
According to the GitHub docs, you can only authenticate to the GitHub Container Registry via a personal access token or via the GITHUB_TOKEN (only available in GitHub Actions). The GITHUB_TOKEN is an installation access token of a GitHub App.

When you enable GitHub Actions, GitHub installs a GitHub App on your repository. The GITHUB_TOKEN secret is a GitHub App installation access token. [source]

Is it possible to use the installation access token of another GitHub App to authenticate to the GitHub Container Registry?


EDIT 08-30-2023: According to a GitHub employee, this feature is missing as of now, but they are working on it.
crimbler2
  • Realized when I answered the question that I assumed you wanted to authenticate and use it outside of a GitHub Actions workflow. Would be good if you specified in your question if this is in a GitHub Actions workflow or not. – Pär Berge Aug 14 '23 at 06:24

1 Answer

I was successful in authenticating to the GitHub Container Registry. However, I can't get it to pull or push any container images.

Looking at the REST API documentation: https://docs.github.com/en/rest/packages/packages?apiVersion=2022-11-28#get-a-package-for-an-organization

It doesn't say that it works with GitHub Apps, like it does for this endpoint for instance: https://docs.github.com/en/rest/repos/repos?apiVersion=2022-11-28#list-organization-repositories

From my experience, some of the things in GitHub aren't well documented, so I did try, but in the end I couldn't get it to work.

I managed to successfully log in using docker login with a GitHub App token, but I am still getting blocked by packages permissions when trying to push an image.

This is what I did to be able to log in at least:

  1. Generate a JWT for the GitHub App: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-a-json-web-token-jwt-for-a-github-app
  2. Create an access token: https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/generating-an-installation-access-token-for-a-github-app
  3. Log in via Docker: docker login ghcr.io -u <YOUR_GITHUB_APP_ID> and, when prompted for a password, enter the token from the response in step 2.

My problem might be that the app is installed on the organization and I don't have enough permissions. When you generate your access token, in the response you will see what kind of permissions it has. For it to work, I guess it should have "packages" in the "permissions".

This is what I got in my response:

{
  "token": "<redacted>",
  "expires_at": "2023-08-11T08:44:17Z",
  "permissions": {
    "contents": "read",
    "metadata": "read",
    "packages": "write"
  },
  "repository_selection": "all"
}

But still failed with this when trying to push an image:

denied: permission_denied: installation not allowed to Create organization package
Pär Berge
  • Yes, I was able to get to this point as well. I've got a response from GitHub today: this feature is simply missing, but they are working on it. – crimbler2 Aug 30 '23 at 14:21
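
The three steps from the answer above, written out as a script. This is an added example, not code from the answer or from GitHub; the function names and the three positional arguments are choices made here, and it assumes openssl, curl, jq and docker are installed. It reports the "packages" level of the returned token before logging in; as the answer shows, a successful login with "packages": "write" still does not mean the push will be allowed.

```shell
#!/bin/sh
# Added example (not from the answer). Needs openssl, curl, jq and docker.
# Function names and argument order are assumptions made for this sketch.

# base64url without padding, as JWT segments require.
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }

# Step 1: RS256-signed JWT. $1 = app ID, $2 = path to the app's private key (PEM).
make_app_jwt() (
  now=$(date +%s)
  header=$(printf '{"alg":"RS256","typ":"JWT"}' | b64url)
  # iat is backdated 60 s for clock drift; exp may be at most 10 minutes ahead.
  payload=$(printf '{"iat":%d,"exp":%d,"iss":"%s"}' \
    "$((now - 60))" "$((now + 540))" "$1" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$2" | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
)

# Step 2: exchange the JWT for an installation access token.
# $1 = JWT, $2 = installation ID. Prints the JSON response.
get_installation_token() {
  curl -fsS -X POST \
    -H "Authorization: Bearer $1" \
    -H "Accept: application/vnd.github+json" \
    -H "X-GitHub-Api-Version: 2022-11-28" \
    "https://api.github.com/app/installations/$2/access_tokens"
}

# Step 3: docker login. $1 = app ID, $2 = JSON response from step 2.
ghcr_login() (
  level=$(printf '%s' "$2" | jq -r '.permissions.packages // "none"')
  echo "installation token grants packages: $level" >&2
  # --password-stdin keeps the token out of argv and shell history.
  printf '%s' "$2" | jq -r '.token' | docker login ghcr.io -u "$1" --password-stdin
)

# Usage: ./ghcr-app-login.sh <app-id> <installation-id> <private-key.pem>
if [ "$#" -eq 3 ]; then
  jwt=$(make_app_jwt "$1" "$3")
  resp=$(get_installation_token "$jwt" "$2")
  ghcr_login "$1" "$resp"
fi
```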