I am currently trying to run a docker GitHub Action which builds and pushes a docker image to the GitHub Packages but I am receiving an error which I have never seen. For some reason it fails to push the docker image because write_permission is denied but I have a token allowing me to write so I don't understand what the problem is.
This is my action file:
name: Docker Image CI
on:
  workflow_dispatch:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Set up JDK 16
        uses: actions/setup-java@v1
        with:
          java-version: 16
      - name: Build with Maven
        run: mvn -f ACS/pom.xml clean install dependency:copy-dependencies
      - name: Login to GitHub Package Registry
        run: echo ${{ secrets.GITHUB_TOKEN }} | docker login docker.pkg.github.com -u ${{ github.repository }} --password-stdin
      - name: Build the Docker image
        run: docker build -t image:latest .
      - name: Tag the Docker image
        run: docker tag image:latest docker.pkg.github.com/organization/repository/image:latest
      - name: Push the Docker image to the registry
        run: docker push docker.pkg.github.com/organization/repository/image:latest
This is my error:
Run docker push docker.pkg.github.com/organization/repository/image:latest
The push refers to repository [docker.pkg.github.com/organization/repository/image]
f0eaf014e806: Preparing
7d0bad636b3f: Preparing
aa0870e7c621: Preparing
36d2f9f005e6: Preparing
22bb3686ee25: Preparing
05e198868a20: Preparing
b5cea4a3dd43: Preparing
93c7a8a0e1f4: Preparing
7f4b55b885b0: Preparing
05e198868a20: Waiting
b5cea4a3dd43: Waiting
93c7a8a0e1f4: Waiting
7f4b55b885b0: Waiting
denied: permission_denied: write_package
I was facing the same issue. To resolve this
Go to USER/ORG home page and click on Packages tab
Click on the package for which you are getting the permission_denied error
On the bottom of right sidebar click on Package settings option
On the Manage Actions access change the package role to write
Done. Now rerun the action and you will find the problem is resolved.
The solution presented did not work for me, I had to add my repository to the package settings as documented in the issue https://github.community/t/unable-to-push-to-ghcr-io-from-github-actions/191761/3
Go to Package settings (to the right / bottom) of the package
And configure "Manage Actions access" section to allow the git repository in question write permissions on this package/docker repository - so making sure to also select "Write" when adding the repository.
For those interested, I managed to solve my issue although not quite sure how or more precisely which of the steps that I used, did help me solve the issue.
So basically, I first revoked my tokens and made a new one. Then I logged in to docker like this: docker login -u USERNAME -p TOKEN ghcr.io, while before I would use docker.pkg.github.com. I then managed to push my docker image manually to GitHub Package Registry, which made the GitHub Action flow work as well, although I changed nothing there.
I hope that helps people who have the same issue.
Try adding login step to your job:
- name: Login to GitHub Container Registry
  uses: docker/login-action@v1
  with:
    registry: ghcr.io
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }}
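As an added example (not code from any answer above), here is a complete workflow that pushes to ghcr.io with the job's own GITHUB_TOKEN and an explicit permissions block, so the token gets only contents read and packages write. The image path is a placeholder; for a package that already exists, the repository still needs write access in the package's "Manage Actions access" settings, as the earlier answers describe.

```yaml
name: Docker Image CI
on:
  push:
    branches: [ main ]
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    # Least privilege: every scope not listed here is set to none for this job's token.
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v3

      # Log in with the short-lived job token; no personal access token is stored in secrets.
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Tag with the commit SHA as well as latest so a running image can be traced to a commit.
      - name: Build and push
        run: |
          IMAGE="ghcr.io/${GITHUB_REPOSITORY,,}/image"   # ghcr.io paths must be lowercase
          docker build -t "$IMAGE:$GITHUB_SHA" -t "$IMAGE:latest" .
          docker push "$IMAGE:$GITHUB_SHA"
          docker push "$IMAGE:latest"
```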
I just wanted to add an alternative solution for people who are running into this error and finding this page from Google results.
If you've created a package previously from a forked repo, and then forked a different repo with the same package name, Github actions will fail like this. Go into your package settings and delete the package, and it should succeed again.
Currently you specify your GitHub token but not the secrets for DOCKERHUB_USERNAME and DOCKERHUB_TOKEN. You need to define new secrets DOCKERHUB_USERNAME and DOCKERHUB_TOKEN in your repository, as indicated in https://docs.github.com/en/actions/reference/encrypted-secrets.
You must also create a Docker Hub token on the Docker Hub website portal.
You also need to add this sample code before the build and push action.
- name: Login to DockerHub
  uses: docker/login-action@v1
  with:
    username: ${{ secrets.DOCKERHUB_USERNAME }}
    password: ${{ secrets.DOCKERHUB_TOKEN }}
With GitHub Actions I'm trying to set up a service that runs a specific image (MySQL preloaded with a database) that I have pushed to ghcr.io however when it runs I get this error:
Error response from daemon: denied
Warning: Docker pull failed with exit code 1, back off 8.976 seconds before retry.
Workflow:
services:
  mysql:
    image: ghcr.io/my-name/my-image
    ports:
      - 3306:3306
I see it does the following:
/usr/bin/docker --config /home/runner/work/_temp/.docker_[...] login ghcr.io -u myusername --password-stdin
There is no feedback so not sure if it is logged in or not. And, then:
/usr/bin/docker --config /home/runner/work/_temp/.docker[...] pull ghcr.io/my-name/my-image
And then I get that error.
I have found many examples (see below) to use GITHUB_TOKEN but not how to use it within the services section so I am not sure if this works or what the syntax would be. So is it even possible to use with services or not? Also have given the repository in which the GitHub action is defined access to the specific package.
steps:
  - name: Checkout repository
    uses: actions/checkout@v3
  - name: Log in to the Container registry
    uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
    with:
      registry: ${{ env.REGISTRY }}
      username: ${{ github.actor }}
      password: ${{ secrets.GITHUB_TOKEN }}
So I finally found the issue, in my workflow (started from default template) I had:
permissions:
  contents: read
Then I saw this:
Setting permissions in the workflow
A new permissions key supported at the workflow and job level enables
you to specify which permissions you want for the token. Any
permission that is absent from the list will be set to none.
This caused packages to be set to none. Removing the whole permissions or adding:
packages: read
fixes this issue I had, thanks for the help.
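The fix described above, shown as a full added example (not code from the question or the reply): a job-level permissions block that keeps contents: read and adds packages: read, plus a credentials block on the service so the runner logs in to ghcr.io with GITHUB_TOKEN before pulling. OWNER/IMAGE and the test command are placeholders.

```yaml
name: CI
on: push

jobs:
  test:
    runs-on: ubuntu-latest
    # Listing permissions sets every unlisted scope to none, so contents: read
    # must stay in the list for actions/checkout, and packages: read is what
    # the service-container pull from ghcr.io needs.
    permissions:
      contents: read
      packages: read
    services:
      mysql:
        image: ghcr.io/OWNER/IMAGE:latest   # placeholder: your preloaded MySQL image
        # The runner performs "docker login ghcr.io" with these values before the
        # pull, using the job token instead of a long-lived personal token.
        credentials:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
        ports:
          - 3306:3306
        # Hold the job until MySQL actually accepts connections.
        options: >-
          --health-cmd "mysqladmin ping -h 127.0.0.1 --silent"
          --health-interval 10s
          --health-timeout 5s
          --health-retries 10
    steps:
      - uses: actions/checkout@v3
      - name: Run tests against the preloaded database
        run: ./run-tests.sh   # placeholder for the real test command
```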
I am trying to set up a test with pulling from GHCR in GitHub Actions.
According to the docs one shall use GITHUB_TOKEN.
So I have the following setup:
name: CI
on: push
env:
  REGISTRY: ghcr.io
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      packages: read
    steps:
      - name: Log in to the Container registry
        uses: docker/login-action@v1
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: pull
        run: |
          docker pull ghcr.io/username/terraform-provider-skopeo/alpine:latest
Output of these steps are:
Logging into ghcr.io...
Login Succeeded!
and
Error response from daemon: unauthorized
Not really sure where the problem with authorization comes from.
You actually need to explicitly give the Repo's Actions permission: https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#upgrading-a-workflow-that-accesses-ghcrio
Necessary steps are:
Navigate to your package landing page.
In the left sidebar, click Actions access. "Actions access" option in left menu
To ensure your container package has access to your workflow, you must add the repository where the workflow is stored to your container. Click Add repository and search for the repository you want to add.
"Add repository" button
Note: Adding a repository to your container through the Actions access menu option is different than connecting your container to a repository. For more information, see "Ensuring workflow access to your package" and "Connecting a repository to a package."
Optionally, using the "role" drop-down menu, select the default access level that you'd like the repository to have to your container image.
Permission access levels to give to repositories
Open your workflow file. On the line where you log in to ghcr.io, ensure to use ${{ secrets.GITHUB_TOKEN }} (replace PAT).
Note: Just linking the Package with the Repo is not enough.
I have linked a GitHub repo with my Docker Hub account. When there is a push to the GitHub master branch, a new image is built in Docker Hub. But the image only has the LATEST tag. How can I make the version increase automatically?
Ideally, I'd like it to follow semantic versioning: 1.0.0, and increase for every push: 1.0.1, 1.0.2, 1.0.3 etc.
Is there a way to make it follow this pattern?
You could associate a GitHub Action workflow to your repository, like docker/metadata-action
GitHub Action to extract metadata (tags, labels) for Docker. This action is particularly useful if used with Docker Build Push action.
You can see it used here. Warning: the tag name (as generated by the GitHub Action) will contain the branch name as well.
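As an added example (not code from the answer above or from the metadata-action project), a Docker Hub workflow where docker/metadata-action derives the image tags from a pushed git tag such as v1.0.1, so the version is recorded in git history rather than in mutable repository secrets. USERNAME/IMAGE is a placeholder; the DOCKERHUB_USERNAME and DOCKERHUB_TOKEN secrets are the ones other answers on this page use.

```yaml
name: Docker Image CI
on:
  push:
    branches: [ master ]
    tags: [ 'v*.*.*' ]   # pushing a git tag such as v1.0.1 publishes that version

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # the job only reads the repository; Docker Hub auth is a separate secret
    steps:
      - uses: actions/checkout@v3

      # Tag rules: a v1.0.1 tag yields 1.0.1 and 1.0; every build also gets
      # sha-<short commit id>; latest is applied only on the default branch.
      - name: Extract image metadata
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: docker.io/USERNAME/IMAGE
          tags: |
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=sha
            type=raw,value=latest,enable={{is_default_branch}}

      - name: Login to DockerHub
        uses: docker/login-action@v2
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      # OCI labels from the same step record source revision and version in the image.
      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
```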
I was having the same problem, solved with this GitHub Action Code:
Create a secret called MAJOR to save your major version
Create a secret called MINOR to save your minor version
You will need a token to update your repo secrets, so create a secret called REPO_ACCESS_TOKEN to let your action do its work.
name: Docker Image CI
on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Build the Docker image
        run: docker build . --file src/MasterReport.UI/Dockerfile --tag eriksongm/master-report:${{ secrets.MAJOR }}.${{ secrets.MINOR }}
      - name: Login to DockerHub
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Push to DockerHub
        run: docker push eriksongm/master-report:${{ secrets.MAJOR }}.${{ secrets.MINOR }}
      - name: Update Minor version
        uses: hmanzur/actions-set-secret@v2.0.0
        with:
          name: 'MINOR'
          value: $((${{ secrets.MINOR }}+1))
          repository: EriksonGM/MasterReport
          token: ${{ secrets.REPO_ACCESS_TOKEN }}
This was my final code, as you can see, I have a last step just to update the minor version, only if all the other jobs run ok.
For building images of my current project, I use the gradle task bootBuildImage. This task creates a OCI image using Cloud Native Buildpacks.
- name: Build image with Gradle
  run: ./gradlew bootBuildImage
With the next step I'm trying to push this docker image to my private GitHub registry using build-push-action.
- name: Push image to Registry
  uses: docker/build-push-action@v1
  with:
    username: ${{ secrets.DOCKER_USERNAME }}
    password: ${{ secrets.DOCKER_PASSWORD }}
    registry: docker.pkg.github.com
    repository: sullrich84/wettkampfdb-backend
    tags: latest
  env:
    DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
    DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
As I can tell from the logs, the problem with this step is that it seems to rely on a Dockerfile located in the workspaces root directory which does not exist.
unable to prepare context: unable to evaluate symlinks in Dockerfile path: lstat /github/workspace/Dockerfile: no such file or directory
Is it possible to push the image created via bootBuildImage to my private GitHub registry without using/creating a dedicated Dockerfile?
If you are just looking for something to deal with docker push, you can just use the native docker command to do it.
Something like this.
- name: run docker push
  run: |
    # BUILD_TAG and LATEST_TAG are the image tags produced by your build step
    docker login -u "$DOCKER_USERNAME" -p "$DOCKER_PASSWORD"
    docker push "$BUILD_TAG"
    docker push "$LATEST_TAG"
  env:
    DOCKER_USERNAME: ${{ secrets.DOCKER_USERNAME }}
    DOCKER_PASSWORD: ${{ secrets.DOCKER_PASSWORD }}
The GitHub Action you are using is not for pushing an image you define by repository and tag but rather for build and push: https://github.com/docker/build-push-action#build-push-action
Builds and pushes Docker images and will log in to a Docker registry if required.
Specifically this is also related to https://github.com/docker/build-push-action/issues/17 - so just building without pushing is possible, not vice versa.
This github action does yet not allow just pushing.
This is for now very common for a lot of CI/CD solutions, where build and push are one task.
I use publishRegistry option of gradle bootBuildImage.
Set the parameters in your build.gradle (below is the Kotlin DSL, build.gradle.kts):
tasks.bootBuildImage {
    imageName = "${imageName}:${project.version}"
    isPublish = true
    docker {
        publishRegistry {
            // dockerUrl, dockerUsername and dockerPassword are values you define in the
            // build script, for example read from environment variables set from CI secrets
            url = dockerUrl
            username = dockerUsername
            password = dockerPassword
        }
    }
}
check this document
I have a github repository, a docker repository and a Amazon ec2 instance. I am trying to create a CI/CD pipeline with these tools. The idea is to deploy a docker container to ec2 instance when a push happened to github repository master branch. I have used github actions to build the code, build docker image and push docker image to docker hub. Now I want to pull the latest image from docker hub to remote ec2 instance and run the same. For this I am trying to execute ansible command from github actions. But I need to specify .pem file as an argument to the ansible command. I tried to keep .pem file in github secretes, but it didn't work. I am really confused how to proceed with this.
Here is my github workflow file
name: helloworld_cicd
on:
  push:
    branches:
      - master
jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
      - name: Check out code into the Go module directory
        uses: actions/checkout@v1
      - name: Go Build
        run: go build
      - name: Docker build
        run: docker build -t helloworld .
      - name: Docker login
        run: docker login --username=${{ secrets.docker_username }} --password=${{ secrets.docker_password }}
      - name: Docker tag
        run: docker tag helloworld vijinvv/helloworld:latest
      - name: Docker push
        run: docker push vijinvv/helloworld:latest
I tried to run something like
ansible all -i '3.15.152.219,' --private-key ${{ secrets.ssh_key }} -m rest of the command
but that didn't work. What would be the best way to solve this issue
I'm guessing what you meant by "it didn't work" is that ansible expects the private key to be a file, whereas you are supplying a string.
This page on github actions shows how to use secret files on github actions. The equivalent for your case would be to do the following steps:
gpg --symmetric --cipher-algo AES256 my_private_key.pem
Choose a strong passphrase and save this passphrase as a secret in github secrets. Call it LARGE_SECRET_PASSPHRASE
Commit your encrypted my_private_key.pem.gpg in git
Create a step in your actions that decrypts this file. It could look something like:
- name: Decrypt Pem
  run: gpg --quiet --batch --yes --decrypt --passphrase="$LARGE_SECRET_PASSPHRASE" --output $HOME/secrets/my_private_key.pem my_private_key.pem.gpg
  env:
    LARGE_SECRET_PASSPHRASE: ${{ secrets.LARGE_SECRET_PASSPHRASE }}
Finally you can run your ansible command with ansible all -i '3.15.152.219,' --private-key $HOME/secrets/my_private_key.pem
You can easily use webfactory/ssh-agent to add your ssh private key. You can see its documentation and add the following stage before running the ansible command.
# .github/workflows/my-workflow.yml
jobs:
  my_job:
    ...
    steps:
      - uses: actions/checkout@v2
      # Make sure the @v0.5.2 matches the current version of the
      # action
      - uses: webfactory/ssh-agent@v0.5.2
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}
      - ... other steps
SSH_PRIVATE_KEY must be the key that is registered in repository secrets. After that, run your ansible command without passing the private key file.
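Both answers above come down to turning the secret string back into a key file for the duration of the job. As an added example (not code from the question or either answer), here is a deploy job that does that directly from the ssh_key secret the question already has, with the file kept mode 0600 and removed afterwards. Assumptions: ansible is available on the runner, the instance login user is ec2-user, the container listens on 8080, and an ec2_host_key secret holds the instance's ssh-keyscan output so host-key checking stays enabled.

```yaml
name: deploy_to_ec2
on:
  push:
    branches: [ master ]

jobs:
  deploy:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v2

      # umask 077 makes the key file 0600 (ansible/ssh reject world-readable keys),
      # and the secret arrives via an environment variable rather than being
      # interpolated into a command line that could end up in logs.
      - name: Materialise SSH key and host key
        run: |
          umask 077
          mkdir -p "$HOME/.ssh"
          printf '%s\n' "$SSH_KEY" > "$HOME/.ssh/deploy.pem"
          printf '%s\n' "$KNOWN_HOSTS" > "$HOME/.ssh/known_hosts"
        env:
          SSH_KEY: ${{ secrets.ssh_key }}            # the .pem contents, as in the question
          KNOWN_HOSTS: ${{ secrets.ec2_host_key }}   # assumed secret: one-time "ssh-keyscan 3.15.152.219" output

      # Pull the image the build job pushed and replace the running container.
      - name: Deploy latest image
        run: |
          ansible all -i '3.15.152.219,' -u ec2-user --private-key "$HOME/.ssh/deploy.pem" \
            -m shell -a 'set -e; docker pull vijinvv/helloworld:latest; docker rm -f helloworld || true; docker run -d --name helloworld -p 80:8080 vijinvv/helloworld:latest'

      # Remove the key even if the deploy step failed.
      - name: Remove SSH key
        if: always()
        run: rm -f "$HOME/.ssh/deploy.pem"
```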