I am exploring the use of GitHub Container Registry (ghcr) for storing docker images built in my Continuous Integration (CI) pipelines that are built in GitHub Actions.
I am reading Migrating to GitHub Container Registry for Docker images which states:
Add your new container registry authentication personal access token (PAT) as a GitHub Actions secret. GitHub Container Registry does not support using GITHUB_TOKEN for your PAT so you must use a different custom variable, such as CR_PAT.
Earlier in that article though there is a link to Security hardening for GitHub Actions which states:
You should never use personal access tokens from your own account. These tokens grant access to all repositories within the organizations that you have access to, as well as all personal repositories in your user account. This indirectly grants broad access to all write-access users of the repository the workflow is in. In addition, if you later leave an organization, workflows using this token will immediately break, and debugging this issue can be challenging.
If a personal access token is used, it should be one that was generated for a new account that is only granted access to the specific repositories that are needed for the workflow. Note that this approach is not scalable and should be avoided in favor of alternatives, such as deploy keys.
Those quotes seem contradictory. The first is telling me to use PATs to authenticate to ghcr in my CI pipelines, the other seems to be telling me that I shouldn't.
Am I correct that they are contradictory or have I misunderstood?
What is the correct course of action for authenticating to ghcr from a GitHub Action workflow?
From: https://github.community/t/should-i-use-a-personal-access-token-for-accessing-ghcr-from-github-actions/165381
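As an added illustration that is not part of the thread, this is the workflow step the first quoted passage describes: the token is stored as the repository secret CR_PAT (the name the quote uses) and piped to docker login over stdin. The workflow name, the trigger and the image naming are assumptions; the lowercase conversion is there because ghcr.io rejects image names containing uppercase letters, and github.repository carries the owner's name as typed.

```yaml
# Added example, not taken from the thread or from GitHub's docs.
# Assumes the registry token is stored as the repository secret CR_PAT.
name: build-and-push

on:
  push:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      # Feed the secret through stdin so it never appears as a command-line
      # argument; GitHub also masks secret values in the job log.
      - name: Log in to ghcr.io
        run: echo "${{ secrets.CR_PAT }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin

      - name: Build and push
        run: |
          # ghcr.io requires a lowercase image path; github.repository is owner/repo as typed.
          REPO="$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')"
          IMAGE="ghcr.io/${REPO}:${{ github.sha }}"
          docker build -t "$IMAGE" .
          docker push "$IMAGE"
```

Whatever value CR_PAT holds is what the second quoted passage is about: a PAT from a maintainer's own account gives every write-access collaborator of the repository indirect use of that account's full reach, and the workflow stops working the moment that person leaves the organization. If a PAT is the only option the registry accepts, the quoted hardening guidance points at a token from a dedicated account that can reach only the repositories and packages this workflow needs, so that the blast radius of a leaked secret is limited to that scope.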