403 error on container registry push from GitHub Action

Any ETA on a fix for this?

Best


Problem still persists. Interestingly enough pushing does sometimes work, but it errors out with a 403 more often than not.

Is this when pushing multiple tags to ghcr.io using docker/build-push-action@v2?

Tried it with multiple tags (:latest and :${{ github.sha }}) and just a single tag (:${{ github.sha }}):

| Timestamp | Tags | Failed |
|---|---|---|
| 8 June 2021 15:51:39 GMT | Multiple | No |
| 8 June 2021 15:51:43 GMT | Multiple | Yes |
| 8 June 2021 16:01:32 GMT | Single | No |
| 8 June 2021 16:09:19 GMT | Single | No |
| 8 June 2021 16:09:21 GMT | Single | Yes |
| 8 June 2021 16:26:33 GMT | Single | Yes |

Is it a single platform image?

Yes. Don’t know if it matters, but it does use multi-stage building.

The issue I thought this might be appears to be fixed :confused: .

Could you send a link to the workflow where this is failing?

It’s a private repo, so here are the contents of the workflow file:


```yaml
name: Publish Docker image

on:
  push:
    branches:
      - master
  pull_request:
    branches:
      - master

jobs:
  push_to_registry:
    name: Push Docker image to GitHub Packages
    runs-on: ubuntu-latest
    env:
      TAG_LATEST: ${{ github.event_name == 'push' && github.ref == 'refs/heads/master' }}
    permissions:
      packages: write
      contents: read
    steps:
      - uses: actions/checkout@v2
      - name: Reconfigure authentication
        env:
          TOKEN: ${{ secrets.ACCESS_TOKEN }}
        run: |
          git config --global \
            url."https://${TOKEN}:x-oauth-basic@github.com/".insteadOf \
            "git@github.com:"
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Cache Docker layers
        uses: actions/cache@v2
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-
      - name: Docker build prerequisites
        run: make setup-docker-build
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build container image (and tag as `latest`)
        if: ${{ env.TAG_LATEST == 'true' }}
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: |
            ghcr.io/${{ github.repository }}:latest
            ghcr.io/${{ github.repository }}:${{ github.sha }}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache-new
      - name: Build container image
        if: ${{ env.TAG_LATEST == 'false' }}
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: |
            ghcr.io/${{ github.repository }}:${{ github.sha }}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache-new
      # https://github.com/docker/build-push-action/issues/252
      # https://github.com/moby/buildkit/issues/1896
      - name: Move cache
        run: |
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache
```

Here’s a link to the PR that introduces said workflow regardless of public / private status (assuming GitHub employees can access private repositories): https://github.com/cybertec-postgresql/migrator/pull/199 (if not I can add you to the repo as well)

Thanks so much for looking into this :pray:

I just re-ran the action from this issue’s description a couple of times, and it succeeded in pushing to the container registry with no problems, so I think this has been fixed.


We can with a little help. Please check your email for an unlock request from support@github.com. Could you let me know when it’s unlocked?

That’s neat, already granted access :slightly_smiling_face:

@PhilipTrauner,

Thanks for unlocking! I can see the failing workflow runs.

If you re-run the failing workflow does it sometimes pass?

Tried it at least 10 times today (with a single tag and multiple tags) and never ran into the issue.
Sorry for wasting your time :pensive:

No problem, I appreciate you letting me know!