Unable to pull package of public personal repository pushed to github package

Greetings,

Thanks for adding support for github packages to upload container images, I recently was trying out pushing packages to it, https://github.com/tasdikrahman/bhola/pull/55/checks?check_run_id=1140051698,

Successfully tagged docker.pkg.github.com/tasdikrahman/bhola/bhola:feat-issue-54
Pushing image [docker.pkg.github.com/tasdikrahman/bhola/bhola:feat-issue-54]
The push refers to repository [docker.pkg.github.com/tasdikrahman/bhola/bhola]
b03ea15ce214: Preparing
dbc12b000854: Preparing
0a7fec4e9e75: Preparing
07af6d27e52d: Preparing
43cd00501c28: Preparing
9c8e38fa209a: Preparing
708afaaf892f: Preparing
94928d5d49e7: Preparing
bcf2f368fe23: Preparing
9c8e38fa209a: Waiting
708afaaf892f: Waiting
94928d5d49e7: Waiting
bcf2f368fe23: Waiting
43cd00501c28: Layer already exists
9c8e38fa209a: Layer already exists
708afaaf892f: Layer already exists
94928d5d49e7: Layer already exists
bcf2f368fe23: Layer already exists
b03ea15ce214: Pushed
dbc12b000854: Pushed
0a7fec4e9e75: Pushed
07af6d27e52d: Pushed
feat-issue-54: digest: sha256:bc2c0c5f2e2eede136fc51b7de16a00781d787743c7cae1d2b500b7e46709cdb size: 2201

I tried pulling this image on my machine

$ docker pull docker.pkg.github.com/tasdikrahman/bhola/bhola:feat-issue-54
Error response from daemon: Get "https://docker.pkg.github.com/v2/tasdikrahman/bhola/bhola/manifests/feat-issue-54": no basic auth credentials

I tried checking the answer posted here Just published a new GH package. Have few questions, but couldn’t find the setting to make my container packages public in case they are private.

Let me know if I am missing something folks.

Another thing which I noticed was that I can see the package under the public repositories

I notice that your workflow pushes to the old GitHub Packages Docker registry (docker.pkg.github.com). If you want your packages to be publicly accessible without any authentication you need to use the new GitHub Container Registry (ghcr.io). Note that new images are private by default, so after the first push you’d need to switch the image to public.

I get this error now

 Logging in to registry ghcr.io
WARNING! Using --password via the CLI is insecure. Use --password-stdin.
Error response from daemon: Get https://ghcr.io/v2/: denied
Error: exit status 1
exit status 1
Usage:
  github-actions build-push [flags]

Flags:
  -h, --help   help for build-push

The block for pushing to github package is this

      - name: Push to GitHub Packages
        uses: docker/build-push-action@v1
        with:
          username: tasdikrahman
          password: ${{ secrets.GITHUB_TOKEN }}
          registry: ghcr.io
          repository: tasdikrahman/bhola/bhola
          tag_with_ref: true

anything which I need to add/change.

I see one thing that’s definitely a problem, and one that probably is:

  1. You can’t use GITHUB_TOKEN to authenticate with GHCR. You need to use a PAT. See Authenticating with the container registry.
  2. The repository parameter seems to follow the OWNER/REPOSITORY/IMAGE_NAME pattern. The GHCR uses OWNER/IMAGE_NAME, see Domain changes.

To link your image to the source repository you can either set the org.opencontainers.image.source label to the repository path (that’s what I prefer), or manually link them using the web UI. See Connecting a repository to a container image.

1 Like

You can actually use any number of components with ghcr.io. For example, ghcr.io/OWNER/REPOSITORY/IMAGE_NAME would also work. This might be useful if you have multiple images associated with the same repo.

At the moment the REPOSITORY component doesn’t automatically associate the image with a repository of the same name, but it hopefully will in a future update.

1 Like

Thanks for the response, I am not using a PAT which has read, write and delete access for packages which I have added to my repo secrets.

this is what I have in the pipeline as of now

      - name: Check out the repo
        uses: actions/checkout@v2
      - name: Docker login
        run: >
          echo ${{ secrets.GHCR_PAT }} | docker login ghcr.io -u tasdikrahman --password-stdin
      - name: Build container image
        run: >
          docker build
          --label org.opencontainers.image.revision=${{ github.sha }}
          --iidfile bhola.id .
      - name: Show image information
        run: |
          docker image inspect $(cat bhola.id)
      - name: show docker images
        run: |
          docker images
      - name: take the first docker image from the list
        run: |
          ID=$(docker images -a | awk '{print $3}' | sed '1d' | head -1)
          echo $ID
      - name: Tag container image
        run: |
          docker tag ${ID} ghcr.io/tasdikrahman/bhola:${{ github.SHA }}
      - name: Push the container image
        run: |
          docker push ghcr.io/tasdikrahman/bhola:${{ github.SHA }}
      - name: Docker logout
        if: always()
        run: |
          docker logout ghcr.io

the failure now which I get is during the tagging part. Would fail, while I try to tag

Run docker tag ${ID} ghcr.io/***/bhola:df246a982a3385fc70d52792b1847db964a9f7a7
  docker tag ${ID} ghcr.io/***/bhola:df246a982a3385fc70d52792b1847db964a9f7a7
  shell: /bin/bash -e {0}
"docker tag" requires exactly 2 arguments.
See 'docker tag --help'.

Usage:  docker tag SOURCE_IMAGE[:TAG] TARGET_IMAGE[:TAG]

Create a tag TARGET_IMAGE that refers to SOURCE_IMAGE
##[error]Process completed with exit code 1.

I am not sure what am I doing wrong as I hardcoded the part of the OWNER here while it is still being picked up as ***/bhola:SHA

My pipeline for reference https://github.com/tasdikrahman/bhola/pull/55/checks?check_run_id=1144873993

I think this is the issue. You can’t simply echo something and use it in the next run. Either you need to set it to output or an environment variable or combine it all into 1 run.

      - name: Tag the first docker image from the list
        run: |
          docker images
          ID=$(docker images -a | awk '{print $3}' | sed '1d' | head -1)
          echo $ID
          docker tag ${ID} ghcr.io/tasdikrahman/bhola:${{ github.SHA }}
1 Like

Awesome, that worked out folks!

Only thing was, the flow of making the image go from private to public by follow the instructions here https://docs.github.com/en/packages/managing-container-images-with-github-container-registry/connecting-a-repository-to-a-container-image, would it make sense to have a setting, where the container images of a repo are set to be public by default. What do you folks think

1 Like

Also, would there be a container image retention policy similar to how docker hub is doing for free images?

Good feedback, thank you! We’ve been looking at ways to make this happen.