diff --git a/app/assets/javascripts/deploy_tokens/deploy_token_translations.js b/app/assets/javascripts/deploy_tokens/deploy_token_translations.js
index 0d3f92b2347b5767b882e34c480467c456ef0ae3..465a769626acc9adb7312075b057832cfb15c6cb 100644
--- a/app/assets/javascripts/deploy_tokens/deploy_token_translations.js
+++ b/app/assets/javascripts/deploy_tokens/deploy_token_translations.js
@@ -31,7 +31,9 @@ const translations = {
),
readRepositoryHelp: s__('DeployTokens|Allows read-only access to the repository.'),
readRegistryHelp: s__('DeployTokens|Allows read-only access to registry images.'),
- writeRegistryHelp: s__('DeployTokens|Allows read and write access to registry images.'),
+ writeRegistryHelp: s__(
+ 'DeployTokens|Allows write access to registry images. You need both read and write access to push images.',
+ ),
readPackageRegistryHelp: s__('DeployTokens|Allows read-only access to the package registry.'),
groupWritePackageRegistryHelp: s__(
'DeployTokens|Allows read and write access to the package registry.',
diff --git a/config/locales/doorkeeper.en.yml b/config/locales/doorkeeper.en.yml
index 85a4a84892d22aa8b8f6109cfccb41f65c2516e4..35c25854620a79b0d6a9a39f61869babba9d9c20 100644
--- a/config/locales/doorkeeper.en.yml
+++ b/config/locales/doorkeeper.en.yml
@@ -94,7 +94,7 @@ en:
read_registry:
Grants read-only access to container registry images on private projects.
write_registry:
- Grants write access to container registry images on private projects.
+ Grants write access to container registry images on private projects. You need both read and write access to push images.
read_observability:
Grants read-only access to GitLab Observability.
write_observability:
@@ -131,7 +131,7 @@ en:
read_registry:
Grants read access (pull) to the container registry images if any project within a group is private and authorization is required.
write_registry:
- Grants write access (push) to the container registry.
+ Grants write access (push) to the container registry. You need both read and write access to push images.
read_observability:
Grants read-only access to GitLab Observability.
write_observability:
@@ -164,7 +164,7 @@ en:
read_registry:
Grants read access (pull) to the Container Registry images if a project is private and authorization is required.
write_registry:
- Grants write access (push) to the Container Registry.
+ Grants write access (push) to the Container Registry. You need both read and write access to push images.
read_observability:
Grants read-only access to GitLab Observability.
write_observability:
diff --git a/doc/user/group/settings/group_access_tokens.md b/doc/user/group/settings/group_access_tokens.md
index 6667e1236d3e608a6b5094a17c3c2e5fd5e9220f..ee2cce991526dde38440f65e955c05a515b6e479 100644
--- a/doc/user/group/settings/group_access_tokens.md
+++ b/doc/user/group/settings/group_access_tokens.md
@@ -152,7 +152,7 @@ The scope determines the actions you can perform when you authenticate with a gr
| `api` | Grants complete read and write access to the scoped group and related project API, including the [container registry](../../packages/container_registry/index.md), the [dependency proxy](../../packages/dependency_proxy/index.md), and the [package registry](../../packages/package_registry/index.md). |
| `read_api` | Grants read access to the scoped group and related project API, including the [package registry](../../packages/package_registry/index.md). |
| `read_registry` | Grants read access (pull) to the [container registry](../../packages/container_registry/index.md) images if any project within a group is private and authorization is required. |
-| `write_registry` | Grants write access (push) to the [container registry](../../packages/container_registry/index.md). |
+| `write_registry` | Grants write access (push) to the [container registry](../../packages/container_registry/index.md). You need both read and write access to push images. |
| `read_repository` | Grants read access (pull) to all repositories within a group. |
| `write_repository` | Grants read and write access (pull and push) to all repositories within a group. |
| `create_runner` | Grants permission to create runners in a group. |
diff --git a/doc/user/packages/container_registry/authenticate_with_container_registry.md b/doc/user/packages/container_registry/authenticate_with_container_registry.md
index 4c0f2aadb4017452ee92e6841e40155dd84675e0..d2c8053c4c0ed03a9aff810519087041f4d94f3b 100644
--- a/doc/user/packages/container_registry/authenticate_with_container_registry.md
+++ b/doc/user/packages/container_registry/authenticate_with_container_registry.md
@@ -50,7 +50,7 @@ To use CI/CD to authenticate with the container registry, you can use:
- A [deploy token](../../project/deploy_tokens/index.md#gitlab-deploy-token) with the minimum scope of:
- For read (pull) access, `read_registry`.
