Add read_package_registry and write_package_registry access scopes to Personal and Group/Project Access Tokens
Description
The current scopes of Personal, Group and Project Access Tokens include: api, read_api, read_repository, write_repository, read_registry and write_registry. The api scope grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry.
Problem Statement
There is currently no way to restrict Personal and Group/Project Access Tokens from publishing to the package registry; therefore, any Group/Project Access Token with a developer role or higher and a write api access scope can publish to the package registry by default. If any user with a developer role or higher generates a Personal Access Token with “Write api” access, it will come with the ability to publish to the package registry as well. Deploy Tokens are the only tokens that can be scoped to write_package_registry and thus scoped to not write to the package registry.
Proposal
Add read_package_registry and write_package_registry scopes to Personal and Group/Project Access Tokens, so as to restrict access to publish to the Package Registry, much like we can granularly restrict access tokens from publishing to the container registry.
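Until such scopes exist, the rule in the Problem Statement can be used to audit a token inventory for implicit publish rights. The following is an added example, not part of the original issue or GitLab's code: the record shape (`kind`, `name`, `scopes`, `access_level`, `active`) is a hypothetical normalized inventory, the sample tokens are constructed, and `access_level` is assumed to be the token's effective role in the project being audited.

```python
# Added example: flag tokens that can publish to the package registry.
# Rule taken from the issue text: api scope + Developer role or higher
# implies publish rights; deploy tokens need write_package_registry.

DEVELOPER = 30  # GitLab role values: 10 Guest, 20 Reporter, 30 Developer, 40 Maintainer, 50 Owner

# Constructed sample inventory (hypothetical names and record shape).
SAMPLE_TOKENS = [
    {"kind": "project_access_token", "name": "ci-release",
     "scopes": ["api"], "access_level": 40, "active": True},
    {"kind": "project_access_token", "name": "readonly-bot",
     "scopes": ["read_api", "read_repository"], "access_level": 30, "active": True},
    {"kind": "group_access_token", "name": "issue-sync",
     "scopes": ["api"], "access_level": 20, "active": True},
    {"kind": "project_access_token", "name": "old-deployer",
     "scopes": ["api"], "access_level": 30, "active": False},
    {"kind": "deploy_token", "name": "npm-publish",
     "scopes": ["read_package_registry", "write_package_registry"], "active": True},
    {"kind": "deploy_token", "name": "image-pull",
     "scopes": ["read_registry"], "active": True},
]


def publish_reason(token):
    """Return why a token can publish packages, or None if it cannot."""
    if not token.get("active", False):
        return None  # revoked or expired tokens are out of scope for the audit
    scopes = set(token.get("scopes", []))
    if token["kind"] == "deploy_token":
        # Deploy tokens carry an explicit, narrow scope for publishing.
        if "write_package_registry" in scopes:
            return "explicit write_package_registry scope"
        return None
    # Personal, group and project access tokens: publishing rides on api.
    if "api" in scopes and token.get("access_level", 0) >= DEVELOPER:
        return "implicit via api scope with Developer role or higher"
    return None


def audit(tokens):
    """List (name, kind, reason) for every token that can publish packages."""
    findings = []
    for token in tokens:
        reason = publish_reason(token)
        if reason:
            findings.append((token["name"], token["kind"], reason))
    return findings
```

Tokens reported with the "implicit" reason are the ones the proposed scopes would allow to be narrowed.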