Limiting token access scope to specific packages (containers) on repo?

[oerp-odoo]

Select Topic Area

Question

Body

Is there a way to have more fine grained scope for packages using same user (or org) to generate multiple tokens? We have many packages (docker images) related with single repository. Classic token only gives read access to all packages and I don't see a way to limit that scope.

We need each token to have scope for specific package only and to not need to use multiple users for that (ideally to just generate token from org, but not sure if its even possible).

Currently we workaround this by creating separate github user and granting that user access only to specific package. And then generate classic PAT to have package read access (which does not have more fine grained scope than just read to all possible packages user can access). But this way each "bot" user costs money, yet it is not used as real user..

That new fine grained Token, does not seem to even work properly with users, because if you have some user that has access to org and its resources, that user is not an owner. And to specify access via that TOKEN, it must be an owner, so you can't even choose repository from org.

[barishaxxer]

what about using GitHub Apps.this can provide more fine grained control over repository and package access.you can install it at the organization level and configure with specific permissions.
thus it can be scoped to specific repositories or package.
"Developer settings" > "GitHub Apps" > "New GitHub App". Under "Repository permissions" you can adjust the permissions over packages,repositories and users.

[oerp-odoo]

But it looks like it has the same scope limitations as PAT:

I can only select read access without any more specificity. Or is there some way to later define "narrower" scope or something? Like I would initially specify read access for packages and then when I install an "app" I would be able to give access only to those packages I want?

[barishaxxer]

When you create app,you set the maximum permissions it can have. So yes at this stage you give it read access to packages without more specificity.
The real fine grained control happens during installation
choose repositories where the app is installed. The app will only have access to packages in these repositories.
Choose to accept all or only a subset of the permissions the app is requesting.

You can create multiple installations of the same app, each with access to different sets of repositories. This effectively allows you to create "package groups"with separate access tokens.
1.create a GitHub App with read access to packages.
2.create an installation that only has access to repositories that you want.
3.generate an installation token for this installation.R
4.this token would only have access to packages in repositories you have choosen
when you generate an installation access token it is scoped to the permissions and repositories of that specific installation.

if this solves your problem dont forget to mark this comment as answer to close topic and if you have further questions dont hesitate to reach me via mail/telegram

[oerp-odoo]

Unfortunately as I said all my packages are related with single repository (as it would be redundant to create new repository for each new package, because we use monorepo). So the scope is still the same as you can't specify to which packages you give access to, only which repository, which then means you give access to all packages or no packages at all. At least I only was able to select repository when installing an app and nothing more

[barishaxxer]

i understand.i dont know what to do in this situation try to create a [REQUEST] topic.