From 4ae8d8faa79d6dbf9ae78f8d366a66ae85ee45ec Mon Sep 17 00:00:00 2001 From: Daniel George Holz Date: Wed, 17 Feb 2021 12:49:17 +0000 Subject: [PATCH] Call out how PATs with `write:packages` scope also require `repo` scope --- .../authenticate_with_pat_for_container_registry.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/data/reusables/package_registry/authenticate_with_pat_for_container_registry.md b/data/reusables/package_registry/authenticate_with_pat_for_container_registry.md index 3e17856823..8a9304385a 100644 --- a/data/reusables/package_registry/authenticate_with_pat_for_container_registry.md +++ b/data/reusables/package_registry/authenticate_with_pat_for_container_registry.md 
@@ -1,7 +1,13 @@ {% if currentVersion == "free-pro-team@latest" %} If you want to authenticate to {% data variables.product.prodname_github_container_registry %} in a {% data variables.product.prodname_actions %} workflow, then you must use a personal access token (PAT). The `GITHUB_TOKEN` does not currently have the required permissions. During the {% data variables.product.prodname_github_container_registry %} beta, the only supported form of authentication is the PAT. -PATs can grant broad access to your account. We recommend selecting only the necessary read, write, or delete `package` scope when creating a PAT to authenticate to the {% data variables.product.prodname_container_registry %}. Avoid including the `repo` scope in a PAT used by a GitHub Actions workflow because it gives unnecessary additional access. +PATs can grant broad access to your account. You should select only the necessary `read:packages`, `write:packages`, or `delete:packages` scope when creating a PAT to authenticate to the {% data variables.product.prodname_container_registry %}. + +{% warning %} + +**Note:** Granting the `write:packages` scope on the PAT also grants the `repo` scope! If you save this PAT for use from an Action, any collaborators can configure an Actions workflow to use this PAT to get full permissions to all repositories accessable from the PAT owner's account. We recommend creating a separate account with access only to the specific repositories that want to push Docker images (see "[Security hardening for GitHub Actions](/actions/getting-started-with-github-actions/security-hardening-for-github-actions#considering-cross-repository-access)"). 
+ +{% endwarning %} If you'd like to use the {% data variables.product.prodname_container_registry %} in actions during the beta, follow our security best practices for PAT use at "[Security hardening for GitHub Actions](/actions/getting-started-with-github-actions/security-hardening-for-github-actions#considering-cross-repository-access)."
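Review bot: the warning text added in this hunk has a typo, `accessable` should be `accessible`, and the callout is wrapped in `{% warning %}` but labelled `**Note:**`; either change the label to `**Warning:**` or switch the block to `{% note %}` so the label and the tag agree. The phrase "the specific repositories that want to push Docker images" reads awkwardly; suggest "the specific repositories from which you want to push Docker images". Finally, "any collaborators can configure an Actions workflow to use this PAT" is broader than the sentence before it supports: the exposure described follows from saving the PAT for use by Actions, so consider qualifying it as collaborators who can edit workflows in the repository where the PAT is saved, which is also the scenario the linked "considering-cross-repository-access" section addresses.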