IBM Cloud: Least privileges for service ID that needs to update a Code Engine app?

I am using IBM Cloud Code Engine to deploy my containerized apps. Now, I would like to use a service ID (or its API key) to run a toolchain and within to update an already existing app. What privileges are needed to push the new container image to a private registry and to update the app from that image?

It seems the following privileges are needed. They can be created as access policies within an IBM Cloud IAM access group. The service ID is then added to that access group.

• Viewer on resources limited to the resource group with the Code Engine project. That way, the resource group can be set and the project be seen.
• Operator and Writer for Container Registry, to be able to push a new container image.
• Operator and Writer for Code Engine, scoped to just the project, to be able to update the app.

With the above privileges my pipeline could run successfully.