Dependabot docker failing with public ghcr.io image

devpow112 · October 5, 2020, 3:31am

Hello,

I recently started seeing dependabot failing to pull from ghcr.io for a public image. This used to work but seems to have stopped working recently. Package it’s trying to check https://github.com/users/devpow112/packages/container/package/base-ubuntu. The repository trying to run dependabot is private but it should be able to check if it needs updates for a public image. See below log snippet from dependabot logs.

  proxy | 2020/10/05 03:19:40 [017] GET https://ghcr.io:443/v2/devpow112/base-ubuntu/tags/list
  proxy | 2020/10/05 03:19:40 [017] 401 https://ghcr.io:443/v2/devpow112/base-ubuntu/tags/list
  proxy | 2020/10/05 03:19:40 [019] GET https://ghcr.io:443/token?scope=repository%3Auser%2Fimage%3Apull
  proxy | 2020/10/05 03:19:40 [019] 403 https://ghcr.io:443/token?scope=repository%3Auser%2Fimage%3Apull
updater | INFO <job_64590950> Handled error whilst updating devpow112/base-ubuntu: private_source_authentication_failure {:source=>"ghcr.io"}
updater | INFO <job_64590950> Finished job processing
updater | time="2020-10-05T03:19:41Z" level=info msg="task complete" container_id=job-64590950-updater exit_code=0 job_id=64590950 step=updater

Any help would be appreciated

devpow112 · March 28, 2021, 11:07pm

This is still occurring, wonder if anyone has any ideas

updater | INFO <job_102764568> Checking if devpow112/base-ubuntu focal-20210326 needs updating
  proxy | 2021/03/28 22:59:58 [012] GET https://ghcr.io:443/v2/devpow112/base-ubuntu/tags/list
  proxy | 2021/03/28 22:59:58 [012] 401 https://ghcr.io:443/v2/devpow112/base-ubuntu/tags/list
  proxy | 2021/03/28 22:59:58 [014] GET https://ghcr.io:443/token?service=ghcr.io&scope=repository%3Auser%2Fimage%3Apull
  proxy | 2021/03/28 22:59:58 [014] 403 https://ghcr.io:443/token?service=ghcr.io&scope=repository%3Auser%2Fimage%3Apull
updater | INFO <job_102764568> Handled error whilst updating devpow112/base-ubuntu: private_source_authentication_failure

jcansdale · March 29, 2021, 4:11pm

Hi @devpow112,

I think this might be the issue described here:

Could you let me know if this is related?

devpow112 · March 29, 2021, 4:32pm

Hey @jcansdale,

I don’t think so. The logs I’ve listed are directly from the Dependabot logs not from a GitHub Actions run. It’s also not trying to pull a private image. The docker image devpow112/base-ubuntu is a public image from the GitHub Container Registry. There are no secrets involved since it’s a public image from the public repository. The funny thing is that the GitHub Action workflows that try to grab the devpow112/base-ubuntu as part of a docker build work fine even without logging into ghcr.io. Only dependabot fails to check for updates with the log messages above.

devpow112 · March 31, 2021, 1:33pm

Lol, well as of last night this resolved itself without any changes on my side. Hopefully it stays fixed.

jcansdale · March 31, 2021, 3:06pm

Very strange. Please let me know if it starts happening again!