Super confusing GitHub Container Registry (need pullable public image) #26861

nazar-pc · 2020-09-21T14:44:01Z

nazar-pc
Sep 21, 2020

So my goal is to have a public image pullable without authentication/authorization.

The first (successfull) attempt with docker/build-push-action@v1, but it wasn’t pullable.

Now with combo of docker/login-action@v1, docker/build-push-action@v2[with][load] = true and just docker push I have pushed a few images to ghcr.io (under user that has admin access to organization), but still can’t pull them without authentication.

Here are those that should be pullable:

ghcr.io/subspace/subspace-core-rust/subspace:updates
ghcr.io/subspace/subspace:updates

Those were pushed a few minutes ago, but I can’t find them anywhere in UI and can’t pull anonymously.

Here is what my action file looks like:

    steps:
      - uses: actions/checkout@v2
      - name: Inject slug/short variables
        uses: rlespinasse/github-slug-action@v2.x
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Cache Docker layers
        uses: actions/cache@v2
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-${{ env.GITHUB_REF_SLUG }}
            ${{ runner.os }}-buildx-
      - uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.CR_PAT }}
      - name: Build container image
        uses: docker/build-push-action@v2
        with:
          load: true
          tags: |
            ghcr.io/subspace/subspace:${{ env.GITHUB_REF_SLUG }}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache
      - name: Push container image
        run: |
          docker push ghcr.io/subspace/subspace:${{ env.GITHUB_REF_SLUG }}

Answered by airtower-luna

Sep 21, 2020

That’s odd, the equivalent for personal accounts worked perfectly for me on the weekend.

nazar-pc:

I have pushed a few images to ghcr.io (under user that has admin access to organization)

Is that user who has admin access someone other than you, and they just provided the PAT? In that case you may need to ask them to make the package public.

View full answer

airtower-luna · 2020-09-21T15:05:34Z

airtower-luna
Sep 21, 2020

Images on GHCR are private by default, after creating a new image (not tag!) you need to set it to public before it can be pulled without authentication. Configuring visibility of container images for an organization should describe what you need. 🙂

0 replies

nazar-pc · 2020-09-21T15:09:47Z

nazar-pc
Sep 21, 2020
Author

I wish docs matched my UI. There is no “Package Settings” button in my UI. There is only “Edit package” dropdown that doesn’t contain anything like that.
Moreover, I can’t find images pushed to ghcr.io anywhere in my UI, they are not in the list of packages.

This is why it is super confusing.

0 replies

airtower-luna · 2020-09-21T15:18:33Z

airtower-luna
Sep 21, 2020

That’s odd, the equivalent for personal accounts worked perfectly for me on the weekend.

nazar-pc:

I have pushed a few images to ghcr.io (under user that has admin access to organization)

Is that user who has admin access someone other than you, and they just provided the PAT? In that case you may need to ask them to make the package public.

0 replies

nazar-pc · 2020-09-21T15:24:57Z

nazar-pc
Sep 21, 2020
Author

OK, that helped, thanks!
But why is package that is inside of organization is only visible to a single user and not other admins unless you change access rules?
Doesn’t make any sense to me.

Also I can now see “Package Settings” on these new images, but not on old that is on docker.pkg.github.com.

0 replies

clarkbw · 2020-09-22T00:26:08Z

clarkbw
Sep 22, 2020

nazar-pc:

But why is package that is inside of organization is only visible to a single user and not other admins unless you change access rules?
Doesn’t make any sense to me.

We’ll be improving the defaults on this so you don’t see it as much without trying but we wanted to enable systems to have packages that aren’t visible to owners by default. Many larger organizations have owners who are the IT managers for the system and not necessarily the ones who should have access to all resources. And people are using containers (generic storage) for things like PII (Personally Identifiable Information) with controlled access. Owners will still be able to directly access the container but that will be logged in the audit log.

nazar-pc:

Also I can now see “Package Settings” on these new images, but not on old that is on docker.pkg.github.com .

Yes, these settings will only be available to GHCR. The docker.pkg.github.com service is deprecated and won’t see these changes, it also inherits all permissions from the repository so these settings weren’t necessary.

0 replies

nazar-pc · 2020-09-22T00:29:58Z

nazar-pc
Sep 22, 2020
Author

Looks like confusion is by design, this is even more sad.

I was able to get rid of the docker.pkg.github.com only after contacting support, which is suboptimal.

0 replies

clarkbw · 2020-09-23T14:39:32Z

clarkbw
Sep 23, 2020

nazar-pc:

I was able to get rid of the docker.pkg.github.com only after contacting support, which is suboptimal.

We’ll be adding support for deleting those images soon so you won’t have to contact support.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Super confusing GitHub Container Registry (need pullable public image) #26861

{{title}}

Replies: 7 comments

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

GitHub Community

Super confusing GitHub Container Registry (need pullable public image) #26861

nazar-pc Sep 21, 2020

Replies: 7 comments

airtower-luna Sep 21, 2020

nazar-pc Sep 21, 2020 Author

airtower-luna Sep 21, 2020

nazar-pc Sep 21, 2020 Author

clarkbw Sep 22, 2020

nazar-pc Sep 22, 2020 Author

clarkbw Sep 23, 2020

nazar-pc
Sep 21, 2020

airtower-luna
Sep 21, 2020

nazar-pc
Sep 21, 2020
Author

airtower-luna
Sep 21, 2020

nazar-pc
Sep 21, 2020
Author

clarkbw
Sep 22, 2020

nazar-pc
Sep 22, 2020
Author

clarkbw
Sep 23, 2020