Hacker News

cyberax 01/15/2026

> Said tokens didn't have admin access, but had enough privileges to invite other users to become full admins.

Ah... GitHub permissions. What fun.

GitHub actually has a way to federate with AWS for short-lived credentials, but then it screws everything up by completely half-assing the ghcr.io implementation. It's only available using the old deprecated classic access tokens.


Replies

catlifeonmars 01/16/2026

Right? How is it that you still need a PAT or a custom app installation to access a registry?

fowl2 01/18/2026

Yeah wow! Even most "trusted" contributors shouldn't have this level of access. Is there really no way of scoping tokens with more granularity?
