Project Access Token does not work for GET /projects/:id/registry/repositories despite correct scopes
Summary
Our scopes explanation of Project Access Tokens says:
apiGrants complete read and write access to the scoped project API, including the Package Registry.
…
read_registryGrants read access (pull) to the Container Registry images if a project is private and authorization is required.
However, an API call to GET /projects/:id/registry/repositories in the project where that PAT was created, fails with 404, as one would expect when using no --header "PRIVATE-TOKEN: $pat or that of another project or one with insufficient scope.
Steps to reproduce
See script in katrinleinweber-kl-tests/zd-432450-tag-keep (admins only for now; I'll invite assignees of this issue.)
Example Project
See Steps section above.
What is the current bug behavior?
Even with api & both registry_ scopes the GET request fails with 404 Project Not Found.
What is the expected correct behavior?
The request should succeed, and no Personal Access Token should be needed.
Relevant logs and/or screenshots
Output of checks
This bug happens on GitLab.com
Results of GitLab environment info
Results of GitLab application Check
Possible fixes
Clarify in the docs, that api scope excludes the container registry, or that Project Access tokens generally don't work here.