Super confusing GitHub Container Registry (need pullable public image)

So my goal is to have a public image pullable without authentication/authorization.

The first (successful) attempt was with docker/build-push-action@v1, but it wasn’t pullable.

Now with a combo of docker/login-action@v1, docker/build-push-action@v2[with][load] = true and just docker push I have pushed a few images to ghcr.io (under a user that has admin access to the organization), but still can’t pull them without authentication.

Here are those that should be pullable:

  • ghcr.io/subspace/subspace-core-rust/subspace:updates
  • ghcr.io/subspace/subspace:updates

Those were pushed a few minutes ago, but I can’t find them anywhere in the UI and can’t pull them anonymously.

Here is what my action file looks like:

    steps:
      - uses: actions/checkout@v2
      - name: Inject slug/short variables
        uses: rlespinasse/github-slug-action@v2.x
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
      - name: Cache Docker layers
        uses: actions/cache@v2
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-${{ env.GITHUB_REF_SLUG }}
            ${{ runner.os }}-buildx-
      - uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.CR_PAT }}
      - name: Build container image
        uses: docker/build-push-action@v2
        with:
          load: true
          tags: |
            ghcr.io/subspace/subspace:${{ env.GITHUB_REF_SLUG }}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache
      - name: Push container image
        run: |
          docker push ghcr.io/subspace/subspace:${{ env.GITHUB_REF_SLUG }}

Images on GHCR are private by default; after creating a new image (not tag!) you need to set it to public before it can be pulled without authentication. “Configuring visibility of container images for an organization” should describe what you need. 🙂

1 Like
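A way to confirm from a script that an image really is pullable without credentials, added here as an example and not part of the original thread. It assumes the registry follows the standard registry token flow (a 401 with a `WWW-Authenticate: Bearer` challenge, then a token request sent with no credentials); the function names are hypothetical and only `registry/repo:tag` references are handled.

```python
import json
import re
import urllib.error
import urllib.parse
import urllib.request

ACCEPT = ", ".join([
    "application/vnd.oci.image.index.v1+json",
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.docker.distribution.manifest.v2+json",
])

def http_get(url, headers):
    """Return (status, response headers, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()

def parse_challenge(header):
    """Split 'Bearer realm="...",service="..."' into a dict ({} if not Bearer)."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "bearer":
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', params))

def anonymous_pull_allowed(image, get=http_get):
    """True if the manifest of registry/repo:tag is readable with no credentials."""
    registry, _, rest = image.partition("/")
    repo, _, tag = rest.partition(":")
    url = f"https://{registry}/v2/{repo}/manifests/{tag or 'latest'}"
    headers = {"Accept": ACCEPT}
    status, resp_headers, _ = get(url, headers)
    if status == 401:
        # The registry wants a token: ask for a pull token without logging in.
        www = {k.lower(): v for k, v in resp_headers.items()}.get("www-authenticate", "")
        ch = parse_challenge(www)
        if "realm" not in ch:
            return False  # no token service offered, so credentials are required
        query = urllib.parse.urlencode({"service": ch.get("service", ""), "scope": f"repository:{repo}:pull"})
        t_status, _, body = get(ch["realm"] + "?" + query, {})
        if t_status != 200:
            return False
        data = json.loads(body)
        token = data.get("token") or data.get("access_token", "")
        status, _, _ = get(url, {**headers, "Authorization": "Bearer " + token})
    return status == 200
```

Called as `anonymous_pull_allowed("ghcr.io/subspace/subspace:updates")` after the push, it returns `False` for as long as the package is still private.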

I wish docs matched my UI. There is no “Package Settings” button in my UI. There is only “Edit package” dropdown that doesn’t contain anything like that.
Moreover, I can’t find images pushed to ghcr.io anywhere in my UI, they are not in the list of packages.

This is why it is super confusing.

That’s odd, the equivalent for personal accounts worked perfectly for me on the weekend.

Is that user who has admin access someone other than you, and they just provided the PAT? In that case you may need to ask them to make the package public.

1 Like

OK, that helped, thanks!
But why is a package that is inside an organization only visible to a single user and not other admins unless you change access rules?
Doesn’t make any sense to me.

Also I can now see “Package Settings” on these new images, but not on the old one that is on docker.pkg.github.com.

1 Like

We’ll be improving the defaults on this so you don’t see it as much without trying but we wanted to enable systems to have packages that aren’t visible to owners by default. Many larger organizations have owners who are the IT managers for the system and not necessarily the ones who should have access to all resources. And people are using containers (generic storage) for things like PII (Personally Identifiable Information) with controlled access. Owners will still be able to directly access the container but that will be logged in the audit log.

Yes, these settings will only be available to GHCR. The docker.pkg.github.com service is deprecated and won’t see these changes; it also inherits all permissions from the repository, so these settings weren’t necessary.

Looks like confusion is by design, this is even more sad.

I was able to get rid of the docker.pkg.github.com only after contacting support, which is suboptimal.

We’ll be adding support for deleting those images soon so you won’t have to contact support.

2 Likes