I have noticed that in a Github runner if I run cat ~/.docker/config.json before the build-push-action setup there is an auth object already present for https://index.docker.io/v1/.

It seems like if I attempt to push an image to a public repository that I own with the Github runner's default Docker user added as a collaborator I get the following error message related to scope permissions.

ERROR: unauthorized: access token has insufficient scopes

1. Does anyone know if this auth context is only setup for read-only permissions by default in a public Github runner?
2. For any Docker push commands would I need to create my own PAT and use the docker/login-action first?
3. I am trying to determine what would happen if I were to incorrectly tag an image and attempted to push it to someone else's repository. Is this possible without being added as a collaborator on someone's public repository?

I could also run a docker logout https://index.docker.io/v1/ as a precautionary shell command before using the build-push-action.