Add read_package_registry and write_package_registry access scopes to Personal and Group/Project Access Tokens
Description
The current scopes of Personal, Group and Project Access Tokens include: api, read_api, read_repository, write_repository, read_registry and write_registry. The api scope grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry.
Problem Statement
There is currently no way to restrict Personal and Group/Project Access Tokens from publishing to the package registry. Therefore, any Group/Project Access Token with a developer role or higher and a write api access scope can publish to the package registry by default. If any user with a developer role or higher generates a Personal Access Token with "Write api" access, it will come with the ability to publish to the package registry as well. Deploy Tokens are the only tokens that can be scoped to write_package_registry and thus scoped to not write to the package registry.
Proposal
Add read_package_registry and write_package_registry scopes to Personal and Group/Project Access Tokens, so as to restrict access to publish to the Package Registry, much like we can granularly restrict access tokens from publishing to the container registry.
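
Until such scopes exist, the tokens affected by the problem statement can at least be inventoried. The following is an added example, not part of the original issue or of GitLab's code: it flags Group/Project Access Tokens that can publish packages only because they carry the api scope with a developer role or higher. It assumes records shaped like the project access tokens API response (scopes, access_level, active, revoked); the sample records are constructed.

```python
import json

DEVELOPER = 30  # GitLab access level of the Developer role

# Constructed sample records, shaped like entries returned by the project
# access tokens API; ids, names and values are made up for this example.
SAMPLE_TOKENS = json.loads("""
[
  {"id": 1, "name": "ci-release", "scopes": ["api"],
   "access_level": 40, "active": true, "revoked": false},
  {"id": 2, "name": "docs-sync", "scopes": ["read_api", "read_repository"],
   "access_level": 30, "active": true, "revoked": false},
  {"id": 3, "name": "reporter-bot", "scopes": ["api"],
   "access_level": 20, "active": true, "revoked": false},
  {"id": 4, "name": "old-deploy", "scopes": ["api"],
   "access_level": 30, "active": false, "revoked": true},
  {"id": 5, "name": "image-push", "scopes": ["api", "write_registry"],
   "access_level": 30, "active": true, "revoked": false}
]
""")


def can_publish_packages(token):
    """True if a usable token gets package-registry write through `api`."""
    usable = token.get("active", False) and not token.get("revoked", False)
    has_api = "api" in token.get("scopes", [])
    return usable and has_api and token.get("access_level", 0) >= DEVELOPER


def audit(tokens):
    """List tokens whose package publish right is implied by `api` alone."""
    findings = []
    for token in tokens:
        if can_publish_packages(token):
            findings.append({
                "id": token["id"],
                "name": token["name"],
                "access_level": token["access_level"],
                # Scopes that would remain if `api` were dropped from the token.
                "other_scopes": sorted(set(token["scopes"]) - {"api"}),
            })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_TOKENS):
        print(finding)
```

Personal Access Tokens carry no access_level of their own, so the same check for them needs the owning user's role in each project or group.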