Thanks for this. Brilliant post

as for “Create one, with the “Editor” permission set for your project (you may want to be more fine-grained with permissions, but I’m not confident in recommending anything more granular).”, the correct permission is “roles/storage.admin”. See https://cloud.google.com/container-registry/docs/access-control

Editor is a disaster from a security point of view. Also, you might want to suggest to use a project only dedicated to holding the repository.