I am trying to set up a test with pulling from GHCR in GitHub Actions.
According to the docs one shall use GITHUB_TOKEN.
So I have the following setup:
name: CI
on: push
env:
REGISTRY: ghcr.io
jobs:
test:
runs-on: ubuntu-latest
permissions:
packages: read
steps:
- name: Log in to the Container registry
uses: docker/login-action#v1
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: pull
run: |
docker pull ghcr.io/username/terraform-provider-skopeo/alpine:latest
Output of these steps are:
Logging into ghcr.io...
Login Succeeded!
and
Error response from daemon: unauthorized
Not really sure where the problem with authorization comes from.
You actually need to explicitly give the Repo's Actions permission: https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#upgrading-a-workflow-that-accesses-ghcrio
Necessary steps are:
Navigate to your package landing page.
In the left sidebar, click Actions access. "Actions access" option in left menu
To ensure your container package has access to your workflow, you must add the repository where the workflow is stored to your container. Click Add repository and search for the repository you want to add.
"Add repository" button
Note: Adding a repository to your container through the Actions access menu option is different than connecting your container to a repository. For more information, see "Ensuring workflow access to your package" and "Connecting a repository to a package."
Optionally, using the "role" drop-down menu, select the default access level that you'd like the repository to have to your container image.
Permission access levels to give to repositories
Open your workflow file. On the line where you log in to ghcr.io, ensure to use ${{ secrets.GITHUB_TOKEN }} (replace PAT).
Note: Just linking the Package with the Repo is not enough.
Related
With GitHub Actions I'm trying to set up a service that runs a specific image (MySQL preloaded with a database) that I have pushed to ghcr.io however when it runs I get this error:
Error response from daemon: denied
Warning: Docker pull failed with exit code 1, back off 8.976 seconds before retry.
Workflow:
services:
mysql:
image: ghcr.io/my-name/my-image
ports:
- 3306:3306
I see it does the following:
/usr/bin/docker --config /home/runner/work/_temp/.docker_[...] login ghcr.io -u myusername --password-stdin
There is no feedback so not sure if it is logged in or not. And, then:
/usr/bin/docker --config /home/runner/work/_temp/.docker[...] pull ghcr.io/my-name/my-image
And then I get that error.
I have found many examples (see below) to use GITHUB_TOKEN but not how to use it within the services section so I am not sure if this works or what the syntax would be. So is it even possible to use with services or not? Also have given the repository in which the GitHub action is defined access to the specific package.
steps:
- name: Checkout repository
uses: actions/checkout#v3
- name: Log in to the Container registry
uses: docker/login-action#f054a8b539a109f9f41c372932f1ae047eff08c9
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
So I finally found the issue, in my workflow (started from default template) I had:
permissions:
contents: read
Then I saw this:
Setting permissions in the workflow
A new permissions key supported at the workflow and job level enables
you to specify which permissions you want for the token. Any
permission that is absent from the list will be set to none.
This caused packages to be set to none. Removing the whole permissions or adding:
packages: read
fixes this issue I had, thanks for the help.
I have a repository that includes a container image build-and-publish workflow; the critical workflow steps looks like:
- name: Log in to the Container registry
uses: docker/login-action#v2
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
[...]
- name: Build and push Docker image
uses: docker/build-push-action#v3
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
I deleted the GitHub repository that contained this workflow, and then re-created it with the same name. After restoring the content in the repository, the above action is now failing with:
ERROR: denied: permission_denied: write_package
Error: buildx failed with: ERROR: denied: permission_denied: write_package
Additionally, using the registry API I can see that the corresponding image repository still exists and contains tagged images from the previous instance of the repository.
I would have expected the package repository to be deleted when I deleted the git repository, but it apparently persists and is linked to the prior authentication credentials.
I've been able to work around the permission problem by manually generating a github token, and then modifying the login action to use it:
- name: Log in to the Container registry
uses: docker/login-action#v2
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.OVERRIDE_GITHUB_TOKEN }}
That works, but the package repository is no longer linked to the git repository. Looking at the repository main page, we see:
Additionally, the workaround is messy and leads to maintenance issues (e.g. if the token expires the secrets need to be updated manually, which isn't an issue when using the default token).
