New packages access via GITHUB_TOKEN impractical for forks

Yesterday, GitHub announced that the container registry now supports GITHUB_TOKEN by giving repository access to packages:

I just tried it out, but I have to say, the way it works right now seems impractical:

In my case, we have a private repository with a few private forks. Two jobs in a workflow use images hosted on ghcr.io, and until now I have configured a PAT to access them, which was fine.

Now I tried to change this and added the repo and changed our actions to use the GITHUB_TOKEN.

On the first PR (we’re doing PRs via private forks), this was met with failure:

repository does not exist or may require 'docker login': denied: installation not allowed to Read organization package

The problem, it seems to me, is that each individual fork would need to be listed for package access in order for this to work, but this is entirely impractical as forks come and go.

Worse: even if I was willing to deal with this, here’s a screenshot of how the search window looks:

Good luck picking the right one and making sure you find them all :)

This should at least list the owner too so I have a chance if I ever want to go this route (which I don’t).

We went back to the PAT.

You are correct that you have to give a forked repo access explicitly to the container to pull if it’s private or to push in general.

We can definitely do a better job on that search window. I filed an issue to improve that result to include more information to make it easier to separate the various forks.

Shayne


Update on the UI issue: we updated the repository selection screen to include more information about the repositories in the list, to make it easier to find the specific one you are looking for.

What about branches in private repos? It appears that GITHUB_TOKEN only gives access to the master branch, as also outlined here: Can't pull private ghcr.io image using GITHUB_TOKEN from non-default branch

We will have to go back to PAT, since GITHUB_TOKEN is simply not working in our workflow where branches have to have access to packages.
