Deploy token with read_package_registry scope should be able to list generic packages

Everyone can contribute. Help move this issue forward while earning points, leveling up and collecting rewards.

Close this issue

Proposal

Deploy tokens with the read_package_registry scope can be used to download generic packages:

$ curl -s --user '<DEPLOY_TOKEN_USER>:<DEPLOY_TOKEN>' "https://gitlab.example.com/api/v4/projects/<PROJECT_PATH_OR_ID>/packages/generic/<PACKAGE>/<VERSION>/<FILE>"
// works as expected ✅

However, one requires a PAT to list the available generic packages:

$ curl -si --user '<DEPLOY_TOKEN_USER>:<DEPLOY_TOKEN>' "https://gitlab.example.com/api/v4/projects/<PROJECT_PATH_OR_ID>/packages
HTTP/2 404 🔥
$ curl -si -H 'PRIVATE-TOKEN: <PRIVATE-TOKEN>' "https://gitlab.example.com/api/v4/projects/<PROJECT_PATH_OR_ID>/packages
// works as expected ✅

This would be useful for, e.g., implementing self-updating binaries that can check the availability of updates (leaving supply-chain security considerations aside in this context)

Edited Jul 23, 2025 by 🤖 GitLab Bot 🤖