Skip to content

Support usage of Organization Access Tokens (OAT) #294

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dmohns opened this issue Dec 3, 2024 · 4 comments
Open

Support usage of Organization Access Tokens (OAT) #294

dmohns opened this issue Dec 3, 2024 · 4 comments

Comments

@dmohns
Copy link

dmohns commented Dec 3, 2024

Hey 👋

loving this Github Action so far!

Problem description:

Our org recently moved to use Organization Access Tokens (OAT) rather than Personal Access Tokens (PAT) in our deployment pipelines, see https://docs.docker.com/security/for-admins/access-tokens/

This works well for all other actions which Push images to DockerHub. However, the update-description action fails with

2024-12-03T09:06:54.3973709Z ##[group]Run peter-evans/dockerhub-description@v4
2024-12-03T09:06:54.3975152Z with:
2024-12-03T09:06:54.3976736Z   username: ***
2024-12-03T09:06:54.3977895Z   password: ***
2024-12-03T09:06:54.3979062Z   repository: ***/micropowermanager-backend
2024-12-03T09:06:54.3980973Z   short-description: Open Source Management Tool for Decentralized Utilities
2024-12-03T09:06:54.3982679Z ##[endgroup]
2024-12-03T09:06:54.4475667Z Reading description source file
2024-12-03T09:06:54.4491208Z Acquiring token
2024-12-03T09:06:54.7319170Z ##[error]Unexpected response: 401 Unauthorized

It would be great if we can use the update-description with OAT.

Additional information:

I don't fully understand where the issues is coming from. It might be related to the fact that OAT and PAT have slightly different permission levels. For example, for PAT I chose Read, Write, Delete as scope, while OAT have scope Push and Pull.
@peter-evans
Copy link
Owner

Hi @dmohns

It's not clear to me from the documentation whether these tokens support the API this action uses.

Push and Pull doesn't seem like the right scope to me. Is there a more permissive scope with Admin-like privilege?

I don't have access to this feature so I can't check. 😅

@dmohns
Copy link
Author

dmohns commented Dec 6, 2024

This looks a lot like some issue on DockerHub side with this new tokens. I guess they are in beta after all 😄

I did some testing here on my side. Actually the login call is already causing problems. Trying to run only the login from my local machine yields

{
  "detail": "Cannot log into an organization account"
}

I also noticed here in the Docker Hub API docs that

Note

As of Monday, September 16, 2024, this route requires a PAT instead of a password if your organization has SSO enforced.

Maybe this is interfering.

I will raise the issue to DockerHub. Let's see what the response is. Keeping this issue open for visibility.

@jspiewak
Copy link

jspiewak commented Apr 2, 2025

Looks like you are using the deprecated /v2/users/login endpoint.
I wonder if things will just work if you switch to the recommended /v2/auth/token endpoint instead.

@ianpittwood
Copy link

I created PR #311 for updating the endpoint as @jspiewak mentioned. This does fix the 401 issue when creating tokens using an OAT, but it would appear that OATs still lack sufficient permissions to use the /v2/repositories/ endpoint.

@peter-evans do you happen to know if there's any public documentation of that /v2/repositories/ endpoint? It's not in with the rest of the Docker Hub API and I was hoping any sort of documentation could clear up our issues with using OATs.

@ianpittwood ianpittwood mentioned this issue Apr 3, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@jspiewak @ianpittwood @dmohns @peter-evans