Update personal access token scope descriptions to reflect registry permissions
Problem to solve
The GitLab Container Registry allows users to build, push and pull images/tags from GitLab CI. In order to authenticate to the Container Registry via GitLab CI/CD with private and internal projects, users must use a personal access token.
There are two scopes for the personal access token with regards to the Container registry:
-
api
: Grants complete access to the API and Container Registry (read/write). -
read_registry
: Allows to read (pull) container registry images if a project is private and authorization is required.
In the documentation, it clearly states that the api
scope grants Container Registry read/write access, but in the app at /profile/personal_access_tokens
it says "Grants complete read/write access to the API, including all groups and projects." which is confusing for users and has resulted in several issues being opened.
Intended users
Proposal
Update the copy at /profile/personal_access_tokens
for the api
scope to say: "Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry." to reflect that api
scope allows registry read/write access.
Further Details
There are other requests to create a new scope that only allows for pushing to the container registry and a request to create more granular permissions for the container registry.
Permissions and Security
There are no permissions or security concerns for this issue.
Documentation
Testing
There are no special testing requirements.