Support automatic GitHub Packages permissions with platform token

[rarkins]

What would you like Renovate to be able to do?

The Renovate App currently doesn't ask for Packages permissions:

Before we ask for that permission (which will trigger a lot of permission notification emails) I want to make sure it works, ideally for both github.com and self-hosted GHES at the same time.

For github.com, it seems like *.pkg.github.com and ghcr.io are the relevant hosts which users would like to work. Do github tokens typically work for both? e.g. can we assume that if we have a github.com token it also might be valid for ghcr.io too?

If you have any ideas on how this should be implemented, please tell us here.

Might need addition of new hostRules as part of initPlatform()

Is this a feature you are interested in implementing yourself?

Maybe

[mbrevda]

can we assume that if we have a github.com token it also might be valid for ghcr.io too?

The docs would seem to indicate that yes (unless they are referring to Actions only?)

[mbrevda]

Should this be reopened in the meantime?

[fhaertig]

Hi, I'm wondering what the actual status of this is right now, since the relevant feature apparently was merged, reverted and merged again. Should this work now for the Github hosted renovate app (mend)? Because I'm unable to find a valid configuration for checking images hosted on ghcr.io, pushed from a private repository. I tried with/without username, with/without explicitly added PAT (encrypted) and with packageRules only.

Thanks in advance!

[PhilipAbed]

we rolled back the changes after some flows failed because of this feature.
it's hard to support automatic authentication with current design, it has big impact.

if you set the right packageRules configurations manually it should work fine, but this is not the place to ask such a question try in discussions and we may help you.

[rarkins]

The app now requests read-only access to Packages:

However Renovate still doesn't apply a package rule automatically for this.

Looking at GHCR docs:

I think this implies:

• Username is kind of ignored
• Token is used as password

I wonder in that case if we can automatically create a hostRule which reuses the same token passed to initToken and set matchHost=ghcr.io, hostType=docker, username=USERNAME, password=

[rarkins]

Working on #25016 for ghcr.io first

[rarkins]

Rubygems

From https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-rubygems-registry

So it looks like we'd need to configure a username/password hostRules entry.

npm

From https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry

So this looks like Basic auth with a token hostRules entry

Maven

From https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-apache-maven-registry

So this looks like Rubygems - username/password

NuGet

From https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-nuget-registry

So this also appears to be username/password

[rarkins]

To keep this simple, we can perhaps configure a username/password hostRules entry for pkg.github.com and then a Basic token hostRules entry for npm.pkg.github.com and check if that works.

[rarkins]

PR: #25214

[renovate-release]

🎉 This issue has been resolved in version 37.25.0 🎉

The release is available on:

• GitHub release
• 37.25.0

Your semantic-release bot 📦🚀