GHCR images not visible to organization owner

I would expect that as an organization owner, I’d be able to see all container images under the organization, and I’d be able to change their visibility settings. That doesn’t seem to be the case and I wonder if this is a bug. Here’s what happened:

  • User A pushes a container image (e.g. docker push ghcr.io/aquasecurity/trivy:latest)
  • User B is an organization owner, but B can’t see this container image
    • it doesn’t appear in the list of packages at https://github.com/orgs/aquasecurity/packages
    • if user B is logged in and tries to pull the image they get: Error response from daemon: pull access denied for ghcr.io/aquasecurity/trivy, repository does not exist or may require 'docker login': denied: permission_denied: read_package
  • If user A changes the visibility of the image to public, then it’s visible to user B in the UI, and can be pulled, but under the package settings for the image, user B sees the error message “You do not have permissions to administrate this package.”

Related, is there any relationship between permissions on a repo, and container image permissions with a matching name? For example, if user C is an admin on the aquasecurity/trivy repo, would you expect them to have visibility and management permissions on the ghcr.io/aquasecurity/trivy image? I think this would be helpful.

Hello! We’re working on a complete fix for this but in the meantime you’re right that org owners can’t see private containers. There will be some options here but certain scenarios require private containers to be hidden even from owners. Again we’ll be addressing the default case you’re experiencing here.

If you want to keep the containers private but grant access you can add User B (or a Team that contains User B) in the container settings with read/write/admin access.

Currently there isn’t a direct relationship between a repo and a container for access control. The Docker service docker.pkg.github.com worked this way and we’re going to bring the good parts of that back while leaving the fine-grained options.

You can use Teams to create a more manageable relationship where Team Admin has admin access to the repo and can also be granted admin access to the Container.

We’ll also have some refinements to this coming up as we work out the GITHUB_TOKEN support in Actions.