I want to use Installation Access Token instead of Personal Access Token on GitHub Actions, but doesn’t work.

Example code

jobs:
  push:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2

      - name: Generate token
        id: generate_token
        uses: tibdex/github-app-token@v1
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_PRIVATE_KEY }}

      - name: Log into GitHub Container Registry
        run: echo "${{ steps.generate_token.outputs.token }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin

My GitHub App (GH_APP_ID) has “Read & Write access” enabled in “Packages”.

image1502×134 13.7 KB

Error

Run echo "***" | docker login https://ghcr.io -u sue445 --password-stdin
  echo "***" | docker login https://ghcr.io -u sue445 --password-stdin
  shell: /bin/bash -e {0}
  env:
    IMAGE_NAME: awscli-all
Error response from daemon: Get https://ghcr.io/v2/: denied
##[error]Process completed with exit code 1.

Is there a way to use Installation Access Token?

GHCR can’t accept App tokens, only PATs for now. We’re working on a solution to allow for the Actions GITHUB_TOKEN and then could look into this after.

Is support for Outside Collaborators on that list? Currently outside collabs can’t write (near as I can tell) to ghcr.io

@clarkbw Thank you. I’m waiting!

An outside collab would need to publish via a GitHub Actions workflow and a repository (or org) secret. They would to this by committing directly to the repo rather than using a fork.

You might also be able to use the new fork settings, see:

I hope that helps!

Regards,
Jamie.

@jcansdale We’re currently (correctly or incorrectly) using a PAT from a GitHub account we have setup as a service account, which is set as an outside collaborator to isolate it’s permissions so that doesn’t help unfortunately. Is there plans to allow publishing via Workflow tokens and/or more fine-grained PAT/service account permissions coming down the pipeline?

We’re working on a system for workflow tokens, this will roll out before the end of the year.

Can you open up a separate topic about the outside collaborator? An OC who has write access to the container should have access with a PAT that has write scope. Thx!

Found this topic. Not sure if something was opened up, but the UI explicitly says this is not allowed for outside contributers on page {org}/settings/member_privileges

“Members will be able to publish only the selected visibility types of packages and containers. Outside collaborators can never publish packages or containers.”

@cep21 Opened a separate topic for that issue specifically here: Unable to Publish Image to Github Container Registry with Outside Contributer

Anyway to track these enhancements? e.g. a github issue we can follow?

Any progress on this @clarkbw ? Would really love this on our apache/airflow repo.

We are closer as we are testing GITHUB_TOKEN support internally right now. App tokens are in the backlog but I don’t have a timeline yet.

If ghcr.io supports GITHUB_TOKEN, App token is needless. Thank you!

Any ETA you could share (even a rough one)?

½ way through March we should be GA

Sounds great, thanks!

As an aside, it would be so much better if you hosted these kinds of discussions inside of GitHub issues instead of some random forum software. Then we could reference this discussion in our commits and be notified when its closed.