by committing directly to the repo rather than using a fork.

You might also be able to use the new fork settings, see:

I hope that helps!



@jcansdale We’re currently (correctly or incorrectly) using a PAT from a GitHub account we have set up as a service account, which is set as an outside collaborator to isolate its permissions, so that doesn’t help unfortunately. Are there plans to allow publishing via Workflow tokens and/or more fine-grained PAT/service account permissions coming down the pipeline?


We’re working on a system for workflow tokens, this will roll out before the end of the year.

Can you open up a separate topic about the outside collaborator? An OC who has write access to the container should have access with a PAT that has write scope. Thx!


Found this topic. Not sure if something was opened up, but the UI explicitly says this is not allowed for outside contributors on page {org}/settings/member_privileges

“Members will be able to publish only the selected visibility types of packages and containers. Outside collaborators can never publish packages or containers.”

@cep21 Opened a separate topic for that issue specifically here: Unable to Publish Image to Github Container Registry with Outside Contributer
