Consider deploy token with write_registry scope automatic read access

In !88948 (merged), we document that for a deploy token to push images to the container registry, it needs both write_registry and read_registry scopes.

We might want to consider adjusting our project policy to grant the user the ability to read the registry if write_registry is enabled.