Martin

Reputation: 916

GitHub Actions workflow fails to download image from GHCR during build

My workflow should log in to a GitHub Container Registry (GHCR), build a container, and push it. One stage of the container depends on another private container in the organization's registry as a build stage. However, the action fails to authenticate with GHCR during the build process. The action can build and push a private image to the same registry if it does not depend on another private container image. How can I configure my action to pull another private container image during build time?

Here is the relevant part of the Dockerfile:

FROM ghcr.io/my-org/data:main AS data

The container and label I try to pull exist and work fine during local builds.

This is an excerpt from the workflow file:

- name: Log in to the Container registry
  uses: docker/login-action@v2
  with:
    registry: ghcr.io
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract metadata (tags, labels) for Docker
  id: meta
  uses: docker/metadata-action@v4
  with:
    images: ghcr.io/${{ github.repository_owner }}/frontend
    tags: type=ref,event=branch

- name: Build and push Docker image
  uses: docker/build-push-action@v4
  with:
    push: true
    tags: ${{ steps.meta.outputs.tags }}
    labels: ${{ steps.meta.outputs.labels }}

Docker emitted the following error during build:

ERROR: failed to solve: ghcr.io/my-org/data:main: pulling from host ghcr.io failed with status code [manifests main]: 403 Forbidden

Upvotes: 0

Views: 356

Answers (1)

Martin

Reputation: 916

By default, the GITHUB_TOKEN in a GitHub Actions workflow is scoped to read and write the repository's resources:

The token's permissions are limited to the repository that contains your workflow.

Quote from GitHub Docs: Automatic token authentication

Each package in GitHub Packages is scoped to be only accessible by the repository that created it. However, you can make a package accessible to a different repo (and thus the GITHUB_TOKEN in its workflows) by going to the package settings from the sidebar of the respective package page. There, you can add the repositories that should access this package in the "Manage Actions access" section:

Screenshot of the Manage Actions access section in a package's settings. There is a list with two repositories. One repository is named repo-whose-action-created-this-image and has the admin role, and the second one is called repo-in-which-this-image-should-be-used and has a write role. There is a green "Add Repository" button.

After adding my repo here, the workflow from the original question completes.

Upvotes: 1
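The following workflow is an added example (not from the question or answer above) showing the two halves of the fix together: the package-side grant described in the answer is still required, and on the workflow side the GITHUB_TOKEN is given an explicit least-privilege `permissions` block, followed by a preflight step that checks the private base image is readable before the build starts, so a missing "Manage Actions access" entry surfaces as a clear error rather than a 403 mid-build. The image name `ghcr.io/my-org/data:main` is the one from the question; `actions/checkout@v4` and the `docker buildx imagetools inspect` preflight are assumptions of this example, not part of the original post.

```yaml
name: build-frontend

on:
  push:
    branches: [main]

# Least-privilege grant for GITHUB_TOKEN. packages:write is needed to push the
# built image and also covers reading packages this repository has been
# granted access to under "Manage Actions access"; nothing else is requested.
permissions:
  contents: read
  packages: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Log in to the Container registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Preflight (added for this example): read the manifest of the private
      # base image with the same credentials the build will use. If this
      # repository has not been added in the package's "Manage Actions access"
      # settings, the step fails here with an actionable message instead of a
      # bare "403 Forbidden" from BuildKit.
      - name: Verify access to private base image
        run: |
          if ! docker buildx imagetools inspect ghcr.io/my-org/data:main > /dev/null; then
            echo "::error::GITHUB_TOKEN cannot read ghcr.io/my-org/data:main; add this repository under the package's 'Manage Actions access' settings."
            exit 1
          fi

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ghcr.io/${{ github.repository_owner }}/frontend
          tags: type=ref,event=branch

      - name: Build and push Docker image
        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
```

The preflight step reuses the credentials written by docker/login-action, so it exercises exactly the path the FROM line in the Dockerfile will take; if it passes but the build still fails, the problem is elsewhere (for example a typo in the image reference or tag) rather than token scope.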
