Skip to content

Instantly share code, notes, and snippets.

@flavio

flavio/README.md

Created March 24, 2026 12:12
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save flavio/3b86495d3f7a6c219b03849762122819 to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save flavio/3b86495d3f7a6c219b03849762122819 to your computer and use it in GitHub Desktop.
Download ZIP
Obtain list of Kubewarden policies
Raw
README.md

gh-query

Lists all container image registries published under ghcr.io/kubewarden/policies.

Requirements

  • uv
  • gh — logged in with the read:packages scope

Setup

If your gh token is missing the read:packages scope, the script will tell you. Fix it with:

gh auth refresh --hostname github.com --scopes read:packages

Usage

uv run query_packages.py

Example output

ghcr.io/kubewarden/policies/allow-privilege-escalation-psp
ghcr.io/kubewarden/policies/apparmor-psp
ghcr.io/kubewarden/policies/pod-privileged
...
Raw
query_packages.py
#!/usr/bin/env -S uv run --script
# /// script
# requires-python = ">=3.11"
# dependencies = ["requests"]
# ///
import subprocess
import sys
import requests
def get_token() -> str:
result = subprocess.run(
["gh", "auth", "token"],
capture_output=True,
text=True,
check=True,
)
return result.stdout.strip()
def iter_org_packages(session: requests.Session, org: str, package_type: str):
page = 1
while True:
resp = session.get(
f"https://api.github.com/orgs/{org}/packages",
params={"package_type": package_type, "per_page": 100, "page": page},
)
resp.raise_for_status()
data = resp.json()
if not data:
break
yield from data
page += 1
def check_token_scopes(session: requests.Session) -> None:
"""Verify the token has the read:packages scope by inspecting response headers."""
resp = session.get("https://api.github.com/user")
resp.raise_for_status()
scopes = resp.headers.get("X-OAuth-Scopes", "")
granted = {s.strip() for s in scopes.split(",")}
if "read:packages" not in granted:
print(
"error: the current GitHub token is missing the 'read:packages' scope.\n"
"\n"
"To fix this, re-authenticate with the required scope:\n"
"\n"
" gh auth refresh --hostname github.com --scopes read:packages\n"
"\n"
"Then run this script again.",
file=sys.stderr,
)
sys.exit(1)
def main() -> None:
try:
token = get_token()
except subprocess.CalledProcessError as e:
print(
f"error: could not retrieve GitHub token via 'gh auth token': {e.stderr.strip()}\n"
"\n"
"Make sure you are logged in:\n"
"\n"
" gh auth login",
file=sys.stderr,
)
sys.exit(1)
session = requests.Session()
session.headers.update(
{
"Authorization": f"Bearer {token}",
"Accept": "application/vnd.github+json",
"X-GitHub-Api-Version": "2022-11-28",
}
)
check_token_scopes(session)
for pkg in iter_org_packages(session, "kubewarden", "container"):
name: str = pkg["name"]
if name.startswith("policies/"):
print(f"ghcr.io/kubewarden/{name}")
if __name__ == "__main__":
main()
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment