How to use Installation Access Token in ghcr.io authorization?

sue445 · September 8, 2020, 8:24am

I want to use Installation Access Token instead of Personal Access Token on GitHub Actions, but doesn’t work.

Example code

jobs:
  push:
    runs-on: ubuntu-latest

    steps:
      - uses: actions/checkout@v2

      - name: Generate token
        id: generate_token
        uses: tibdex/github-app-token@v1
        with:
          app_id: ${{ secrets.GH_APP_ID }}
          private_key: ${{ secrets.GH_PRIVATE_KEY }}

      - name: Log into GitHub Container Registry
        run: echo "${{ steps.generate_token.outputs.token }}" | docker login https://ghcr.io -u ${{ github.actor }} --password-stdin

My GitHub App (GH_APP_ID) has “Read & Write access” enabled in “Packages”.

Error

Run echo "***" | docker login https://ghcr.io -u sue445 --password-stdin
  echo "***" | docker login https://ghcr.io -u sue445 --password-stdin
  shell: /bin/bash -e {0}
  env:
    IMAGE_NAME: awscli-all
Error response from daemon: Get https://ghcr.io/v2/: denied
##[error]Process completed with exit code 1.

Is there a way to use Installation Access Token?

clarkbw · September 5, 2020, 3:03pm

GHCR can’t accept App tokens, only PATs for now. We’re working on a solution to allow for the Actions GITHUB_TOKEN and then could look into this after.

richicoder1 · September 5, 2020, 6:55pm

Is support for Outside Collaborators on that list? Currently outside collabs can’t write (near as I can tell) to ghcr.io

sue445 · September 6, 2020, 11:04am

@clarkbw Thank you. I’m waiting!

jcansdale · September 7, 2020, 5:43pm

An outside collab would need to publish via a GitHub Actions workflow and a repository (or org) secret. They would to this by committing directly to the repo rather than using a fork.

You might also be able to use the new fork settings, see:

I hope that helps!

Regards,
Jamie.

richicoder1 · September 7, 2020, 7:28pm

@jcansdale We’re currently (correctly or incorrectly) using a PAT from a GitHub account we have setup as a service account, which is set as an outside collaborator to isolate it’s permissions so that doesn’t help unfortunately. Is there plans to allow publishing via Workflow tokens and/or more fine-grained PAT/service account permissions coming down the pipeline?

clarkbw · September 8, 2020, 8:22am

We’re working on a system for workflow tokens, this will roll out before the end of the year.

Can you open up a separate topic about the outside collaborator? An OC who has write access to the container should have access with a PAT that has write scope. Thx!

cep21 · September 23, 2020, 2:30am

Found this topic. Not sure if something was opened up, but the UI explicitly says this is not allowed for outside contributers on page {org}/settings/member_privileges

“Members will be able to publish only the selected visibility types of packages and containers. Outside collaborators can never publish packages or containers.”

richicoder1 · September 29, 2020, 8:24pm

@cep21 Opened a separate topic for that issue specifically here: Unable to Publish Image to Github Container Registry with Outside Contributer

ben-elttam · February 15, 2021, 7:05am

Anyway to track these enhancements? e.g. a github issue we can follow?

ashb · February 17, 2021, 3:24pm

Any progress on this @clarkbw ? Would really love this on our apache/airflow repo.

clarkbw · February 18, 2021, 4:02pm

We are closer as we are testing GITHUB_TOKEN support internally right now. App tokens are in the backlog but I don’t have a timeline yet.

sue445 · February 19, 2021, 2:41am

If ghcr.io supports GITHUB_TOKEN, App token is needless. Thank you!

ziegfried · February 23, 2021, 7:51pm

Any ETA you could share (even a rough one)?

clarkbw · February 23, 2021, 9:03pm

½ way through March we should be GA

ziegfried · February 23, 2021, 9:05pm

Sounds great, thanks!

marksalpeter · March 1, 2021, 5:29pm

As an aside, it would be so much better if you hosted these kinds of discussions inside of GitHub issues instead of some random forum software. Then we could reference this discussion in our commits and be notified when its closed.

jetersen · March 30, 2021, 4:50am

FYI ghcr now supports the github app token: Packages: Container registry now supports GITHUB_TOKEN - GitHub Changelog

rhyek · April 6, 2021, 1:07am

I’m having a weird problem. I’m logging in this way:

run: echo ${{ secrets.GITHUB_TOKEN }} | docker login ghcr.io -u rhyek --password-stdin

The result of that being:

Run echo *** | docker login ghcr.io -u rhyek --password-stdin
WARNING! Your password will be stored unencrypted in /home/runner/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store

Login Succeeded

Then doing a build/push with buildx:

          docker buildx build \
            --cache-from="type=registry,ref=$IMAGE_NAME-cache:latest" \
            --cache-from="type=registry,ref=$IMAGE_NAME-cache:$PR_NUMBER" \
            --cache-to="type=registry,ref=$IMAGE_NAME-cache:$PR_NUMBER" \
            -t "$IMAGE_NAME:$PR_NUMBER" \
            -f "$APP_PATH/Dockerfile" \
            --push \
            .

For some reason this always fails with:

 > importing cache manifest from ghcr.io/rhyek/typescript-monorepo-example-main-internal-api-cache:latest:
------
------
 > importing cache manifest from ghcr.io/rhyek/typescript-monorepo-example-main-internal-api-cache:37:
------
------
 > exporting to image:
------
error: failed to solve: rpc error: code = Unknown desc = unexpected status: 403 Forbidden
Error: Process completed with exit code 1.

If I change the login token to a PAT it works fine. Not sure what is going on.

jcansdale · May 25, 2021, 5:22pm

Does this happen every time or only when $IMAGE_NAME-cache is first created? There is a known issue where a new container package can’t we written and read from in the same workflow run. Once the container package has been created, subsequent workflow runs should work.

Do you think this might be the problem?