Creating a token that has _only_ write permissions results in a token
that can't do anything: In order to push an image, you also need to be
able to read. This is mentioned in one place in the docs, but wrong or
misleading in others, as well as in the application itself.