github action with docker makes error "exporting to image 403 forbidden error"

Question

name: CI/CD Docker

on:
  push:
    branches: [main]

env:
  DOCKER_IMAGE: ghcr.io/${{ github.actor }}/github-actions-auto
  VERSION: ${{ github.sha }}
  NAME: go_cicd

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      # github repository에서 checkout
      - uses: actions/checkout@v2
      - name: Set up docker buildx
        id: buildx
        uses: docker/setup-buildx-action@v1
      - name: Cache docker layers
        uses: actions/cache@v2
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ env.VERSION }}
          restore-keys: |
            ${{ runner.os }}-buildx-
      - name: Login to ghcr
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Build and push
        id: docker_build
        uses: docker/build-push-action@v2
        with:
          builder: ${{ steps.buildx.outputs.name }}
          push: true
          tags: ${{ env.DOCKER_IMAGE }}:latest
  deploy:
    needs: build
    name: Deploy
    runs-on: [self-hosted, label-go]
    steps:
      - name: Login to ghcr
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GHCR_TOKEN }}
      - name: Docker run
        run: |
          docker stop ${{ env.NAME }} && docker rm ${{ env.NAME }} && docker rmi ${{ env.DOCKER_IMAGE }}:latest
          docker run -d -p 8080:80 --name go_cicd --restart always ${{ env.DOCKER_IMAGE }}:latest

This is our Dockerfile. If I push code to main branch, this CI/CD pipeline works well. But my partner push code to main branch, it makes 403 forbidden error. I don't know how to solve this problem... How to solve this error?

This is error message in github actions.

Answer 1

Had the same problem, here's what fixed:

runs-on: ubuntu-latest
permissions:
  packages: write
  contents: read

It's a combination of @keipala's answer, and this answer.

---

Also note: if permissions are an issue, for testing purposes, you can add

permissions: read-all|write-all

as found here to allow full access, then par back scopes when you know it's working.

Answer 2

To make this work for me, I had to allow the repository to write to the package. You would do that in this link:

https://github.com/users/${username}/packages/container/#{repo}/settings

And there should be a section there "Manage Actions access", where you can add the repository

Answer 3

In my case, it was fixed by adding a driver and install properties.

- name: Set up Docker Buildx
  uses: docker/setup-buildx-action@v1
  with:
    driver: docker
    install: true

Answer 4

For anyone stumbling upon this in future, here's what you need to make the pre-built github actions to push docker image to azure web app work,

jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write

You need to add the content given below the permissions part. Reference: https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#publishing-a-package-using-an-action

Answer 5

Adding the below permissions to the build job fixed this issue for me. I am not sure it will work for anyone, but this question was the first I found when looking for a solution. Hopefully it can help future people:

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      packages: write

This was taken from this answer: https://stackoverflow.com/a/71438011/14387852

Answer 6

Follow these steps to fix this issue.

https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#configuring-the-default-github_token-permissions