New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Do you really need a personal access token? #27
Comments
Things change all the time, but last time I checked a PAT was required. Definitely understand your hesitation though - not entirely comfortable with it either. |
Thanks for the quick reply. I will experiment and feedback just in case it has changed. |
Please do 🥇 And I guess we can leave this open for a while in case anyone else has relevant input 👍 |
It hasn't changed. A personal access token is still required 😢 Would be great to understand if packages/delete will make it to the GITHUB_TOKEN permissions anytime soon @NamrataJha et al. |
I can confirm that, at the moment, an own personal access token with
|
This GitHub blog post states GITHUB_TOKEN is supported in delete operations |
I just tried switching in one of my workflows, and it resulted in a 500 internal server error 🤔 |
The article is referring to a different type of API endpoint used by To delete private container images, you need access via api.github.com REST API endpoint, which as of now is not supported by |
According to snok/container-retention-policy#27 (comment) a PAT is needed.
I've opened a community discussion on this topic over here: Feel free to comment on or upvote the discussion to boost it's visibility/priority. |
Did anyone test fine-grained tokens https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/ for that? |
The other actions query the packages individually, and that operation works with the default token, as long as the repository can manage its own packages:
This action doesn't have an easy migration path to the latter, because it also supports regular expressions for package names. |
@0x2b3bfa0 this is also my observation. In case we can identify the special case of only completely specified package names, it should be possible to use without a PAT similar to what I did in Chizkiyahu/delete-untagged-ghcr-action@3202d05. |
This looks really useful although I'm very reluctant to create a PAT.
Have you experimented to see whether this can be replaced with a
packages: write
permission? i.e.This certainly lets you push and pull containers but I don't know if delete is included in
write
. I wondered if you knew one way or the other.The text was updated successfully, but these errors were encountered: