Is it possible to access Github private container images via Github application?

[aloforte]

Select Topic Area

Question

Body

Hi all,
an old discussion from 2020 (https://github.com/orgs/community/discussions/26921) left open future possibility of allowing github registry packages access via application tokens.

Fast-forward to late 2023: is this still not possible?

I'm looking for alternatives to a "classic" Personal Access token to allow an in-house application download rights to a container image from ghcr.io.

What I have is an application with a JWT privkey and permissions for repository:contents, registered in my organization and whith package:write access to my repository.
I'm able to docker login to ghcr.io with an access token generated for that application, but if I then attempt a docker pull for an image from that very same repository I get:

Error response from daemon: Get "https://ghcr.io/v2/ORG/REPO/manifests/sha256:SHA": denied: denied

Did anyone achieve container registry images pulling via github application tokens? If so, how?

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[aloforte]

No-one on this? Is any additional detail needed?

[aleneum]

Hi @aloforte,

did you find out how to pull private images from ghcr.io? My app has package read permissions and also access to the repository that stores the images but no luck so far.

[aloforte]

Hi @aleneum:
As far as I know ghcr is still not accepting app oidc tokens.
Only alternative I found is by letting application use an old-style Personal Access Token, shared as a secret and used for docker local operations.

[aleneum]

Thank you for the feedback, @aloforte. I guess I will create a read-only "CI user" as a workaround.