403 error on container registry push from GitHub Action

I’m building an image for multiple architectures like this:

name: Build Docker image

on:
  workflow_dispatch:
  release:
    types: [published]

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: docker/setup-qemu-action@v1
      - uses: docker/setup-buildx-action@v1
      - uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v2
        with:
          platforms: linux/amd64,linux/arm64
          push: true
          tags: ghcr.io/${{ github.repository }}:latest

The workflow fails near the end of the docker/build-push-action step, when pushing to the container registry:

#13 ERROR: unexpected status: 403 Forbidden
------
 > exporting to image:
------
error: failed to solve: rpc error: code = Unknown desc = unexpected status: 403 Forbidden
Error: buildx call failed with: error: failed to solve: rpc error: code = Unknown desc = unexpected status: 403 Forbidden

If I look in the repository’s packages, I can see one of the images and no manifest.

Sometimes, when the workflow is re-run, it completes successfully and publishes everything to the container registry - I haven’t been able to detect a pattern to when it succeeds.

9 Likes

I’ve been running into this too now. It worked for a while and then suddenly stopped working at all

1 Like

Hello, I think I have a similar issue. I also get a 403 while trying to push/export an image to ghcr.io via GitHub Action. Below is the link to my logs:

What’s weird for me is that I can log in to ghcr.io via docker login ghcr.io from the terminal on my local environment as well as using a tmate session in the GH Action workflow. Therefore I am confused why I receive a 403, because I theoretically am able to log in to that service.

I have enabled “Improved container support” feature on my GH profile.

I managed to publish the package via the command docker push ghcr.io/[owner]/[repository]:latest from the terminal on my local environment, which I suppose means that there is something wrong with the GitHub Action itself. The disadvantage I noticed is that the package is private by default, so I had to make it public from the GitHub visibility settings. There probably might be a way to do it from the CLI as well.

I’m seeing the exact same thing (login works, push fails) and, just to highlight this, I’ve already modified my package image repository settings to grant Write permissions to the GitHub Actions running in the GitHub repository that houses my application’s source code.

We are also facing the exact same issue. In a public open source repo. We can push the image manually but the issue happens when trying to push it from a GH Action.

Please see this PR logs: Eden webapp and contracts builders containers by sparkplug0025 · Pull Request #41 · eoscommunity/Eden · GitHub

This is the latest 403 build: push containers · eoscommunity/Eden@530b9bc · GitHub

Is there anything wrong that we are doing?

1 Like

Another example: explicit action versioning · factorio-builds/factorio-builds-tech@c7a1fc2 (github.com)

I’ve granted the repo write access to all packages.

1 Like

We are also seeing this issue.

1 Like

Also having this issue - I’m using the docker-build-push action and have granted access to my repository’s actions through the package’s settings. This exact set up was working 4 days ago but now is throwing a 403 error. Yesterday, I changed from repository_owner to actor for the username, which worked for a run or two, but now I’m getting 403s again. I am using the GH token env variable provided to the Action, which is what the documentation recommends to use. I’m not really sure what the issue is.

So it seems like this works on the default branch, but not on any feature branches.

The only way I’ve been able to get around this is by still going the route of creating a PAT that has read/write/delete package access (using the odd URL parameter hack from the documentation to ensure it doesn’t also have repo scopes) and logging in using this. I have not had issues so far with that, so I’m thinking the GITHUB_TOKEN method, though recommended, is not stable.

1 Like

We did the same thing.

1 Like

I fixed my issue by manually giving my repository (and thus its secrets.GITHUB_TOKEN) permission in my package settings

https://github.com/users/{username}/packages/container/{package_name}/settings/actions_access

It’s listed under your Profile Page > Packages > image-name > “View all N versions” > Actions Access

Seems really silly the repo that the image is from (via LABEL in my Dockerfile) doesn’t automatically have permission to write to it. It’s even worse that this setting is buried under so many obscure links.

1 Like

There is a known issue when multiple images or platforms are published using the GITHUB_TOKEN for the first time. You should find it works consistently after the container package has been created. Would that be consistent with what you’re seeing?

1 Like

I’ve done that and it still doesn’t work on PRs. Only on the default branch.

Is the error you’re seeing denied: installation not allowed to Write organization package?

1 Like

I was getting a 403 Forbidden error on non-default branches.

1 Like

Same thing happening to me… I am trying to use my organization $GITHUB_TOKEN to push images from GH Actions but 403 error code is appearing on PRs. It works on default branch

1 Like

I’m afraid the pull_request event won’t work at the moment. Could you change your trigger events to simply this?

on:
  workflow_dispatch:
  push:

2 Likes
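
An added example, not written by any poster in this thread: a variant of the workflow from the first post that still builds on pull requests but only logs in and pushes on other events, which goes one step beyond the trigger change suggested above. The `pull_request` trigger, the `if:` condition and the `permissions:` block are assumptions added for illustration.

```yaml
name: Build Docker image

on:
  workflow_dispatch:
  push:
  pull_request:

# Assumption (not from the thread): declare the GITHUB_TOKEN scopes explicitly
# so the job holds only what it needs to read the source and write the package.
permissions:
  contents: read
  packages: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: docker/setup-qemu-action@v1
      - uses: docker/setup-buildx-action@v1
      # No registry login on pull requests: nothing is pushed from them.
      - uses: docker/login-action@v1
        if: github.event_name != 'pull_request'
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - uses: docker/build-push-action@v2
        with:
          platforms: linux/amd64,linux/arm64
          # Build on every event to validate the Dockerfile,
          # but push only when the event is not a pull request.
          push: ${{ github.event_name != 'pull_request' }}
          tags: ghcr.io/${{ github.repository }}:latest
```

The repository still needs write access to the package under the package's Actions access settings, as described earlier in the thread.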

Just found that pull does not work on non-default branches either…