Unable to login to GitHub Container Registry with GITHUB_TOKEN


I am trying to build and push a Docker image to GHCR (GitHub Container Registry).

Unfortunately, during the login process with the docker/login-action@v1 action, which uses GITHUB_TOKEN as the password, I received an error.

Error: Error response from daemon: Get "https://ghcr.io/v2/": denied: denied

The entire workflow YAML manifest:

name: Docker CI

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  build-push:
    name: Build and push Docker image to GitHub Container registry
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
    steps:
    - name: Checkout the repository
      uses: actions/checkout@v2

    - name: Login to GitHub Container registry
      env:
        GITHUB_USER: ${{ github.actor }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      uses: docker/login-action@v1
      with:
        registry: ghcr.io
        username: $GITHUB_USER
        password: $GITHUB_TOKEN

    - name: Build and Push Docker Image
      env:
        REGISTRY: ghcr.io
        OWNER: my-organization-name
        IMAGE_NAME: ${{ github.repository }}
      uses: docker/build-push-action@v2
      with:
        context: .
        file: ./docker/Dockerfile
        target: final
        push: true
        tags: |
          $REGISTRY/$OWNER/$IMAGE_NAME:$(date +%s)
        build-args: |
          ENVIRONMENT=production


UPDATES

Set up job stage.

Current runner version: '2.285.1'
Operating System
  Ubuntu
  20.04.3
  LTS
Virtual Environment
  Environment: ubuntu-20.04
  Version: 20211219.1
  Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20211219.1/images/linux/Ubuntu2004-README.md
  Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20211219.1
Virtual Environment Provisioner
  1.0.0.0-main-20211214-1
GITHUB_TOKEN Permissions
  Contents: read
  Metadata: read
  Packages: write
Secret source: Actions
Prepare workflow directory
Prepare all required actions
Getting action download info
Download action repository 'actions/checkout@v2' (SHA:ec3a7ce113134d7a93b817d10a8272cb61118579)
Download action repository 'docker/login-action@v1' (SHA:42d299face0c5c43a0487c477f595ac9cf22f1a7)
Download action repository 'docker/build-push-action@v2' (SHA:a66e35b9cbcf4ad0ea91ffcaf7bbad63ad9e0229)

Login to GitHub Container registry stage.

Run docker/login-action@v1
  with:
    registry: ghcr.io
    username: $GITHUB_USER
    password: $GITHUB_TOKEN
    ecr: auto
    logout: true
  env:
    GITHUB_USER: my-github-username
    GITHUB_TOKEN: ***
Logging into ghcr.io...
Error: Error response from daemon: Get "https://ghcr.io/v2/": denied: denied

NOTE

The repository I work with is private and belongs to the organization that I'm founding.

The GitHub documentation says that it is recommended to use GITHUB_TOKEN instead of a PAT. https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry

To authenticate to the Container registry within a GitHub Actions workflow, use the GITHUB_TOKEN for the best security and experience. If your workflow is using a personal access token (PAT) to authenticate to ghcr.io, then we highly recommend you update your workflow to use the GITHUB_TOKEN.

BEST ANSWER

The issue is trying to use an environment variable GITHUB_TOKEN as a password to which a secret ${{ secrets.GITHUB_TOKEN }} was assigned.

Since the secret ${{ secrets.GITHUB_TOKEN }} is assigned directly to the password, everything works fine.

name: Docker CI

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  build-push:
    name: Build and push Docker image to GitHub Container registry
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
    steps:
    - name: Checkout the repository
      uses: actions/checkout@v2

    - name: Login to GitHub Container registry
      uses: docker/login-action@v1
      env:
        GITHUB_USER: ${{ github.actor }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        registry: ghcr.io
        username: ${{ env.GITHUB_USER }}
        password: ${{ secrets.GITHUB_TOKEN }}

    - name: Build and Push Docker Image
      env:
        REGISTRY: ghcr.io
        OWNER: my-organization-name
        IMAGE_NAME: ${{ github.repository }}
      uses: docker/build-push-action@v2
      with:
        context: .
        file: ./docker/Dockerfile
        target: final
        push: true
        tags: |
          $REGISTRY/$OWNER/$IMAGE_NAME:$(date +%s)
        build-args: |
          ENVIRONMENT=production

Using env is still possible but the syntax is different.

Instead of this assignment

password: $GITHUB_TOKEN

This one should be used

password: ${{ env.GITHUB_TOKEN }}

If I understand it correctly, the first syntax can be used inside a workflow runner. In other cases, in a workflow file, the env context should be used.

https://docs.github.com/en/actions/learn-github-actions/environment-variables

To use the value of an environment variable in a workflow file, you should use the env context. If you want to use the value of an environment variable inside a runner, you can use the runner operating system's normal method for reading environment variables.
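
A check for the mistake discussed above, as an added example that is not part of the original question or answer: a small Python scan that flags `with:` inputs containing shell-style references (`$VAR`, `${VAR}`, `$(cmd)`), which are handed to the action as literal text, while ignoring `${{ ... }}` expressions and `run:` scripts. The function name and the sample workflow are constructed for illustration, and the scan is an indentation-based heuristic rather than a full YAML parser.

```python
import re

# Shell-style references; nothing expands these inside `with:` inputs.
SHELL_REF = re.compile(r"\$\(|\$\{(?!\{)|\$[A-Za-z_]\w*")
# Real Actions expressions, stripped before matching so they are not flagged.
EXPR = re.compile(r"\$\{\{.*?\}\}")

def find_literal_shell_refs(workflow_text):
    """Return (line_no, text) for each `with:` input line holding a shell-style reference."""
    findings = []
    with_indent = None  # indentation of the open `with:` key, None when outside one
    for no, raw in enumerate(workflow_text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if with_indent is not None and indent <= with_indent:
            with_indent = None  # a dedent closes the `with:` mapping
        if line.strip() == "with:":
            with_indent = indent
            continue
        if with_indent is not None and SHELL_REF.search(EXPR.sub("", line)):
            findings.append((no, line.strip()))
    return findings

# Constructed sample modelled on the workflow in the question.
SAMPLE = """\
steps:
  - name: Login
    uses: docker/login-action@v1
    env:
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    with:
      registry: ghcr.io
      username: ${{ github.actor }}
      password: $GITHUB_TOKEN
  - name: Build
    uses: docker/build-push-action@v2
    with:
      push: true
      tags: |
        $REGISTRY/$OWNER/$IMAGE_NAME:$(date +%s)
  - name: Show
    run: echo "$GITHUB_REF"
"""

if __name__ == "__main__":
    for no, text in find_literal_shell_refs(SAMPLE):
        print(f"line {no}: passed literally to the action: {text}")
```

The `run:` line is not reported because the runner's shell does expand `$GITHUB_REF` there; only values under `with:` are checked.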