Is there any way to restore package repository access for the default token and re-link the git repository to the package repository? I would be happy to simply delete the package repository, but it wasn't clear if that's possible.
I am currently trying to run a docker GitHub Action which builds and pushes a docker image to the GitHub Packages but I am receiving an error which I have never seen. For some reason it fails to push the docker image because write_permission is denied but I have a token allowing me to write so I don't understand what the problem is.
This is my action file:
name: Docker Image CI
on:
workflow_dispatch:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v2
- name: Set up JDK 16
uses: actions/setup-java#v1
with:
java-version: 16
- name: Build with Maven
run: mvn -f ACS/pom.xml clean install dependency:copy-dependencies
- name: Login to GitHub Package Registry
run: echo ${{ secrets.GITHUB_TOKEN }} | docker login docker.pkg.github.com -u ${{ github.repository }} --password-stdin
- name: Build the Docker image
run: docker build -t image:latest .
- name: Tag the Docker image
run: docker tag image:latest docker.pkg.github.com/organization/repository/image:latest
- name: Push the Docker image to the registry
run: docker push docker.pkg.github.com/organization/repository/image:latest
This is my error:
Run docker push docker.pkg.github.com/organization/repository/image:latest
The push refers to repository
[docker.pkg.github.com/organization/repository/image]
f0eaf014e806: Preparing 7d0bad636b3f: Preparing aa0870e7c621:
Preparing 36d2f9f005e6: Preparing 22bb3686ee25: Preparing
05e198868a20: Preparing b5cea4a3dd43: Preparing 93c7a8a0e1f4:
Preparing 7f4b55b885b0: Preparing 05e198868a20: Waiting b5cea4a3dd43:
Waiting 93c7a8a0e1f4: Waiting 7f4b55b885b0: Waiting denied:
permission_denied: write_package
I was facing the same issue. To resolve this
Go to USER/ORG home page and click on Packages tab
Click on the package for which you are getting the permission_denied error
On the bottom of right sidebar click on Package settings option
On the Manage Actions access change the package role to write
Done. Now rerun the the action and you will find the problem is resolved.
The solution presented did not work for me, I had to add my repository to the package settings as documented in the issue https://github.community/t/unable-to-push-to-ghcr-io-from-github-actions/191761/3
Go to Package settings (to the right / bottom) of the package
And configure "Manage Actions access" section to allow the git repository in question write permissions on this package/docker repository - so making sure to also select "Write" when adding the repository.
For those interested, I managed to solve my issue although not quite sure how or more precisely which of the steps that I used, did help me solve the issue.
So basically, I first revoked my tokens and made a new one. Then I logged in to docker like this docker login -u USERNAME -p TOKEN ghcr.io while before I would use docker.pkg.github.com and then managed to push my docker image manually to GitHub Package Registry which then made the GitHub Action flow works as well, although I did change nothing there.
I hope that helps people who have the same issue.
Try adding login step to your job:
- name: Login to GitHub Container Registry
uses: docker/login-action#v1
with:
registry: ghcr.io
username: ${{github.actor}}
password: ${{secrets.GITHUB_TOKEN}}
I just wanted to add an alternative solution for people who are running into this error and finding this page from Google results.
If you've created a package previously from a forked repo, and then forked a different repo with the same package name, Github actions will fail like this. Go into your package settings and delete the package, and it should succeed again.
currently you precise your github token but not the secrets for DOCKERHUB_USERNAME and DOCKERHUB_TOKEN. You need define in your repositories a new secrets DOCKERHUB_USERNAME and DOCKERHUB_TOKEN as indicated in https://docs.github.com/en/actions/reference/encrypted-secrets.
You must also create a dockerhub token on dockerhub website portal.
