Olivier

Reputation: 416

cannot push to ghcr.io from github action although I am logged in

I'm trying to push an image to ghcr.io but it fails with a 403 error although I am logged in successfully. My actions file is:

on: [release]
env:
  REGISTRY_IMAGE: ghcr.io/<my github>/<my repo>
  PLATFORMS: linux/amd64,linux/arm64

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GHCR.io
        uses: docker/login-action@v3
        with:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
          registry: ghcr.io
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}
          tags: |
            type=semver,pattern={{version}}
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: ${{ env.PLATFORMS }}
          push: ${{ github.event.action == 'published' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

When I publish a release, the login step executes successfully:

login works

then the image is built but the push fails:

#19 ...
#20 [auth] <my github>/<my repo>:pull,push token for ghcr.io
#20 DONE 0.0s
#19 exporting to image
#19 exporting manifest sha256:4cee9ce71a59621cb01da05fe096c4bc1af3d845be2dfa0ef6818bb308a8425f done
#19 exporting config sha256:9252c23b5821f41775fe2972a0a1084da73402989e175f58eb3499724d4a62e9 done
#19 exporting attestation manifest sha256:6fde955ef869eff278ff308c08d68eddc5fb89ff58b9d07c091dab4d8d805526 done
#19 exporting manifest sha256:80a4f338413b816a94fa54b57d5fcc73a5f4f2b2997af1d08e7c51e0a4282294 done
#19 exporting config sha256:a1bba033e73c64e554cfd6576ef057444b40513e681e6a808b322de73d03b1e8 done
#19 exporting attestation manifest sha256:de53d2e47d2c5e63dde15e96bad1bc806dd8b5f3368ca5afab031526342ea245 done
#19 exporting manifest list sha256:63534ced839b9d4dd250a87c22f13c872494a3a8e2fc62718b177401ec7b0e56 done
#19 pushing layers
#19 pushing layers 0.2s done
#19 ERROR: failed to push ghcr.io/<my github>/<my repo>:0.2.1: unexpected status from POST request to https://ghcr.io/v2/<my github>/<my repo>/blobs/uploads/: 403 Forbidden
------
 > exporting to image:
------
ERROR: failed to solve: failed to push ghcr.io/<my github>/<my repo>:0.2.1: unexpected status from POST request to https://ghcr.io/v2/leolivier/cousins-matter/blobs/uploads/: 403 Forbidden
Error: buildx failed with: ERROR: failed to solve: failed to push ghcr.io/<my github>/<my repo>:0.2.1: unexpected status from POST request to https://ghcr.io/v2/<my github>/<my repo>/blobs/uploads/: 403 Forbidden

Edit: My repo is registered with role admin on my package.

Upvotes: 0

Views: 1066

Answers (1)

Teemu Risikko

Reputation: 3275

Solution

You are missing the write permission for packages most likely, since you are using the default role. Try adding the permissions to your job like this:

jobs:
  docker:
    runs-on: ubuntu-latest
    permissions:
      packages: write
    ...

Explanation

Default permissions for jobs that run with the implicit GITHUB_TOKEN can be found in the documentation.

The same documentation also contains information about how to change the permissions.

In more detail, the write permissions are not granted by default when the GH actions settings are restrictive. You can check the setting from https://github.com/<my github>/<my-repo>/settings/actions. The two options are:

Read and write permissions: Workflows have read and write permissions in the repository for all scopes.

Read repository contents and packages permissions: Workflows have read permissions in the repository for the contents and packages scopes only.

If the lower option is selected, your repository is in restrictive mode from the GH Actions perspective, and write access to packages needs to be granted separately.

Upvotes: 1
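As an added example (not part of the question or the answer above), here is the questioner's workflow with the job-level permissions block the answer recommends, narrowed to the two scopes this job actually needs. The workflow name and the `types: [published]` event filter are assumptions introduced here; everything else is the original workflow.

```yaml
# Added example, not from the question or the answer: the questioner's workflow
# with an explicit least-privilege permissions block on the job.
name: release-image   # assumed name, not in the original workflow

on:
  release:
    types: [published]   # assumed: only run on publish, so `push:` can be unconditional

env:
  REGISTRY_IMAGE: ghcr.io/<my github>/<my repo>
  PLATFORMS: linux/amd64,linux/arm64

jobs:
  docker:
    runs-on: ubuntu-latest
    # Listing `permissions` on the job sets every unlisted scope to `none`,
    # so `contents: read` must be named or actions/checkout will fail.
    permissions:
      contents: read     # clone the repository
      packages: write    # push to ghcr.io (write implies read for pulls)
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GHCR.io
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.REGISTRY_IMAGE }}
          tags: |
            type=semver,pattern={{version}}
      - name: Build and push
        uses: docker/build-push-action@v5
        with:
          context: .
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
```

Two things worth checking when this still returns 403. First, the `permissions` block is the right fix even when the repository setting allows "Read and write permissions", because that setting grants write on every scope (contents, issues, pull requests, ...) to every workflow; an explicit job-level block keeps the token down to what the push needs. Second, the job-level block only controls what GITHUB_TOKEN is allowed to ask for; the package itself must also grant the repository write access. A package first pushed with GITHUB_TOKEN is created already linked to the repository, but a package that was first pushed by hand with a personal token is not, and the repository has to be added under the package's "Manage Actions access" settings (the questioner's edit reports this part is already done).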
