Using Docker image from Github registry is unauthorized

Question

• I created Docker image locally
• Tagged it for Github Docker registry
• Pushed it to Github Docker registry

Now I want to use it in Github action that create Docker image in FROM field but it always fails with unauthorized error - why ?

here are the steps:

docker tag my_image:1.0 ghcr.io/<github_user>/<organization>/<repo_name>/my_image:1.0

docker push ghcr.io/<github_user>/<organization>/<repo_name>/my_image:1.0
a4f566342e89: Pushed
0378d9143186: Pushed
...
f337026e7d90: Pushed

everything as you see completes successfully and I can even docker pull it on my computer

then I setup Github action and set it to start Powershell script that create Docker image from this Dockerfile:

So Github action set as:

...
...
jobs:

  build:

    runs-on: windows-2019

    steps:
    - uses: actions/checkout@v2
    - name: Package with Docker and push to Github packages
      id: build_and_push_docker_image    
      env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}    
      run: |
        src/database/base-image/github-build.ps1

There just 1 step !

and Powershell script itself do:

...
docker login ghcr.io --username $env:GITHUB_ACTOR --password $env:GITHUB_TOKEN
...
docker build src/database/base-image --file "src/database/base-image/databaseCreateBaseImage.Dockerfile" --tag sqldatabase/base:$VERSION
...
...

and Docker file is:

FROM ghcr.io/<github_user>/<organization>/<repo_name>/my_image:1.0

SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]

...
...

but sadly when Github action runs it always fails on line FROM with error message:

Step 1/7 : FROM ghcr.io/<github_user>/<organization>/<repo_name>/my_image:1.0
Get https://ghcr.io/v2/<github_user>/<organization>/<repo_name>/my_image/manifests/1.0: unauthorized
...
...

May be someone could shed some light - why it is not authorized to pull this image ? Everything runs without error until this FROM line :(

Answer 1

This helped me:

echo '<my_token>' | docker login ghcr.io -u <my_username> --password-stdin

<my_token> is the PAT from Github

See Personal Access Tokens (Classic) under Developer settings of your Github account.

Answer 2

Make sure GitHub Actions can access the Docker Image (like @sihil mentioned) and add the following step to your job:

- name: Login to GitHub Container Registry
  uses: docker/login-action@v3
  with:
    registry: ghcr.io
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }}

Answer 3

My mistake

According to Github documentation Authenticating to GitHub Packages using GITHUB_TOKEN is not (!) enough. If you want to work with Github registry (ghcr.io) you must (!) use your Personal Access Token.

Answer 4

I think you might need to do two things here:

• First of all, ensure that the Package settings (bottom right of the package page) allow access to actions running in the repository in question
• Secondly, ensure that you have added the package permission to your job

More details in my answer to GITHUB_TOKEN permission denied write package when build and push docker in github workflows