Can't authenticate with Actions token for PR event

I’m trying to use GitHub Actions to push a container to the container registry on a pull request. However, push with the token (GITHUB_TOKEN) for GitHub Actions pull_request (or pull_request_target) event fails with the following error:

denied: installation not allowed to Write organization package

I’ve created a minimal reproducible repo in GitHub - ylemkimon/pull-request-container, and you can see it succeeds on push event, but fails on pull_request event.

Furthermore, it fails to pull the image with the specific tag with the following error:

pull access denied for ghcr.io/<org>/<name>, repository does not exist or may require 'docker login': denied: installation not allowed to Read organization package
2 Likes

Hi @ylemkimon,

Do you know if the following read also fails if you use pull_request_target ?

Yes, it fails: see Update README.md · ylemkimon/pull-request-container@7f995b1 · GitHub.

Correction: whether the tag is specified seems to not matter, rather the visibility of the package matters, i.e., it succeeds to pull a public container.

Thanks for the information. I’ll see if I can reproduce this!

i can reproduce it as well in my repositories. Back to using PAT unfortunately. Hope it can be fixed soon!

My issue is not exactly the same, but similar to the issue described here.

GitHub Actions triggered by a Pull Request fails to push container images to GitHub Container Registry (ghcr.io) with GITHUB_TOKEN. 403 Forbidden seems to be the cause (link).

However, GitHub Actions triggered by a commit directly to main branch successfully pushed the images to ghcr.io with GITHUB_TOKEN (link). I wonder why the two cases end with different results despite exactly the same code.

If I use PAT in GitHub Actions in Pull Request, pushing to ghcr.io is successfully finished.