GITHUB_TOKEN permissions for ghcr.io only apply to the default branch
Describe the bug
When using the GITHUB_TOKEN to pull images from our private ghcr.io registry following these instructions, it only works on the default branch of each repository with access to the image.
This makes it so that I can’t use our images as part of a pull_request workflow using the GITHUB_TOKEN.
To Reproduce
Steps to reproduce the behavior:
- Push a docker image to an organisation ghcr.io registry
- Add the repository you want to have read access for to the package Actions Access in its Package Settings
- In that repository define a workflow that triggers on pull_request that pulls the image from step 1 using the GITHUB_TOKEN
- Create a PR.
Expected behavior
I expect the image to be able to be pulled from any branch in the repository I gave permissions to.
Runner Version and Platform
Cloud hosted ubuntu-latest
What’s not working?
Login Succeeded
Error response from daemon: pull access denied for ghcr.io/<org>/<image>, repository does not exist or may require 'docker login': denied: installation not allowed to Read organization package
Job Log Output
Output when trying to pull as a service:
Starting foobar service container
/usr/bin/docker --config /home/runner/work/_temp/.docker_d81b48f1-4348-4e54-ab6b-a314fb1605f4 login ghcr.io -u AllexVeldman --password-stdin
/usr/bin/docker --config /home/runner/work/_temp/.docker_d81b48f1-4348-4e54-ab6b-a314fb1605f4 pull ghcr.io/<org>/<image>:latest
Error response from daemon: pull access denied for ghcr.io/<org>/<image>, repository does not exist or may require 'docker login': denied: installation not allowed to Read organization package
Warning: Docker pull failed with exit code 1, back off 4.111 seconds before retry.
/usr/bin/docker --config /home/runner/work/_temp/.docker_d81b48f1-4348-4e54-ab6b-a314fb1605f4 pull ghcr.io/<org>/<image>:latest
Error response from daemon: pull access denied for ghcr.io/<org>/<image>, repository does not exist or may require 'docker login': denied: installation not allowed to Read organization package
Warning: Docker pull failed with exit code 1, back off 3.738 seconds before retry.
/usr/bin/docker --config /home/runner/work/_temp/.docker_d81b48f1-4348-4e54-ab6b-a314fb1605f4 pull ghcr.io/<org>/<image>:latest
Error response from daemon: pull access denied for ghcr.io/<org>/<image>, repository does not exist or may require 'docker login': denied: installation not allowed to Read organization package
Error: Docker pull failed with exit code 1
Output when run as a step:
Run echo "***" | docker login ghcr.io --username AllexVeldman --password-stdin
WARNING! Your password will be stored unencrypted in /home/runner/.docker/config.json.
Configure a credential helper to remove this warning. See
https://docs.docker.com/engine/reference/commandline/login/#credentials-store
Login Succeeded
Error response from daemon: pull access denied for ghcr.io/<org>/<image>, repository does not exist or may require 'docker login': denied: installation not allowed to Read organization package
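A workflow matching the reproduction steps above, as an added example that is not part of the original issue: it pulls the image both as a service container and in a step, and declares the token's package scope explicitly. The workflow name, job name and environment variable name are assumptions; the image path is the placeholder used in the report, and the repository must still be listed under the package's Actions access setting.

```yaml
# Added example (hypothetical workflow, not from the original report).
name: pr-ghcr-pull
on: pull_request

# Least privilege: this job only needs to read packages with GITHUB_TOKEN.
permissions:
  contents: read
  packages: read

jobs:
  test:
    runs-on: ubuntu-latest
    services:
      foobar:
        # Placeholder image path, as written in the report.
        image: ghcr.io/<org>/<image>:latest
        # The runner performs the docker login for the service with these.
        credentials:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Log in to ghcr.io with the workflow token
        env:
          # Passed through the environment instead of being
          # interpolated into the shell command line.
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: echo "$GHCR_TOKEN" | docker login ghcr.io --username "$GITHUB_ACTOR" --password-stdin
      - name: Pull the private image
        run: docker pull "ghcr.io/<org>/<image>:latest"
```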
Issue Analytics
- State:
- Created 2 years ago
- Reactions:3
- Comments:19 (1 by maintainers)
Top GitHub Comments
The error seems to be fixed now!
But nevertheless you need to follow the instructions @AllexVeldman mentioned (https://docs.github.com/en/packages/guides/using-github-packages-with-github-actions#upgrading-a-workflow-that-accesses-ghcrio):
Manage Actions access
write.
This will make your Actions/Runner be able to read and publish your image to the GitHub Container Registry - also from PR branches (no need for a PAT anymore here also)!
This isn’t specific to the runner so I’m going to close this issue but I did add this to an internal issue we have tracking this problem and someone will follow up here when it is fixed (this appears to be a bug).