Cannot pull docker image from Github Package Registry by digest

First build, tag and push an image:

$ docker push docker.pkg.github.com/org/repo/image:latest
The push refers to repository [docker.pkg.github.com/org/repo/image]
056157488f63: Layer already exists
556bd7954f59: Layer already exists
bc8ba74a019b: Layer already exists
9b33b8316bd2: Layer already exists
c99984bb0f35: Layer already exists
99add98f81ea: Layer already exists
17cf356f41cc: Layer already exists
4fd9fad7a009: Layer already exists
c9581514d6d0: Layer already exists
46ed3d879948: Layer already exists
fbeeb71995b3: Layer already exists
bb9e1c111e49: Layer already exists
ac3ac7a153b5: Layer already exists
3bfeb766f97b: Layer already exists
ea1227feeccb: Layer already exists
9cae1895156d: Layer already exists
52dba9daa22c: Layer already exists
78c1b9419976: Layer already exists
latest: digest: sha256:2571e10a9946752074aa996358f1cded5bfd707f5517c17317a86e2986eb69c7 size: 4100

then pulling the same image by digest directly:

$ docker pull docker.pkg.github.com/org/repo/image:latest@sha256:2571e10a9946752074aa996358f1cded5bfd707f5517c17317a86e2986eb69c7
Error response from daemon: manifest for docker.pkg.github.com/org/repo/image@sha256:2571e10a9946752074aa996358f1cded5bfd707f5517c17317a86e2986eb69c7 not found: manifest unknown: Docker image reference image:sha256:2571e10a9946752074aa996358f1cded5bfd707f5517c17317a86e2986eb69c7 not found under repo "org/repo"

this works with docker.io as well as other private registries.

11 Likes

HI @michaelbeaumont,

Thank you for being here! We don’t support pulling an image by digest currently, only by tag.

Here is a link to our docs:

https://help.github.com/en/articles/configuring-docker-for-use-with-github-package-registry#installing-a-package

3 Likes

We don’t support pulling an image by digest currently, only by tag.

Currently means there’s plans to support it in the future? Do you have any updates?
Thanks

5 Likes

It would be great to be notified of when that would be available. Due to this, Google Cloud Run is currently not compatible with GitHub Packages. That forces us to use Google’s container registry.

3 Likes

Hi!

Does this mean that github packages’ docker registry cannot be used with docker swarm? When I attempt to (re)-deploy our docker swarm services, which use images hosted on our package registry, I get this error:


image docker.pkg.github.com/konversion/myrepo/myimage:mytag could not be accessed on a registry to record  
its digest. Each node will access docker.pkg.github.com/konversion/myrepo/myimage:mytag independently,  
possibly leading to different nodes running different  
versions of the image.

5 Likes

I think this would be a very helpful feature to support. Pulling an image by digest allows you to be very precise about the specific deployment you want. The lack of this feature also means the github registry isn’t compatible with a number of existing tools that assume pulling by digest is possible.

11 Likes

I beleive this is the underlying cause of incompatibilities such as https://github.com/portainer/portainer/issues/3192

1 Like

Adding on - this makes the Github Package Registry noncompliant with the OCI Distribution spec, and is making buildpacks/pack unable to support publishing to GPR, as mentioned here.

Are there any updates on a timeline for this?

1 Like

This makes the GitHub Docker Registry almost useless.

1 Like

:wave: As noted here in the containerd issue our Docker service doesn’t currently support pulling by digest. However we have a new service under private beta which does support pull by digest. The new service also supports the OCI spec which allows for buildpacks etc. Please reach out if you’d like to participate. We have been adding users into the private beta over the past several weeks.

3 Likes

Hi clarkbw, where do i sign up?

Email me. The containerd issue has the required info.

So basically if you deploy with Kubernetes and use digests in logic, you cannot use Github’s Registry. Am I understanding this correctly?

Hi @iMerica,

Yes, you’re understanding correctly.

Could you see the comments at the end of this issue and request access to the private Bata?