Unable to push to ghcr.io from Github Actions

Hi,

following the documentation at Publishing Docker images - GitHub Docs, I have set up an action for a private (team) repository:

name: Create and publish a Docker image

on:
  push:
    branches: ['master']

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write

    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Log in to the Container registry
        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      - name: Build and push Docker image
        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

Team and Repository settings have Action permissions set to “Allow all actions” and Workflow permissions are set to “Read and write permissions”.

Running the job doesn't allow pushing to the container registry:

#20 pushing ghcr.io/REDACTED/REDACTED:master with docker
#20 sha256:REDACTED
(...)
#20 pushing layer REDACTED 0.4s done
#20 ERROR: denied: permission_denied: write_package
------
 > pushing ghcr.io/REDACTED/REDACTED:master with docker:
------
error: denied: permission_denied: write_package
Error: buildx call failed with: error: denied: permission_denied: write_package

The repository / tag is already present at the time of the job execution.

Pushing the same tag using PAT authentication (local dev environment) does work.

I have seen a couple of older articles mentioning either no support for GITHUB_TOKEN auth for image pushes, or issues with pushing to non-existent repositories. I take it these are not relevant anymore, as the official documentation states otherwise.

Migrating to PAT-based authentication is an option I am hesitant to choose, as it will expose wider access to other repositories based on a user's PAT token.

Am I missing something here?

2 Likes

have the same issue, and do not understand why

Hi @pulsar256,

I had the same problem as you.

Googling this error, I found this comment saying that using a PAT is the correct way.

Reading other docs, I found these steps to give GITHUB_TOKEN the write_package permission, but I couldn't do it.

The information asking to use the PAT token is outdated. I managed to get it working.

It seems there are multiple ways GH will create a package. Depending on which path you take, it seems to assign a different set of "Actions permissions" to the package/docker repository when it gets implicitly created by the first push. This implicit creation of the package/docker repository can be triggered by a manual/remote (PAT-based) initial push or by GH Actions using the configured authentication. Results seem to differ.

So to fix this, head over to $yourOrganization → Packages → $yourPackage → Package settings (to the right / bottom),

and configure the "Manage Actions access" section to allow the git repository in question write permissions on this package/docker repository.

3 Likes
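The fix above depends on whether the package that `ghcr.io/<org>/<repo>` maps to is linked to the repository running the workflow. As an added example (not from this thread or from GitHub's docs), this pre-flight script queries the real REST endpoint `GET /orgs/{org}/packages/container/{name}` with `GITHUB_TOKEN` before the push step and classifies the result, so the workflow fails with a pointer to "Manage Actions access" instead of an opaque `write_package` denial. It assumes an organization-owned package and that the API response carries a `repository.full_name` field when the package is linked to a repository.

```python
# Added pre-flight check, not from the thread: look up the container package that
# ghcr.io/<org>/<repo> maps to and report whether it is linked to this repository.
import json
import os
import urllib.error
import urllib.request
from typing import Optional

API = "https://api.github.com"


def classify(package: Optional[dict], repo_full_name: str) -> str:
    """Classify a package record relative to the repository doing the push.

    package is the parsed body of GET /orgs/{org}/packages/container/{name},
    or None when the API answered 404. Returns one of:
      "linked"      package.repository.full_name matches this repository
      "unlinked"    package exists but is linked elsewhere (or nowhere):
                    grant write access under Package settings -> Manage
                    Actions access, as the thread describes
      "not_visible" no record: not created yet, or this token is not granted
                    access to an existing package (a 404 hides both cases)
    """
    if package is None:
        return "not_visible"
    linked = (package.get("repository") or {}).get("full_name", "")
    return "linked" if linked.lower() == repo_full_name.lower() else "unlinked"


def fetch_package(org: str, name: str, token: str) -> Optional[dict]:
    """Fetch the package record with GITHUB_TOKEN; None on 404."""
    req = urllib.request.Request(
        f"{API}/orgs/{org}/packages/container/{name}",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"},
    )
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


if __name__ == "__main__":
    repo = os.environ["GITHUB_REPOSITORY"]  # "org/repo", set by Actions
    org, name = repo.lower().split("/", 1)  # ghcr.io image names are lowercase
    status = classify(fetch_package(org, name, os.environ["GITHUB_TOKEN"]), repo)
    print(status)
    raise SystemExit(0 if status == "linked" else 1)
```

Run it as a step with `GITHUB_TOKEN` exposed in `env:` before the build-push step; a `not_visible` result on a package you know exists is the symptom the thread describes.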