Cannot push image to ghcr via workflow but cli works

[aptalca]

Hi,

I’m using a bot account to push images to ghcr.

When I use the pat created for the bot, I can log into ghcr and then successfully push image manually in cli.

But if I try to use the same user and pat in a github workflow, it fails with denied: permission_denied: write_package

In org settings, users are allowed to push packages as public, private and internal (@clarkbw had turned on the internal flag for our org). And the pat has the read and write package perms enabled.

With the same user/pat, cli push works just fine and the new package is marked internal as expected. But a push from workflow with the same credentials fails: https://github.com/linuxserver/docker-mods/runs/1338930900?check_suite_focus=true

Any ideas?

Thanks

[aptalca]

It turns out another org member had pushed the same package, which was private by default and was owned by that org member.

Since nobody else could even see the package as existing, we were very confused.

I think this default behavior of new packages being privately owned by the user uploading and not being visible to even the org owners is quite confusing.

[whitneyimura]

aptalca:

I think this default behavior of new packages being privately owned by the user uploading and not being visible to even the org owners is quite confusing.

👋 Hi there – Yes, we’ve received this feedback and are working on a fix to make this more intuitive for the end user. ❤️

[nemchik]

aptalca:

It turns out another org member had pushed the same package, which was private by default and was owned by that org member.

[halink0803]

I also got the same problem but mine is that I deleted the old repository and create a new one (with the same name). I cannot push the packages. I go to package tab in my profile and link the old package to the new repo but still cannot push even though I own both of them. I think you guys should fix it. Simple solution is change the target to push package to different name.

[danielhelfand]

I have also noticed this issue with deleting a repository and then recreating the repository with the same name. This is really relevant in the context of forking a repository. I personally debug/test my project’s release process using a fork of the project. This makes it very challenging for our current workflow if we need to rename the repository. Agreed there should be some kind of fix for this.

[ulidtko]

I’m affected by the same issue. The token evidently has the write:packages permission — but the push error is extremely confusing, claiming a misleading denied: permission_denied: write_package.

image548×817 51.4 KB

In my case, the workflow tries to publish to an Internal org-level Package (i.e. ghcr.io/PrivateOrg/haskell-stack-builder:tag). Neither updating an existing tag, nor pushing a new one works from Actions.

Pushing manually from CLI works OK.

halink0803:

Simple solution is change the target to push package to different name.

The “simplicity” of this solution vanishes real quick once you start having dozens of other Workflows using this Package.

[ulidtko]

From a user perspective, looks insistently like a bug in the permission system. For example, I keep getting this “permission denied” — even after gaining package admin role.

image1005×232 12.1 KB

It’s really really really easy to get confused.

In the end, I got it working with the help of our org admin (and, like, 15 test rebuilds).

What helped was this URL (only admin can open it):
https://github.com/orgs/PrivateOrg/packages/container/haskell-stack-builder/settings
— and then, granting the write:packages permission to the repo where the publishing Workflow runs — in my case, github.com/PrivateOrg/haskell-stack-builder.git:

image1077×122 5.2 KB

This has resolved the error for me.