Fine-grained personal access tokens #331

Open
waldirborbajr opened this issue Nov 4, 2022 · 1 comment
@waldirborbajr

Behaviour

I've created a PAT from the Beta Fine-grained token option, marked ALL User and Repository permissions options as READ-WRITE, and copied the generated token.

In my project repository I've created an Action Token called GH_PAT and copied in the token generated from Fine-grained, then executed the action to generate a deploy to GHCR.io.

After that I've executed that action to deploy, but I got a permission error when the action tries to deploy to GHCR.io.

With the Classic version of the token, Token (Classic), it works perfectly without errors.

Repository permissions

  • Read access to codespaces metadata and metadata
  • Read and Write access to Dependabot alerts, actions, administration, code, codespaces, codespaces lifecycle admin, codespaces secrets, commit statuses, dependabot secrets, deployments, discussions, environments, issues, merge queues, pages, pull requests, repository hooks, secret scanning alerts, secrets, security events, and workflows

User Permission

  • Read access to plan and private repository invitations
  • Read and Write access to blocking, codespaces user secrets, email addresses, followers, gists, git signing ssh public keys, gpg keys, interaction limits, keys, profile, starring, and watching

Action to deploy

  - name: "Login to GitHub Container Registry"
    uses: docker/login-action@v1
    with:
      registry: ghcr.io
      username: ${{ github.repository_owner }}
      password: ${{ secrets.GH_PAT }}

Steps to reproduce this issue

  1. Generate a Fine-grained token with ALL permission to READ-WRITE
  2. Generate a Project PAT with token generated from Fine-grained
  3. Try to deploy

Expected behaviour

Tell us what should happen

Should have made the deploy to GHCR.io

Actual behaviour

Tell us what happens instead

• publishing
• docker images
• pushing image=ghcr.io//kvstok:0.2.1-arm64
⨯ release failed after 1m20s error=docker images: failed to publish artifacts: failed to push ghcr.io/
/kvstok:0.2.1-arm64: exit status 1: The push refers to repository [ghcr.io/***/kvstok]
4a793d9ee315: Preparing
ff8e7336f73c: Preparing
c4d4f60bd31b: Preparing
de51348d431b: Preparing
denied: permission_denied: The token provided does not match expected scopes.

Error: The process '/opt/hostedtoolcache/goreleaser-action/1.12.3/x64/goreleaser' failed with exit code 1

Configuration

# paste your YAML workflow file here and remove sensitive data
name: Build & Release

on:
  push:
    tags:
      - 'v*'

permissions:
  contents: write # needed to write releases
  id-token: write # needed for keyless signing
  packages: write # needed for ghcr access
  issues: write

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"

    steps:
      - name: "Checkout"
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: "Fetch all tags"
        run: git fetch --force --tags

      - name: "Setup Go"
        uses: actions/setup-go@v3
        with:
          go-version: ">=1.19.0"
          cache: true

      - name: "Setup Qemu"
        uses: docker/setup-qemu-action@v2

      - name: "Setup Docker BuildX"
        uses: docker/setup-buildx-action@v2

      - name: "Login to DockerHub"
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: "Login to GitHub Container Registry"
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GH_PAT }}

      - name: "Release a new version"
        id: release
        uses: goreleaser/goreleaser-action@v3
        if: success() && startsWith(github.ref, 'refs/tags/')
        with:
          distribution: goreleaser
          version: latest
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT }}

Logs

Download the log file of your build
and attach it to this issue.
logs_429.zip

@boxofyellow

@waldirborbajr I know this is an old issue, but I wanted to call out this part of the GitHub Packages documentation:
https://docs.github.com/en/packages/learn-github-packages/about-permissions-for-github-packages#about-scopes-and-permissions-for-package-registries

GitHub Packages only supports authentication using a personal access token (classic). For more information, see "Creating a personal access token."
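
A pre-flight check for the failure discussed in this thread, as an added example that is not part of the original issue or of docker/login-action: it classifies a secret by GitHub's documented token prefixes and stops before `docker login ghcr.io` when the secret is a fine-grained PAT. The function names and exit codes are hypothetical, the sample tokens in the comments are constructed, and treating installation tokens (such as the workflow's `GITHUB_TOKEN`) as accepted assumes the job grants `packages: write`.

```shell
#!/bin/sh
# Added example: classify a GitHub token by prefix without ever printing it,
# then decide whether it is worth attempting a ghcr.io login with it.

# classify_github_token TOKEN
# Prints the token family based on GitHub's documented prefixes.
classify_github_token() {
  case "$1" in
    github_pat_*) echo "fine-grained-pat" ;;  # e.g. github_pat_CONSTRUCTED
    ghp_*)        echo "classic-pat" ;;       # e.g. ghp_CONSTRUCTED
    ghs_*)        echo "installation" ;;      # includes the workflow GITHUB_TOKEN
    gho_*)        echo "oauth" ;;
    ghu_*)        echo "user-to-server" ;;
    ghr_*)        echo "refresh" ;;
    *)            echo "unknown" ;;           # legacy or non-GitHub value
  esac
}

# ghcr_preflight TOKEN
# Returns 0 when the token family can authenticate to ghcr.io,
# 1 for a fine-grained PAT (the case reported in this issue),
# 2 when the family cannot be determined from the prefix.
ghcr_preflight() {
  _kind=$(classify_github_token "$1")
  case "$_kind" in
    classic-pat|installation)
      echo "ok: $_kind token"
      return 0 ;;
    fine-grained-pat)
      echo "error: fine-grained PAT supplied; GitHub Packages expects a" \
           "personal access token (classic) with package scopes" >&2
      return 1 ;;
    *)
      echo "warning: token family '$_kind' not recognised for ghcr.io" >&2
      return 2 ;;
  esac
}

# Stand-alone use inside a workflow step: GH_PAT is passed in via env.
if [ -n "${GH_PAT:-}" ]; then
  ghcr_preflight "$GH_PAT"
fi
```

Run as a step before the registry login with `GH_PAT` mapped from the secret, this turns the registry's `permission_denied` at push time into an immediate, explained failure.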
