Can't pull private ghcr.io Docker image using GITHUB_TOKEN

I’m having issues pulling a private ghcr.io Docker image, in a PR CI run.

I’ve been following this guide, and done the following steps:

  1. Updated actions access for the package in question, to include my repository.
  2. Set permissions for GITHUB_TOKEN, at the root level of my workflow file:

         permissions:
           packages: read
           contents: read

  3. Logged in with Docker:

         - run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin

         Login Succeeded

  4. Pulled the image:

         - run: docker pull ghcr.io/ORG/MY_IMAGE

This gives me an error message: repository does not exist or may require 'docker login': denied: installation not allowed to Read organization package

This is happening on a PR from a branch in the same repository. What should I do to be able to pull this image?


Bump. Me too, exactly the same situation and setup.

Got it working by changing package visibility from “private” to “internal” in the “Danger zone” area of the package settings.

Don’t really understand what that means, though 🙁

Same issue here.

Only two solutions that I’ve found to work are either:

  • Using a PAT instead of GITHUB_TOKEN (I’d rather avoid PATs if I can and the docs seem to indicate that the default token should work)
  • What @mpdude said, making the package internal instead of private seems to fix it (super unclear why this is the case though, especially since I’ve given my repo explicit access to the package in the package settings)

So either the docs need some clarification or there’s a bug here, just not sure which.