GitHub App as Image Registry-Specific Authentication Option

[joaoestrela]

Checklist

• I've searched the issue queue to verify this is not a duplicate feature request.
• I've pasted the output of kargo version, if applicable.
• I've pasted logs, if applicable.

Proposed Feature

Support GitHub App auth as Image Registry-Specific Authentication Option

Motivation

Some users might be using GHCR as their image registry, currently it is only possible to use Kargo with public ghcr.io or use username/password which isn't a best practice for machine to machine auth

[Dhouib-Mohamed]

@krancour If possible I would like to take this issue
Can you provide me with more information about the related files to start with since this is my first contribution

[krancour]

@Dhouib-Mohamed it might be as simple as a small change here to allow this helper to work for image repos in addition to git repos:

kargo/internal/credentials/kubernetes/github/app.go

Line 59 in a01f049

if credType != credentials.TypeGit || secret == nil {

You'll want to test it out a bit though to verify it works as intended in case I am overlooking something.

[krancour]

With major thanks to @Dhouib-Mohamed who did a fair amount of work on this issue in #2391, we have come to the conclusion that this requested feature is not technically possible at the moment.

Despite all appearances (a package permissions option when configuring a GitHub App), an App installation token simply cannot enable access to a private ghcr.io package repository.

And here is an existing, 2+ year old thread about this very topic:

https://github.com/orgs/community/discussions/34324

I am tentatively closing this issue, but if anyone knows something that we don't -- if you have seen this work or personally done it -- please do feel free to share your experience or even re-open the issue.