I am trying to set up a test with pulling from GHCR in GitHub Actions.
According to the docs one shall use GITHUB_TOKEN.
So I have the following setup:

    name: CI
    on: push
    env:
      REGISTRY: ghcr.io
    jobs:
      test:
        runs-on: ubuntu-latest
        permissions:
          packages: read
        steps:
          - name: Log in to the Container registry
            uses: docker/login-action@v1
            with:
              registry: ${{ env.REGISTRY }}
              username: ${{ github.actor }}
              password: ${{ secrets.GITHUB_TOKEN }}
          - name: pull
            run: |
              docker pull ghcr.io/username/terraform-provider-skopeo/alpine:latest

The output of these steps is:
Logging into ghcr.io...
Login Succeeded!
and
Error response from daemon: unauthorized
Not really sure where the problem with authorization comes from.
You actually need to explicitly give the Repo's Actions permission: https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#upgrading-a-workflow-that-accesses-ghcrio
Necessary steps are:
1. Navigate to your package landing page.
2. In the left sidebar, click Actions access.
3. To ensure your container package has access to your workflow, you must add the repository where the workflow is stored to your container. Click Add repository and search for the repository you want to add.
   Note: Adding a repository to your container through the Actions access menu option is different than connecting your container to a repository. For more information, see "Ensuring workflow access to your package" and "Connecting a repository to a package."
4. Optionally, using the "role" drop-down menu, select the default access level that you'd like the repository to have to your container image.
5. Open your workflow file. On the line where you log in to ghcr.io, ensure to use ${{ secrets.GITHUB_TOKEN }} (replace PAT).

Note: Just linking the Package with the Repo is not enough.
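
The workflow-side half of the steps above can be checked mechanically. The following is an added example, not part of the original question or answer: a line-based audit that flags a ghcr.io login using anything other than GITHUB_TOKEN and a `permissions` block without a `packages` scope. The secret name `GHCR_PAT` and the function name are hypothetical, and the check cannot see the package's "Actions access" setting, which exists only in the package settings.

```python
import re

# The workflow from the question above, re-indented.
QUESTION_WORKFLOW = """\
name: CI
on: push
env:
  REGISTRY: ghcr.io
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      packages: read
    steps:
      - name: Log in to the Container registry
        uses: docker/login-action@v1
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
"""
# Constructed variant: a PAT secret (hypothetical name) and no packages scope.
PAT_WORKFLOW = (QUESTION_WORKFLOW
                .replace("secrets.GITHUB_TOKEN", "secrets.GHCR_PAT")
                .replace("packages: read", "contents: read"))

TOKEN_RE = re.compile(r"\$\{\{\s*(secrets\.GITHUB_TOKEN|github\.token)\s*\}\}")

def audit_ghcr_login(workflow):
    """Line-based audit (not a full YAML parser) of a workflow that uses ghcr.io."""
    if "ghcr.io" not in workflow:
        return []
    findings = []
    # Split on list items so every "- ..." step is inspected on its own.
    for step in re.split(r"(?m)^[ \t]*-[ \t]", workflow):
        if "docker/login-action" not in step:
            continue
        pw = re.search(r"(?m)^[ \t]*password:[ \t]*(.+?)[ \t]*$", step)
        if pw and not TOKEN_RE.search(pw.group(1)):
            findings.append("login password is %s, not GITHUB_TOKEN" % pw.group(1))
    # read-all / write-all shorthand already covers the packages scope.
    if re.search(r"(?m)^[ \t]*permissions:[ \t]*(read-all|write-all)[ \t]*$", workflow):
        return findings
    if not re.search(r"(?m)^[ \t]*permissions:", workflow):
        findings.append("no permissions block: package access follows the repository default")
    elif not re.search(r"(?m)^[ \t]*packages:[ \t]*(read|write)[ \t]*$", workflow):
        findings.append("permissions block omits packages, so GITHUB_TOKEN gets no package access")
    return findings

if __name__ == "__main__":
    for name, wf in (("question", QUESTION_WORKFLOW), ("pat", PAT_WORKFLOW)):
        print(name, audit_ghcr_login(wf) or "ok")
```

A clean result for the question's workflow matches what the answer describes: the file itself is fine, and the remaining `unauthorized` error comes from the package not yet granting the repository Actions access.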