Can anyone explain what else I would need to authorize a pull from a private . I have followed the docs and still getting this error:

```
Error response from daemon: Head "https://ghcr.io/v2/my-image/manifests/latest": unauthorized
```

I have seen other developers on here having similar issues, and I have tried their solutions, but it is still not working. Based on the docs there are 2 ways to authenticate. The old way, not recommended anymore according to the docs, is using a PAT (personal access token). The second and recommended way is using secrets.GITHUB_TOKEN, as shown here. I'm using the GITHUB_TOKEN setup as seen in my code below.

What am I missing here to be able to do a pull on the package after it has been pushed to the registry?

GitHub workflow:

```yaml
name: Release
on:
  push:
    branches:
      - main
env:
  REGISTRY: ghcr.io
  IMAGE_NAME: ${{ github.repository }}

jobs:
  Release:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Log into Container registry ${{ env.REGISTRY }}
        uses: docker/login-action@v2
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}

      - name: Build and push Docker image
        uses: docker/build-push-action@v3
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
```

Workflow permissions: [screenshot]

me-me
  • What permission scope did you configure for your repository `secrets.GITHUB_TOKEN`? – GuiFalourd Sep 12 '22 at 12:25
  • Only PATs have scope from what I have read in the docs. If secrets.GITHUB_TOKEN can have scope can you please explain? – me-me Sep 12 '22 at 14:55
  • @GuiFalourd as written in docs: You can use the permissions key in your workflow file to modify permissions for the GITHUB_TOKEN for an entire workflow or for individual jobs. This allows you to configure the minimum required permissions for a workflow or job. When the permissions key is used, all unspecified permissions are set to no access, with the exception of the metadata scope, which always gets read access. – me-me Sep 12 '22 at 14:57
  • I was thinking it might be related to the default read permission, but as you have Read and Write, that's not the issue here. Even if it's not recommended to use the PAT anymore, did you check if using one was working? – GuiFalourd Sep 12 '22 at 17:35
  • @GuiFalourd I added a PAT and used that as a login using `username: ${{ github.actor }}` `password: ${{ secrets.GITHUB_PAT }}`. I set it to packages read/write. Getting the exact same unauthorized message when doing a pull. – me-me Sep 12 '22 at 18:59
  • If you followed what is described in the [action documentation for container registry](https://github.com/docker/login-action#github-container-registry), I don't know how to identify what may be wrong besides the author and password scope permission (which are the only things we can't reproduce here). – GuiFalourd Sep 12 '22 at 20:01
  • Ok, got it to work finally. I had to delete the package and then run it again using a PAT. But most importantly I had to log in to the registry using the PAT in order to be able to pull from my terminal. `docker login ghcr.io --username MY_USERNAME` – me-me Sep 12 '22 at 20:07
  • Now the question is how would this work with multiple users. I would have to create a PAT for every user, which is crazy? – me-me Sep 12 '22 at 20:08
  • If it's inside an organization, the best solution would be to create a service account and use its PAT for this kind of operation. That way you won't depend on TOKEN many accounts. (PS: add your answer as an official answer as well! :D ) – GuiFalourd Sep 12 '22 at 21:02

1 Answer

For anyone else who has this issue maybe this will help: 2 extra steps to the above post.

  1. Delete the package that I had already created in GitHub.
  2. Then run another build using a PAT that I created.

GitHub Action updated code:

```yaml
- name: Log into Container registry ${{ env.REGISTRY }}
  uses: docker/login-action@v2
  with:
    registry: ${{ env.REGISTRY }}
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_PAT }}
```

After doing a new build I had to log in to Docker using the PAT as the password.

```
docker login ghcr.io --username YOUR_GITHUB_USERNAME
```
me-me
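
For the terminal pull described in the answer above, one way to script the login so the PAT is read from an environment variable and passed on stdin. This is an added example, not code from the original post; `GHCR_USER`, `GHCR_PAT`, `ghcr_ref` and `ghcr_pull` are assumed names. The `GITHUB_TOKEN` exists only inside a workflow run, which is why a pull from a workstation needs a personal token.

```shell
# Added example: pull a private ghcr.io image from a workstation.
# Assumptions: GHCR_USER and GHCR_PAT are hypothetical variable names; GHCR_PAT
# holds a classic PAT limited to the read:packages scope.

# Build a pull reference from "owner/name" and an optional tag.
# Registry paths are lowercase even when the GitHub owner or repo name is not.
ghcr_ref() {
  local repo tag
  repo=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  tag=${2:-latest}
  case "$repo" in
    ?*/?*) ;;  # owner namespace present
    *) echo "expected owner/name, got '$1'" >&2; return 1 ;;
  esac
  printf 'ghcr.io/%s:%s\n' "$repo" "$tag"
}

# Log in, pull, then log out so the credential is not left in Docker's
# local credential store after the pull.
ghcr_pull() {
  local ref rc
  ref=$(ghcr_ref "$1" "${2:-}") || return 1
  : "${GHCR_USER:?set GHCR_USER}" "${GHCR_PAT:?set GHCR_PAT}"
  # --password-stdin keeps the token out of argv and shell history.
  printf '%s' "$GHCR_PAT" |
    docker login ghcr.io --username "$GHCR_USER" --password-stdin || return 1
  rc=0
  docker pull "$ref" || rc=$?
  docker logout ghcr.io >/dev/null
  return "$rc"
}

# Usage: GHCR_USER=YOUR_GITHUB_USERNAME GHCR_PAT=... ghcr_pull OWNER/IMAGE latest
```

Each user, or a shared service account as suggested in the comments, supplies its own token through the environment, so nothing is written into the script itself.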