Unable to push to ghcr.io from Github Actions

[pulsar256]

Hi,

following the documentation at Publishing Docker images - GitHub Docs I have set up an action for a private (team) respository

name: Create and publish a Docker image
on:

push:

branches: ['master']
env:

REGISTRY: ghcr.io

IMAGE_NAME: ${{ github.repository }}
jobs:

build-and-push-image:

runs-on: ubuntu-latest

permissions:

contents: read

packages: write
steps:
  - name: Checkout repository
    uses: actions/checkout@v2

  - name: Log in to the Container registry
    uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
    with:
      registry: ${{ env.REGISTRY }}
      username: ${{ github.actor }}
      password: ${{ secrets.GITHUB_TOKEN }}

  - name: Extract metadata (tags, labels) for Docker
    id: meta
    uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38
    with:
      images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

  - name: Build and push Docker image
    uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
    with:
      context: .
      push: true
      tags: ${{ steps.meta.outputs.tags }}
      labels: ${{ steps.meta.outputs.labels }}

Team and Repository settings have Action permissions set to “Allow all actions” and Workflow permissions are set to “Read and write permissions”.

Running the job doesnt allow pushing to the container registry:

#20 pushing ghcr.io/REDACTED/REDACTED:master with docker
#20 sha256:REDACTED
(...)
#20 pushing layer REDACTED 0.4s done
#20 ERROR: denied: permission_denied: write_package
------
 > pushing ghcr.io/REDACTED/REDACTED:master with docker:
------
error: denied: permission_denied: write_package
Error: buildx call failed with: error: denied: permission_denied: write_package

The repository / tag is already present at the time of the job execution.

pushing the same tag using PAT authentication (local dev environment) does work.

I have seen a couple of older articles either mentioning no support for GITHUB_TOKEN auth and image pushes and issues with pushing to non-existent repositories. I take it these are not relevant anymore as the official documentation states otherwise.

Migrating to PAT based authentication is an option I am hesitant to choose as it will expose wider access to other repository based on a users’s PAT token.

Am I missing something here?

[bobra]

have the same issue, and do not understand why

[TADebastiani]

Hi @pulsar256,

I had the same problem as you.

Googling this error I found this comment telling that using PAT is the correct way.

Reading another docs, I found this steps to give GITHUB_TOKEN the write_package permission, but I couldn’t do it.

[pulsar256]

The Information asking to use the PAT token is outdated. I managed to get it working.

It seems there are mulitple ways how GH will create a package. Depending on which path you take It seems to assign different set of “Action Permissions” to the packge/docker repository when it gets implicitly crated by the first push. This implicit creation of the package/docker repository can be triggered by a manual/remote (PAT) based initial push or by GH Actions using the configured authentication. Results seem to differ.

So to fix this, head over to $yourOrganization → Packages → $yourPackage → Package settings (to the right / bottom)

And configure “Manage Actions access” section to allow the git repository in question write permissions on this package/docker repository

[exchgr]

as stated here, also make sure your GITHUB_TOKEN has ample write access

[sombriks]

Thanks for the answer, i was running into this forbidden error!
i just added write permission to my publish job and everything works as expected!

[moos3]

Hrm… This doesn’t work if you haven’t pushed before. These steps work if you have pushed at least once.

[hohmancodes]

Any ideas? Struggling with the same thing.

[Erudition]

Same issue here as well.
Finally found the solution:
home-assistant/builder#177 (comment)

[liammurray]

I was experiencing this because I somehow ended up with a package having the name "REPO/name" unconnected to REPO (probably pushing from CLI or during repository renaming, not sure.) When I looked at my repository the package was not even showing up (but I could push from the command line). In the global packages tab (https://github.com/OWNER?tab=packages) I finally found it. I then was able to connect it to my repo, which caused the name to change from "REPO/name" to name now listed under "REPO". Next I went to my repo, saw the package, and could go to settings to enable write permissions (following steps in accepted answer).

[geometrikal]

Thanks, this got it working for me, except it was under my organisation packages page

[nfcopier]

I've been having the same problem, but it's intermittent. I've been playing with cdktf to create repos and set up the workflow pipelines. I've noticed that, even though the workflow file itself was always the same, sometimes the workflows could push just fine, and other times it couldn't. This is regardless of how many times I toggled the Actions write permission or recreated the repo. The inconsistency is what's frustrating me. I need to be able to rely on this workflow to always work, or it's useless.

I kinda wonder if, in the process of creating, deleting, and recreating the same repo with the same name, GitHub occasionally gets confused and thinks I'm pushing to a different (older) repository.

[danclaytondev]

I have had the same issue as @nfcopier. I am pushing to ghcr.io in my GitHub action, and my docker push fails with:

ERROR: denied: permission_denied: write_package
Error: buildx call failed with: ERROR: denied: permission_denied: write_package

This was with the GITHUB_TOKEN having write permissions enabled. This was in a repo that had been deleted and remade with the same name. As soon as I renamed the repo, the Action successfully pushed the image to ghcr (no changes to repo settings).

[hemwaldoh]

This was the case for me too, renaming the new repo fixed the problem instantly

[brendanmosby]

Worked for me as well, thanks!

[o-liver]

I'm having this issue as well. So is the solution here to rename the repo? I'd rather not!

[JoshMcCullough]

For me, when pushing an image for the first time, I get a 403. Re-running the Docker build/push step again is successful. I have to do this for every new image I push!

[Shankyking25]

I am facing the same issue

[VictorioBerra]

Same issue. In my case I pushed manually before ever setting up my actions YAML and that may have broke it. Packages do not show up in the list even though i successfully pushed and pulled.

[denkasyanov]

In my case, my manually pushed package initially was a separate thing from the repository, despite they had the same user/repo in the name.

If I remember correctly, I manually set the repo from the package side. And not instantly but after some time the package showed up on the repo page.

Not sure what helped, and whether it was necessary to set up the repo in the package settings.

Anyway, I also added permissions to the workflow: https://github.com/denkasyanov/041-tdd-fastapi/blob/main/.github/workflows/main.yml#L12-L16

I guess that's all I did to make it work.

So now it works, I'm not 100% why, but maybe it can help someone: https://github.com/denkasyanov/041-tdd-fastapi