- - For write (push) access, `write_registry`.
+ - For write (push) access, `read_registry` and `write_registry`.
```shell
docker login $CI_REGISTRY -u $CI_DEPLOY_USER --password-stdin <<<$CI_DEPLOY_PASSWORD
@@ -58,7 +58,7 @@ To use CI/CD to authenticate with the container registry, you can use:
- A [personal access token](../../profile/personal_access_tokens.md) with the minimum scope of:
- For read (pull) access, `read_registry`.
- - For write (push) access, `write_registry`.
+ - For write (push) access, `read_registry` and `write_registry`.
```shell
docker login $CI_REGISTRY -u <username> -p <access_token>
diff --git a/doc/user/project/deploy_tokens/index.md b/doc/user/project/deploy_tokens/index.md
index 8c821140fb12ca3320c989a656f216249a56ac16..770729b090fe570358bc0ab652fd95c1a2811d42 100644
--- a/doc/user/project/deploy_tokens/index.md
+++ b/doc/user/project/deploy_tokens/index.md
@@ -52,7 +52,7 @@ A deploy token's scope determines the actions it can perform.
|--------------------------|--------------------------------------------------------------------------------------------------------------|
| `read_repository` | Read-only access to the repository using `git clone`. |
| `read_registry` | Read-only access to the images in the project's [container registry](../../packages/container_registry/index.md). |
-| `write_registry` | Write access (push) to the project's [container registry](../../packages/container_registry/index.md). |
+| `write_registry` | Write access (push) to the project's [container registry](../../packages/container_registry/index.md). You need both read and write access to push images. |
| `read_package_registry` | Read-only access to the project's package registry. |
| `write_package_registry` | Write access to the project's package registry. |
@@ -170,7 +170,7 @@ You can use a deploy token to push images to a container registry.
Prerequisites:
-- A deploy token with the `write_registry` scope.
+- A deploy token with the `read_registry` and `write_registry` scope.
Example of using a deploy token to push an image to a container registry:
diff --git a/doc/user/project/settings/project_access_tokens.md b/doc/user/project/settings/project_access_tokens.md
index eb211a35b96f8412c93ced1546c8f38266b01e5e..04532f99ef70090ece4eedd7f57d15b322890137 100644
--- a/doc/user/project/settings/project_access_tokens.md
+++ b/doc/user/project/settings/project_access_tokens.md
@@ -92,7 +92,7 @@ See the warning in [create a project access token](#create-a-project-access-toke
| `api` | Grants complete read and write access to the scoped project API, including the [container registry](../../packages/container_registry/index.md), the [dependency proxy](../../packages/dependency_proxy/index.md), and the [package registry](../../packages/package_registry/index.md). |
| `read_api` | Grants read access to the scoped project API, including the [package registry](../../packages/package_registry/index.md). |
| `read_registry` | Grants read access (pull) to the [container registry](../../packages/container_registry/index.md) images if a project is private and authorization is required. |
-| `write_registry` | Grants write access (push) to the [container registry](../../packages/container_registry/index.md). |
+| `write_registry` | Grants write access (push) to the [container registry](../../packages/container_registry/index.md). You need both read and write access to push images. |
| `read_repository` | Grants read access (pull) to the repository. |
| `write_repository` | Grants read and write access (pull and push) to the repository. |
| `create_runner` | Grants permission to create runners in the project. |
diff --git a/locale/gitlab.pot b/locale/gitlab.pot
index 64f01de90c49b9e5655691f0381e775a81b487a1..dc50605423eb20d5fbb4acec98edf8674ac2d15a 100644
--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -17053,9 +17053,6 @@ msgstr ""
msgid "DeployTokens|Active deploy tokens"
msgstr ""
-msgid "DeployTokens|Allows read and write access to registry images."
-msgstr ""
-
msgid "DeployTokens|Allows read and write access to the package registry."
msgstr ""
@@ -17074,6 +17071,9 @@ msgstr ""
msgid "DeployTokens|Allows write access to registry images."
msgstr ""
+msgid "DeployTokens|Allows write access to registry images. You need both read and write access to push images."
+msgstr ""
+
msgid "DeployTokens|Cancel"
msgstr ""