Clarify Authenticating to the Container Registry with CI/CD details

doc/user/packages/container_registry/index.md

@@ -201,10 +201,7 @@ Before diving into the details, some things you should be aware of:
 ### Authenticating to the Container Registry with GitLab CI/CD
 
 There are three ways to authenticate to the Container Registry via
-[GitLab CI/CD](../../../ci/yaml/README.md) which depend on the visibility of
-your project.
-
-Available for all projects, though more suitable for public ones:
+[GitLab CI/CD](../../../ci/yaml/README.md):
 
 - **Using the special `CI_REGISTRY_USER` variable**: The user specified by this variable is created for you in order to
   push to the Registry connected to your project. Its password is automatically
@@ -216,14 +213,22 @@ Available for all projects, though more suitable for public ones:
   docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
   ```
 
-For private and internal projects:
+- **Using the GitLab Deploy Token**: You can create and use a
+  [special deploy token](../../project/deploy_tokens/index.md#gitlab-deploy-token)
+  with your projects.
+  Once created, you can use the special environment variables, and GitLab CI/CD
+  fills them in for you. You can use the following example as-is:
+
+  ```shell
+  docker login -u $CI_DEPLOY_USER -p $CI_DEPLOY_PASSWORD $CI_REGISTRY
+  ```
 
 - **Using a personal access token**: You can create and use a
   [personal access token](../../profile/personal_access_tokens.md)
   in case your project is private:
 
   - For read (pull) access, the scope should be `read_registry`.
-  - For read/write (pull/push) access, use `api`.
+  - For write (push) access, the scope should be `write_registry`.
 
   Replace the `<username>` and `<access_token>` in the following example:
 
@@ -231,16 +236,6 @@ For private and internal projects:
   docker login -u <username> -p <access_token> $CI_REGISTRY
   ```
 
-- **Using the GitLab Deploy Token**: You can create and use a
-  [special deploy token](../../project/deploy_tokens/index.md#gitlab-deploy-token)
-  with your private projects. It provides read-only (pull) access to the Registry.
-  Once created, you can use the special environment variables, and GitLab CI/CD
-  fills them in for you. You can use the following example as-is:
-
-  ```shell
-  docker login -u $CI_DEPLOY_USER -p $CI_DEPLOY_PASSWORD $CI_REGISTRY
-  ```
-
 ### Container Registry examples with GitLab CI/CD
 
 If you're using Docker-in-Docker on your Runners, this is how your `.gitlab-ci.yml`

doc/user/profile/personal_access_tokens.md

@@ -60,6 +60,7 @@ the following table.
 | `api`              | [GitLab 8.15](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/5951)   | Grants complete read/write access to the API, including all groups and projects, the container registry, and the package registry. |
 | `read_api`           | [GitLab 12.10](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28944)  | Grants read access to the API, including all groups and projects, the container registry, and the package registry. |
 | `read_registry`    | [GitLab 9.3](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/11845)   | Allows to read (pull) [container registry](../packages/container_registry/index.md) images if a project is private and authorization is required. |
+| `write_registry`    | [GitLab 12.10](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28958)   | Allows to write (push) [container registry](../packages/container_registry/index.md) images if a project is private and authorization is required. |
 | `sudo`             | [GitLab 10.2](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/14838)  | Allows performing API actions as any user in the system (if the authenticated user is an administrator). |
 | `read_repository`  | [GitLab 10.7](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/17894)  | Allows read-only access (pull) to the repository through `git clone`. |
 | `write_repository` | [GitLab 11.11](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/26021) | Allows read-write access (pull, push) to the repository through `git clone`. Required for accessing Git repositories over HTTP when 2FA is enabled. |