# GitHub Container Registry (GHCR)

1. Generate a GitHub Personal Access Token (PAT)

   A GitHub PAT is required because GitHub doesn't currently support GitHub Apps access to container-type packages.

   Please create a [Classic PAT ](https://github.com/settings/tokens)with the following permissions:

   * **read:org** — Required to list organizations the PAT has access to
   * **read:packages** — Required to list and access packages in these organizations
   * **repo** — Required to access packages linked to private repositories

   [Learn more about creating GitHub PATs](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token)

   <div data-gb-custom-block data-tag="hint" data-style="warning" class="hint hint-warning"><p>A classic PAT grants access to <strong>all</strong> GitHub organizations you belong to. When you connect GHCR, Arnica automatically discovers every organization the token can reach and adds a separate registry integration for each one that has container packages. If you only want to connect specific organizations, use a fine-grained PAT scoped to those organizations instead.</p></div>

   If your GitHub organization uses SAML single sign-on (SSO), you must authorize the PAT for SSO access. In GitHub, go to **Settings > Developer settings > Personal access tokens**, find your token, and click **Configure SSO** to authorize it for the relevant organization. [Learn more about authorizing a PAT for SSO](https://docs.github.com/en/enterprise-cloud@latest/authentication/authenticating-with-saml-single-sign-on/authorizing-a-personal-access-token-for-use-with-saml-single-sign-on).

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>If you belong to multiple SSO organizations but only authorize the PAT for one, Arnica will only add that authorized organization. Unauthorized organizations are skipped silently — you won't see an error for them. To add more organizations later, update your PAT's SSO authorization in GitHub and reconnect.</p></div>
2. In Arnica, click Connect next to **GitHub Container Registry (GHCR)**\
   ![](https://4035514934-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FMxc1Ek3qoIZi5t2Sx7do%2Fuploads%2Fgit-blob-8039c8d36c6107d88a97c85a4c0d3cf9f1265096%2Fimage.png?alt=media)
3. Enter an Alias (optional) and the PAT and click OK