billyzaelani

Reputation: 597

GITHUB_TOKEN permission denied write package when build and push docker in github workflows

I have a GitHub organization and am trying to migrate our container registry from Docker Hub to GitHub Packages. Using GitHub Workflows, here's the YAML I use to push Docker images to GitHub Packages:

name: ghcr_test
on:
  push:
    branches:
      - dev

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Login to GitHub Packages
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push Docker image
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}

GitHub recommends using GITHUB_TOKEN in Actions workflows. I have already double-checked that it has read and write permission in my organization settings, but I get this error:

Error: buildx failed with: error: denied: permission_denied: write_package

Any help?

Upvotes: 22

Views: 32026

Answers (5)

Sergei Kirjanov

Reputation: 245

I've managed to fix the 403 error while keeping GITHUB_TOKEN.

From your Organization main github page → Packages → $yourPackage → Package settings → “Manage Actions access” section

Connect the git repository with write permissions to this package/Docker repository.

https://github.com/orgs/community/discussions/26274#discussioncomment-3251137

Upvotes: 11

Thomas

Reputation: 425

If you are moving from PAT to GITHUB_TOKEN, you might need to delete the package first!

I followed the instructions here, see "Upgrading a workflow that accesses ghcr.io": https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions

This worked on the first two repositories, but on the third one I had to delete the package first to get it to work.

Upvotes: 0

sihil

Reputation: 2721

I think you might need to do two things here:

  • First of all, ensure that the Package settings (bottom right of the package page) allow access to actions running in the repository in question
  • Secondly, ensure that you have added the package permission to your job

The second of these involves adding this snippet to your workflow's job (note that this permission can be read if you are only pulling a container):

    permissions:
      packages: write

In the context of your workflow:

name: ghcr_test
on:
  push:
    branches:
      - dev

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      packages: write
    steps:
      - name: Checkout
        uses: actions/checkout@v2
      - name: Login to GitHub Packages
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push Docker image
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}

I had a similar issue and eventually stumbled across that permission and suddenly everything started to work. Hopefully it will for you too.

Upvotes: 23
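As an added, defender-side check that is not part of sihil's answer or of any GitHub tooling: a small Python lint that scans workflow text for jobs which push to ghcr.io without an effective packages: write grant for GITHUB_TOKEN. It is run here over a constructed copy of the question's workflow and over the same job with the job-level permission added. The scanner, the sample texts and the function names (scan_workflow, findings) are assumptions of this example; it uses an indentation-based line scan rather than a YAML parser so it needs only the standard library.

```python
"""Lint GitHub Actions workflow text for jobs that push to ghcr.io with
GITHUB_TOKEN but never grant it `packages: write`.

Hypothetical helper written for this answer, not GitHub tooling. It uses an
indentation-based line scan instead of a YAML parser so it runs with the
standard library only; it assumes the two-space indentation used in the
workflows on this page and recognises `permissions:` mappings and the
`permissions: write-all` shorthand at both workflow and job level."""

import re

# Constructed sample: the questioner's workflow, with no permissions block.
WORKFLOW_MISSING = """\
name: ghcr_test
on:
  push:
    branches:
      - dev

jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Login to GitHub Packages
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build and push Docker image
        uses: docker/build-push-action@v2
        with:
          context: .
          push: true
          tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
"""

# Constructed sample: the same job with the job-level permission added.
WORKFLOW_FIXED = WORKFLOW_MISSING.replace(
    "    runs-on: ubuntu-latest\n",
    "    runs-on: ubuntu-latest\n    permissions:\n      packages: write\n",
)


def _new_job():
    return {"ghcr": False, "push": False, "perm_block": False, "write": False}


def scan_workflow(text):
    """Return (workflow_grants_write, {job_name: job_state})."""
    jobs, job = {}, None
    workflow_write, in_jobs = False, False
    perm_indent = None  # indent of the open `permissions:` mapping, if any
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        ind = len(raw) - len(raw.lstrip(" "))
        # A permissions mapping ends when indentation returns to its key level.
        if perm_indent is not None and ind <= perm_indent:
            perm_indent = None
        if perm_indent is not None:
            if re.fullmatch(r"packages:\s*write", stripped):
                if job is None:
                    workflow_write = True
                else:
                    jobs[job]["write"] = True
            continue
        if ind == 0:
            in_jobs, job = stripped == "jobs:", None
            if stripped == "permissions:":
                perm_indent = 0
            elif re.fullmatch(r"permissions:\s*write-all", stripped):
                workflow_write = True
            continue
        if in_jobs and ind == 2 and stripped.endswith(":"):
            job = stripped[:-1]
            jobs[job] = _new_job()
            continue
        if job is None:
            continue
        if ind == 4 and stripped.startswith("permissions:"):
            # A job-level permissions key replaces the workflow-level one entirely.
            jobs[job]["perm_block"] = True
            if stripped == "permissions:":
                perm_indent = 4
            elif stripped.endswith("write-all"):
                jobs[job]["write"] = True
        elif "ghcr.io" in stripped:
            jobs[job]["ghcr"] = True
        elif re.fullmatch(r"push:\s*true", stripped):
            jobs[job]["push"] = True
    return workflow_write, jobs


def findings(text):
    """Names of jobs that push to ghcr.io without an effective packages: write."""
    workflow_write, jobs = scan_workflow(text)
    bad = []
    for name, st in jobs.items():
        granted = st["write"] or (not st["perm_block"] and workflow_write)
        if st["ghcr"] and st["push"] and not granted:
            bad.append(name)
    return bad


if __name__ == "__main__":
    for label, wf in (("original", WORKFLOW_MISSING), ("fixed", WORKFLOW_FIXED)):
        print(label, "->", findings(wf) or "ok")
```

Running it reports the deploy job of the original workflow and nothing for the fixed one. The check also models the override rule that matters for least privilege: a job-level permissions key (for example permissions: read-all) replaces a workflow-level grant rather than adding to it, so a job that sets its own block still needs packages: write inside that block.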

ron

Reputation: 9376

As pointed out in https://github.community/t/unable-to-push-to-ghcr-io-from-github-actions/191761, the default package access settings will differ based on how the first image of that container was pushed:

Pushing directly with a PAT (from outside of Actions, at least) won't assign repository access. So you need to separately go to the individual package's package settings and add Actions access for the repository.

If the first push happens from the workflow (with GITHUB_TOKEN), then the source repository linking and the Actions access are configured by default for the repo that runs the workflow.

Deleting the manually pushed package and rerunning the workflow works.

Upvotes: 3

VonC

Reputation: 1326782

Check if this is related to actions/runner issue 1039

It seems GITHUB_TOKEN works only on the default branch... You need to use a custom PAT when running on PR branches.

Check also if this is similar to this discussion:

It turns out another org member had pushed the same package, which was private by default and was owned by that org member.
Since nobody else could even see the package as existing, we were very confused.

I think this default behavior of new packages being privately owned by the user uploading and not being visible to even the org owners is quite confusing.

If not, try, as described here, doing the push manually in order to validate your token (with docker login -u USERNAME -p TOKEN ghcr.io, then docker push). The GitHub Action might then work.

Upvotes: 6
