I can't make my ghcr image public because I can't see it

Trolldemorted · October 20, 2020, 9:57pm

I have a github action that is pushing releases to ghcr:

    steps:
      - uses: actions/checkout@v2
      - run: ls -lah
      - name: Build image
        run: docker build ChallengePad --file ChallengePad/Dockerfile --tag challengepad:nightly

      - name: Log into GitHub Container Registry
        run: echo "${{ secrets.CR_PAT }}" | docker login https://ghcr.io -u legofan --password-stdin

      - name: Push image to GitHub Container Registry
        run: |
          IMAGE_ID=ghcr.io/${{ github.repository_owner }}/$IMAGE_NAME
          
          # Change all uppercase to lowercase
          IMAGE_ID=$(echo $IMAGE_ID | tr '[A-Z]' '[a-z]')
          
          echo IMAGE_NAME=$IMAGE_NAME
          echo IMAGE_ID=$IMAGE_ID
          
          docker tag $IMAGE_NAME:nightly $IMAGE_ID:nightly
          docker images | grep 'challengepad'
          docker push $IMAGE_ID

It builds a nightly image and pushes it to ghcr.io, and if I am authenticated I can pull it with docker pull. However I’d like to make the image public, and after reading this thread I assumed I should be seeing the image in the project or the organization:

As you can see there are no images being shown.

How do I make my image public?

noahmatisoff · October 2, 2020, 8:56am

Hi @Trolldemorted! The container images will be private by default, but in the organization’s packages you should be able to go to it to make it public.

The container will show up in the repository view provided that it has been linked through the UI or the source label.

Trolldemorted · October 2, 2020, 9:25am

Hey @noahmatisoff,

as I have written in my first post, the container does not show up in the organization’s packages list either:

Trolldemorted · October 6, 2020, 10:05am

Any updates for this?

I migrated from dockerhub to GHCR and now my users can’t download my packages. Is my guess that I am having this problem correct?

I would have migrated more projects to GHCR, but if our users can’t download our packages they will come at me with pitchforks and torches. Can you estimate when I will be able to make the image public? Are workarounds like emailing the support to do $magic which makes the images public available?

jcansdale · October 6, 2020, 5:16pm

From your screenshot, it looks like your packages are on docker.pkg.github.com rather than the new ghcr.io registry. You can publish to ghcr.io in a similar way to docker.pkg.github.com, but you’ll need to use a PAT with read:packages and write:packages scopes (not the built in GitHub Actions token).

Once published, you make make your container images public (no auth required) like this:

I hope that helps!

Trolldemorted · October 6, 2020, 5:30pm

From your screenshot, it looks like your packages are on docker.pkg.github.com rather than the new ghcr.io registry

What makes you think that? My github action pushes to ghcr.io (?) and I can pull it with

docker pull ghcr.io/enoflag/challengepad:nightly

when I am authenticated.

Since I am able to pull the image I assume it is published, but as I have explained I can’t follow the steps because the image isn’t listed in my organization.

jcansdale · October 8, 2020, 4:32pm

Sorry, I missed the “Getting started with GitHub Packages” bit in your screenshot.

Are you using github.com from the same account that owns ${{ secrets.CR_PAT }}? If this PAT was owned by a different user, it would start off only visible to that user. I’m wondering if this is what you’re experiencing?

Trolldemorted · October 8, 2020, 7:54pm

Yep, it was published by a functional account since organizations can’t have PATs, mystery solved

Why did you think it was a good idea to hide packages from organization owners (!), and why is that not mentioned in the docs?

Johannestegner · October 9, 2020, 10:58am

Oh, wow, this is what I experience as well… Have been waiting for some type of fix for days! Hehe…
I agree with @Trolldemorted that it should not be hidden for other org owners. I use a bot account to publish artifacts, and I almost never log in to that one, so for my “real” account, I can’t manage the images.

ibiqlik · October 12, 2020, 9:08am

This definitely has to be fixed. Org owners should (as the name implies) have access to everything in the org, that includes private packages pushed by a non-human token.

Just like an option (API) to change container/package settings, like most sought after in my org, to make an image public.

Trolldemorted · November 14, 2020, 2:16am

Is this at least on your roadmap for the near future?

noahmatisoff · November 14, 2020, 5:24pm

@ibiqlik @Trolldemorted: we do plan to have an additional visibility setting in the future that can be set by the organization admin that will work in this way.

I can follow up here once we ship it. Sorry for any inconvenience to your workflow(s) in the meantime during beta.