Make GitHub action use PATs instead of Repository secrets #25001
-
Hello, I am having difficulty creating an action to login to Github’s Container Registry. In the README for the docker/login-action repository, it says to login to ghcr.io (the container registry URL), you must use this
where CR_PAT is a PAT with package read, write, and delete access. I have created the CR_PAT with correct permissions, along with an ALL that I also used to see if it was a permissions issue But, my login action would fail with the error below.
After some testing, I realized that my PAT was not being found from the Further, I realized that and used it in an updated action .yml
and this returned with a filled-in
So, I know that For the record, I have enabled Future thanks. |
Beta Was this translation helpful? Give feedback.
Replies: 6 comments
-
Because I’m a new user, I wasn’t able to put in all the pictures and links that I wanted into the post. Please feel free to ask if you want to have more information. |
Beta Was this translation helpful? Give feedback.
-
I run into this too. An earlier setup that I had before 2021 worked with settings like that. The logs from there shows a “password” line with a masked password printed (***). I wonder if someething (note misspelling because the spellcheck will not allow me to write meeth without doubling the e) has changed since then. When I used a similar gha today I saw what you are seeing, approximately. I get “Error: Username and password required”, and even after trying to generate a new CR_PAT and add it specifically to the repo settings (Environment > Secrets) it doesn’t get picked up. I was expecting that ${{ secrets.CR_PAT}} would be picked up but it doesn’t seem so. Any solution yet? |
Beta Was this translation helpful? Give feedback.
-
AnthonyMonterrosa:
No, because that’d be a massive security hole. You have to explicitly provide secrets to actions where you want to use them (see Accessing your secrets). As far as the login problem is concerned, your token seems to be lacking the read:packages permission. |
Beta Was this translation helpful? Give feedback.
-
I checked my CR_PAT (aga_in), both the one I used successfully before and the new one I attempted to use, both have the read:packages permission. Can it be some_thing else coming into play here? (Using underscores to circu_mvent the censoring of potentially upsetting strings inside words) |
Beta Was this translation helpful? Give feedback.
-
My solution was to create a PAT with read/write/delete package permissions, and to copy the generated token value to a repository secret, and then to reference that repository secret in the action. That seems to be the only way to use PATs in actions, by copying them to the action’s repo. |
Beta Was this translation helpful? Give feedback.
-
That works well for me to, it needs to be a repository secret not an environment secret. Maybe you should put it as an accepted answer, at least it solved the problem for me. |
Beta Was this translation helpful? Give feedback.
My solution was to create a PAT with read/write/delete package permissions, and to copy the generated token value to a repository secret, and then to reference that repository secret in the action. That seems to be the only way to use PATs in actions, by copying them to the action’s repo.