Closed: theoriginalgri closed this issue 1 month ago
+1 on this request, and +1 on the kudos.
The ability to maintain separation between tokens/identities that can push to a repo versus those that can only pull from a repo is an important capability; otherwise it's not possible to use this project in the context of user endpoints or build pipelines, because it implies you'd be giving the ability to modify your own trusted repo to those contexts.
[edited to add after reviewing code]
Looks like the JWT auth method does have a `capabilities` attribute that distinguishes push/pull. Important to note that the JWT would need to be generated server-side with a probably long TTL. The implementation also looks like it provides an `account-id` attribute, which is rather helpful.
If the JWT auth mechanism is stable, are we just missing some documentation in that case?
Love where this project is going, happy days.
The JWT mechanism is designed around an external third party being able to generate a JWT for the registry and should be stable. I completely agree we should be providing easier ways to have read-only credentials!
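To make the pull-versus-push separation discussed above concrete, here is an added example (not code from this project, and not posted by anyone in the thread) of what a registry-side token issuer and authorizer look like when the JWT carries a `capabilities` claim and an `account-id` claim. The claim names `capabilities` and `account-id` are taken from the comment above; the action strings `"pull"` and `"push"`, the HS256 signing, the TTL handling and the demo secret are assumptions made for this illustration, not this project's actual format. The point it demonstrates is that a build pipeline or user endpoint can hold a token that verifies correctly but is still refused a push, and that a token not signed with the registry's key, or one past its expiry, is refused everything.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret. A real registry loads its signing key from config
# and never hands it to the clients that merely present tokens.
SIGNING_KEY = b"demo-secret-not-for-production"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(account_id, capabilities, ttl_seconds, now: Optional[int] = None, key: bytes = SIGNING_KEY) -> str:
    """Server-side issuance: mint an HS256 JWT naming the account and its capabilities.

    Claim names 'account-id' and 'capabilities' follow the thread; everything else
    (action strings, HS256, exp/iat) is an assumption for this example.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "account-id": account_id,
        "capabilities": list(capabilities),  # e.g. ["pull"] or ["pull", "push"]
        "iat": now,
        "exp": now + ttl_seconds,            # long TTL is fine, but it must still expire
    }
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_token(token: str, now: Optional[int] = None, key: bytes = SIGNING_KEY) -> dict:
    """Registry-side verification: check structure, algorithm, signature and expiry.

    Raises ValueError on any failure so callers cannot accidentally use unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if int(payload.get("exp", 0)) <= now:
        raise ValueError("token expired")
    return payload


def authorize(token: str, action: str, now: Optional[int] = None) -> bool:
    """Return True only if the token verifies and its capabilities include the action.

    A pull-only token held by a CI runner therefore verifies fine for "pull"
    and is refused for "push", which is the separation the thread asks for.
    """
    try:
        claims = verify_token(token, now=now)
    except ValueError:
        return False
    return action in claims.get("capabilities", [])


if __name__ == "__main__":
    t0 = 1_000
    ci_token = issue_token("ci-builder", ["pull"], ttl_seconds=30 * 24 * 3600, now=t0)
    release_token = issue_token("release-bot", ["pull", "push"], ttl_seconds=3600, now=t0)
    print("ci pull :", authorize(ci_token, "pull", now=t0 + 60))        # True
    print("ci push :", authorize(ci_token, "push", now=t0 + 60))        # False
    print("rel push:", authorize(release_token, "push", now=t0 + 60))   # True
```

The `key` parameter on `issue_token` exists only so a reader can see that a token minted with any other key, for example by a client that holds no registry secret, fails `verify_token` and is refused for every action; in a deployment the issuer and verifier simply share the one registry key.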
Great project you've done here!
Currently there's only the option to have a user/token that can pull and push images.
It would be great to have the ability to have a user/token that can only pull images so that it can be used in a safer way.