PAT scope for ghcr.io/v2 api

TL;DR

I am trying to find out how and if I can use a personal access token or similar to authenticate requests on the https://ghcr.io/v2/[org-name]/[image-name]/manifests/[version] API endpoint.

My issue

I have a number of tools to help manage my containers and k8s cluster, most notably in this case keel.sh for auto updating my k8s deployments when a new container is pushed.

In order for this to work, keel needs to make requests to the above endpoint (this is done regardless of whether keel is polling or using webhooks). Currently, no matter what I do with a PAT, I always get a 403 Denied response from that endpoint.

More Info

If I send a curl request to the manifests endpoint, I get the following www-authenticate header:
Bearer realm="https://ghcr.io/token",service="ghcr.io",scope="repository:[org-name]/[repo-name]:pull"

As far as I can tell there is no way (from the UI at least) to generate a PAT with a repository:pull scope, so this might just not be possible.

Any help on this would be greatly appreciated.
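
The www-authenticate value quoted in the post has the shape of the Docker/OCI registry token authentication challenge, where a client asks the realm for a token by passing service and scope as query parameters and then retries with that token as a Bearer credential. The following is an added example, not part of the original post, that parses such a challenge and builds (without sending) the token request; the org and image names are constructed placeholders, the function names and the username/secret parameters are hypothetical, and which credentials ghcr.io accepts at the realm is not something this code establishes.

```python
import base64
import re
from urllib.parse import urlencode
from urllib.request import Request

# Constructed sample: the challenge from the post with placeholder names filled in.
SAMPLE_CHALLENGE = (
    'Bearer realm="https://ghcr.io/token",service="ghcr.io",'
    'scope="repository:example-org/example-image:pull"'
)

# key="quoted value" (with backslash escapes) or key=bare-token
_PARAM = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))')

def parse_bearer_challenge(header):
    """Return the auth-params of a Bearer WWW-Authenticate value as a dict."""
    scheme, _, rest = header.strip().partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer challenge: %r" % scheme)
    params = {}
    for m in _PARAM.finditer(rest):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        params[m.group(1).lower()] = re.sub(r"\\(.)", r"\1", value)
    if "realm" not in params:
        raise ValueError("challenge has no realm")
    return params

def build_token_request(params, username=None, secret=None):
    """Build the GET to the realm that asks for a token with the challenged scope."""
    realm = params["realm"]
    if not realm.lower().startswith("https://"):
        # The realm comes from the server's response; never send credentials in clear.
        raise ValueError("refusing to send credentials to a non-HTTPS realm")
    query = {k: params[k] for k in ("service", "scope") if k in params}
    req = Request(realm + "?" + urlencode(query), method="GET")
    if username is not None and secret is not None:
        # Hypothetical credentials, sent as HTTP Basic to the token endpoint only.
        basic = base64.b64encode(f"{username}:{secret}".encode()).decode()
        req.add_header("Authorization", "Basic " + basic)
    return req

def bearer_header(token_response):
    """Token endpoints return the token under 'token' and/or 'access_token'."""
    token = token_response.get("token") or token_response.get("access_token")
    if not token:
        raise ValueError("no token in response")
    return {"Authorization": "Bearer " + token}
```

Comparing the scope in the parsed challenge with what the token endpoint grants for a given credential shows whether a 403 comes from the token request or from the manifest request itself.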