Deploy token fails to pull image when a project is public and the Container Registry is set to "Only Project Members"

Reproduction steps: Set up a project with:

  • Project visibility: Public
  • Container registry: Only Project Members

Then, under "Repository", create a Deploy Token with the read_registry scope and add it as a secret to your Kubernetes cluster. Then try to use this secret with a deployment, etc.

Actual behaviour:

Failed to pull image "...": rpc error: code = Unknown desc = failed to pull and unpack image "...": failed to resolve reference "...": pull access denied, repository does not exist or may require authorization: server message: insufficient_scope: authorization failed

and the pod remains in ImagePullBackOff.

Expected behaviour: The image should pull successfully.

Workaround:

  • Option 1: Changing the project visibility to Private makes image pulling work again (but this means the repository is then not public like you want).
  • Option 2: Use a different token with registry access, such as a project access token or a personal access token (but be mindful of the security implications of personal access tokens!)

Affected version: 15.7.3

Edited by Hordur Freyr Yngvason
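
Added example, not part of the original issue and not GitLab's code: a diagnostic sketch that builds the image pull secret from a deploy token and inspects which actions a registry bearer token actually grants, which is what "insufficient_scope" reports on. It assumes the registry uses Docker-style token authentication, where the bearer token is a JWT carrying an "access" claim; the host, project path, secret name, user name and both sample tokens are constructed placeholders.

```python
import base64
import json


def pull_secret(name, registry, username, token):
    """Build a kubernetes.io/dockerconfigjson Secret manifest for a deploy token."""
    auth = base64.b64encode(f"{username}:{token}".encode()).decode()
    config = {"auths": {registry: {"username": username, "password": token, "auth": auth}}}
    blob = base64.b64encode(json.dumps(config).encode()).decode()
    return {"apiVersion": "v1", "kind": "Secret", "metadata": {"name": name},
            "type": "kubernetes.io/dockerconfigjson",
            "data": {".dockerconfigjson": blob}}


def granted_actions(bearer_token, repository):
    """Return the actions a registry bearer token (JWT) grants on a repository.

    The payload is decoded without verifying the signature: use this for
    diagnosis only, never to make an authorization decision.
    """
    payload = bearer_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    actions = set()
    for entry in claims.get("access") or []:
        if entry.get("type") == "repository" and entry.get("name") == repository:
            actions.update(entry.get("actions", []))
    return actions


def _sample_jwt(access):
    """Constructed, unsigned sample token; not issued by any real server."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"access": access}), ""])


REPO = "group/project"  # placeholder project path
DENIED = _sample_jwt([])  # token issued, but no access granted
ALLOWED = _sample_jwt([{"type": "repository", "name": REPO, "actions": ["pull"]}])

if __name__ == "__main__":
    secret = pull_secret("regcred", "registry.example.com", "deploy-token-user", "PLACEHOLDER")
    print(json.dumps(secret, indent=2))
    print("denied token grants:", sorted(granted_actions(DENIED, REPO)))
    print("allowed token grants:", sorted(granted_actions(ALLOWED, REPO)))
```

A token that decodes to an empty set of actions for the repository means the credentials were accepted but pull was not authorized, so the secret itself is well-formed and the problem is on the permission side.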