Michael Lihs

Reputation: 8220

GitHub workflow to push Docker image to ghcr.io

I am trying to push a Docker image from within a GitHub Actions workflow to the GitHub Container Registry (ghcr.io). Here are the steps I've taken:

  1. create a GitHub personal access token (PAT) with package read/write/delete permissions

  2. logged in locally with this PAT via

    export CR_PAT='...'
    echo $CR_PAT| docker login ghcr.io -u <MY GITHUB USERNAME> --password-stdin
    
  3. tagged my Docker image with the proper tag and pushed to ghcr

    docker tag texlive ghcr.io/michaellihs/texlive:latest
    docker push ghcr.io/michaellihs/texlive:latest
    
  4. the image was successfully pushed to https://github.com/users/michaellihs/packages/container/texlive

  5. went to the settings page of the package https://github.com/users/michaellihs/packages/container/texlive/settings and added the repository in which I implemented the GitHub Actions workflow (https://github.com/michaellihs/docker-texlive) as Actions Access with role admin

  6. I used the following GitHub Actions workflow to build & push my image

    name: ci
    
    on:
      push:
        branches:
          - 'main'
    
    jobs:
      build-and-push-image:
        runs-on: ubuntu-latest
        steps:
          - name: Checkout repository
            uses: actions/checkout@v3
    
          - name: Log in to the Container registry
            uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
            with:
              registry: https://ghcr.io
              username: ${{ github.actor }}
              password: ${{ secrets.GITHUB_TOKEN }}
    
          - name: Build and push Docker image
            uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
            with:
              context: image/
              push: true
              tags: ghcr.io/michaellihs/texlive:latest
    
  7. when I now run the workflow, I get the following error:

    #10 ERROR: denied: installation not allowed to Write organization package
    ------
     > pushing ghcr.io/michaellihs/texlive:latest with docker:
    ------
    ERROR: denied: installation not allowed to Write organization package
    Error: buildx call failed with: ERROR: denied: installation not allowed to Write organization package
    

Upvotes: 9

Views: 8564

Answers (3)

Tardzenyuy Desmond

Reputation: 1

An alternative solution is to add the secret GITHUB_TOKEN to your repository secrets. This should be your personal access token, provided you granted it the write permissions while creating it.

To generate one with the write permission:

  • Log into your GitHub account
  • Click on your profile picture on the top right corner
  • Click on "Settings"
  • On the left, scroll down and click on "<> Developer settings", then on "Personal access tokens" and finally on "Tokens (Classic)"
  • Click on "Generate new token" then on "Generate new token (Classic)"
  • You'll be prompted to give a name to the token.
  • Once the name is given, check the "repo", "workflow" and "write:packages" check boxes provided and click on "Generate token" as shown on the image below

image for generating a personal access token with write permissions

Once the token is generated:

  • Copy the token
  • Navigate to the repository
  • Click on settings; among the provided options on the left, click on "secrets and variables", then on "New repository secrets"
  • Paste the token under the "Secret *" and give it the name you'll use in your workflow file which in the earlier cases was "GITHUB_TOKEN"

Then add

    jobs:
      build-and-push-image:
        runs-on: ubuntu-latest
        permissions:
          packages: write

in your workflow file.

Upvotes: 0

B. Ehlers

Reputation: 121

An alternative to changing the workflow permissions in the repository settings is to use job-level permissions to set write permissions for packages. That has the advantage that only this job runs with the additional privilege.

    jobs:
      ...
        runs-on: ubuntu-latest
        permissions:
          packages: write
        steps:
          ...

Upvotes: 5
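
The job-level approach from the answer above, applied to the workflow in the question. This is an added example, not code from any of the posters; it assumes the package still grants the repository Actions access as in step 5 of the question. The empty top-level `permissions` block and the `contents: read` entry are additions: once a `permissions` block is present, every scope not listed is set to none, so the checkout step needs its read scope stated explicitly.

```yaml
# Added example: the question's workflow with the token scoped per job.
name: ci

on:
  push:
    branches:
      - 'main'

# Workflow-wide default: GITHUB_TOKEN carries no scopes unless a job requests them.
permissions: {}

jobs:
  build-and-push-image:
    runs-on: ubuntu-latest
    permissions:
      contents: read    # required by actions/checkout; unlisted scopes become "none"
      packages: write   # lets GITHUB_TOKEN push to ghcr.io, for this job only
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Log in to the Container registry
        uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push Docker image
        uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
        with:
          context: image/
          push: true
          tags: ghcr.io/michaellihs/texlive:latest
```

With this layout the repository-wide "Workflow permissions" setting can stay on read-only, and any other job added to the workflow starts with no token scopes.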

Michael Lihs

Reputation: 8220

It seems like there was one step missing: in the repository that hosts the workflow,

  1. go to the repository settings (/settings)

  2. from the menu, select "Actions --> General"

  3. in the "Workflow permissions" select "Read and write permissions"

    Don't forget to hit "Save" afterwards

That solved the problem and the image was successfully pushed to the registry.

Upvotes: 3