You also need to add this sample code before build and push action.
name: Login to DockerHub
uses: docker/login-action#v1
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
I have link a github repo with my docker hub account. When there is a push to github master branch, a new image will be built in docker hub. But the image only has LATEST tag. How can I make the version increased automatically?
Ideally, I'd like it follow the sversion 1.0.0. And increase for every push 1.0.1, 1.0.2 1.0.3 etc.
Is there a way to make it follow this pattern?
You could associate a GitHub Action workflow to your repository, like docker/metadata-action
GitHub Action to extract metadata (tags, labels) for Docker. This action is particularly useful if used with Docker Build Push action.
You can see it used here. Warning: the tag name (as generated by the GitHub Action) will contain the branch name as well.
I was having the same problem, solved with this GitHub Action Code:
Create a secret called MAJOR to save your mayor version
Create a secret called MINOR to save your minor version
You will need a token to update you repo secrets, so... create a secret called REPO_ACCESS_TOKEN to grant your action dose his work.
name: Docker Image CI
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
jobs:
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout#v2
-
name: Build the Docker image
run: docker build . --file src/MasterReport.UI/Dockerfile --tag eriksongm/master-report:${{ secrets.MAJOR }}.${{ secrets.MINOR }}
-
name: Login to DockerHub
uses: docker/login-action#v1
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
-
name: Push to DockerHub
run: docker push eriksongm/master-report:${{ secrets.MAJOR }}.${{ secrets.MINOR }}
-
name: Update Minor version
uses: hmanzur/actions-set-secret#v2.0.0
with:
name: 'MINOR'
value: $((${{ secrets.MINOR }}+1))
repository: EriksonGM/MasterReport
token: ${{ secrets.REPO_ACCESS_TOKEN }}
This was my final code, as you can see, I have a last step just to update the minor version, only if all the other jobs run ok.
I am setting up a Github action to push a Docker image to Docker Hub following Github official README.md for docker/build-push-action#v2.
This is my action inside directory .github/workflows/
name: Publish Docker image
on:
push:
branches: master
jobs:
push_to_registry:
name: Push Docker image to Docker Hub
runs-on: ubuntu-latest
steps:
-
name: Set up QEMU
uses: docker/setup-qemu-action#v1
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action#v1
-
name: Login to DockerHub
uses: docker/login-action#v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
-
name: Build and push
id: docker_build
uses: docker/build-push-action#v2
with:
push: true
tags: user/app:latest
-
name: Image digest
run: echo ${{ steps.docker_build.outputs.digest }}
Having tested the action worked in my fork branch I then merged the branch to the main repo. To my surprise the login step failed showing the following error inside Github actions log
Run docker/login-action#v1
with:
logout: true
Error: Username and password required
At first I thought I could have wrongly defined (or even not defined) the secrets inside the main repo but after a request with octokit I found out that they are there
{
total_count: 2,
secrets: [
{
name: 'DOCKER_PASSWORD',
created_at: '2020-11-04T15:28:55Z',
updated_at: '2020-11-16T13:11:27Z'
},
{
name: 'DOCKER_USERNAME',
created_at: '2020-11-04T15:28:55Z',
updated_at: '2020-11-16T13:11:27Z'
}
]
}
I guess that docker/login-action#v1 is not using username and password provided after the with: keyword. I am very puzzled by this as it did work on my fork branch and do not understand why with: is sending the keyword logout: true instead which I did not set.
Does someone have more insight into this ?
Could you check that in the repository's settings the secrets are there like this:
Also, when you say
Having tested the action worked in my fork branch I then merged the branch to the main repo.
does this mean the main repo is also yours?
Because secrets don't transfer between repos. If you've forked another user's repository and want to contribute workflow changes requiring secrets, the main repo's owner(s) will have to add secrets with the same name.
Additionally, secrets aren't used in Pull Requests workflow runs. Hence you'll only see if it's working after the changes have been merged into the repository.
I have run into the same issue please check where you are giving your secret, now GitHub has two types of secrets, you should use Actions as shown in the image. If you use depependabot.