Unable to push to ghcr.io from Github Actions #26274

pulsar256 · 2021-07-23T11:29:09Z

pulsar256
Jul 23, 2021

Hi,

following the documentation at Publishing Docker images - GitHub Docs I have set up an action for a private (team) respository

name: Create and publish a Docker image
on:

push:

branches: ['master']
env:

REGISTRY: ghcr.io

IMAGE_NAME: ${{ github.repository }}
jobs:

build-and-push-image:

runs-on: ubuntu-latest

permissions:

contents: read

packages: write
steps:
  - name: Checkout repository
    uses: actions/checkout@v2

  - name: Log in to the Container registry
    uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
    with:
      registry: ${{ env.REGISTRY }}
      username: ${{ github.actor }}
      password: ${{ secrets.GITHUB_TOKEN }}

  - name: Extract metadata (tags, labels) for Docker
    id: meta
    uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
    with:
      images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

  - name: Build and push Docker image
    uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
    with:
      context: .
      push: true
      tags: ${{ steps.meta.outputs.tags }}
      labels: ${{ steps.meta.outputs.labels }}

Team and Repository settings have Action permissions set to “Allow all actions” and Workflow permissions are set to “Read and write permissions”.

Running the job doesnt allow pushing to the container registry:

#20 pushing ghcr.io/REDACTED/REDACTED:master with docker
#20 sha256:REDACTED
(...)
#20 pushing layer REDACTED 0.4s done
#20 ERROR: denied: permission_denied: write_package
------
 > pushing ghcr.io/REDACTED/REDACTED:master with docker:
------
error: denied: permission_denied: write_package
Error: buildx call failed with: error: denied: permission_denied: write_package

The repository / tag is already present at the time of the job execution.

pushing the same tag using PAT authentication (local dev environment) does work.

I have seen a couple of older articles either mentioning no support for GITHUB_TOKEN auth and image pushes and issues with pushing to non-existent repositories. I take it these are not relevant anymore as the official documentation states otherwise.

Migrating to PAT based authentication is an option I am hesitant to choose as it will expose wider access to other repository based on a users’s PAT token.

Am I missing something here?

Answered by pulsar256

Jul 30, 2021

The Information asking to use the PAT token is outdated. I managed to get it working.

It seems there are mulitple ways how GH will create a package. Depending on which path you take It seems to assign different set of “Action Permissions” to the packge/docker repository when it gets implicitly crated by the first push. This implicit creation of the package/docker repository can be triggered by a manual/remote (PAT) based initial push or by GH Actions using the configured authentication. Results seem to differ.

So to fix this, head over to $yourOrganization → Packages → $yourPackage → Package settings (to the right / bottom)

And configure “Manage Actions access” section to allow the git re…

View full answer

bobra · 2021-07-26T23:53:42Z

bobra
Jul 26, 2021

have the same issue, and do not understand why

0 replies

TADebastiani · 2021-07-30T00:17:28Z

TADebastiani
Jul 30, 2021

Hi @pulsar256,

I had the same problem as you.

Googling this error I found this comment telling that using PAT is the correct way.

Reading another docs, I found this steps to give GITHUB_TOKEN the write_package permission, but I couldn’t do it.

0 replies

pulsar256 · 2021-07-30T12:19:13Z

pulsar256
Jul 30, 2021
Author

The Information asking to use the PAT token is outdated. I managed to get it working.

It seems there are mulitple ways how GH will create a package. Depending on which path you take It seems to assign different set of “Action Permissions” to the packge/docker repository when it gets implicitly crated by the first push. This implicit creation of the package/docker repository can be triggered by a manual/remote (PAT) based initial push or by GH Actions using the configured authentication. Results seem to differ.

So to fix this, head over to $yourOrganization → Packages → $yourPackage → Package settings (to the right / bottom)

And configure “Manage Actions access” section to allow the git repository in question write permissions on this package/docker repository

2 replies

exchgr Mar 18, 2023

as stated here, also make sure your GITHUB_TOKEN has ample write access

sombriks Dec 25, 2023

Thanks for the answer, i was running into this forbidden error!
i just added write permission to my publish job and everything works as expected!

moos3 · 2022-07-04T20:11:40Z

moos3
Jul 4, 2022

Hrm… This doesn’t work if you haven’t pushed before. These steps work if you have pushed at least once.

2 replies

hohmancodes Nov 18, 2022

Any ideas? Struggling with the same thing.

Erudition Mar 7, 2024

Same issue here as well.
Finally found the solution:
home-assistant/builder#177 (comment)

liammurray · 2022-07-30T20:59:36Z

liammurray
Jul 30, 2022

I was experiencing this because I somehow ended up with a package having the name "REPO/name" unconnected to REPO (probably pushing from CLI or during repository renaming, not sure.) When I looked at my repository the package was not even showing up (but I could push from the command line). In the global packages tab (https://github.com/OWNER?tab=packages) I finally found it. I then was able to connect it to my repo, which caused the name to change from "REPO/name" to name now listed under "REPO". Next I went to my repo, saw the package, and could go to settings to enable write permissions (following steps in accepted answer).

1 reply

geometrikal Nov 30, 2022

Thanks, this got it working for me, except it was under my organisation packages page

nfcopier · 2023-02-06T04:16:22Z

nfcopier
Feb 6, 2023

I've been having the same problem, but it's intermittent. I've been playing with cdktf to create repos and set up the workflow pipelines. I've noticed that, even though the workflow file itself was always the same, sometimes the workflows could push just fine, and other times it couldn't. This is regardless of how many times I toggled the Actions write permission or recreated the repo. The inconsistency is what's frustrating me. I need to be able to rely on this workflow to always work, or it's useless.

I kinda wonder if, in the process of creating, deleting, and recreating the same repo with the same name, GitHub occasionally gets confused and thinks I'm pushing to a different (older) repository.

0 replies

danclaytondev · 2023-02-16T11:48:13Z

danclaytondev
Feb 16, 2023

I have had the same issue as @nfcopier. I am pushing to ghcr.io in my GitHub action, and my docker push fails with:

ERROR: denied: permission_denied: write_package
Error: buildx call failed with: ERROR: denied: permission_denied: write_package

This was with the GITHUB_TOKEN having write permissions enabled. This was in a repo that had been deleted and remade with the same name. As soon as I renamed the repo, the Action successfully pushed the image to ghcr (no changes to repo settings).

3 replies

JoshMcCullough · 2023-05-29T15:34:00Z

JoshMcCullough
May 29, 2023

For me, when pushing an image for the first time, I get a 403. Re-running the Docker build/push step again is successful. I have to do this for every new image I push!

0 replies

Shankyking25 · 2024-03-07T06:43:21Z

Shankyking25
Mar 7, 2024

I am facing the same issue

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

GitHub Community

Unable to push to ghcr.io from Github Actions #26274

{{title}}

Replies: 9 comments 8 replies

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Unable to push to ghcr.io from Github Actions #26274

Replies: 9 comments · 8 replies

pulsar256 Jul 30, 2021 Author

Replies: 9 comments 8 replies

pulsar256
Jul 30, 2021
Author