Cannot push image to ghcr via workflow but cli works


I’m using a bot account to push images to ghcr.

When I use the pat created for the bot, I can log into ghcr and then successfully push image manually in cli.

But if I try to use the same user and pat in a github workflow, it fails with denied: permission_denied: write_package

In org settings, users are allowed to push packages as public, private and internal (@clarkbw had turned on the internal flag for our org). And the pat has the read and write package perms enabled.

With the same user/pat, cli push works just fine and the new package is marked internal as expected. But a push from workflow with the same credentials fails:

Any ideas?


1 Like

It turns out another org member had pushed the same package, which was private by default and was owned by that org member.

Since nobody else could even see the package as existing, we were very confused.

I think this default behavior of new packages being privately owned by the user uploading and not being visible to even the org owners is quite confusing.

1 Like

:wave: Hi there – Yes, we’ve received this feedback and are working on a fix to make this more intuitive for the end user. :heart: