"installation not allowed to Create organization package" when in an organization

[ChristopherRabotin]

Select Topic Area

Bug

Body

Hi there,

This is probably a permission bug somewhere that I just cannot seem to solve. I've been trying variations of the settings for hours now, to no avail.

In short: I cannot push a docker container to the github registry of the organization in which I'm the admin (and sole team member).

There are a few issues on the docker/build-push-action repo. The troubleshooting page recommends setting the build to create an image and later push it with containerd.

This eventually shows "installation not allowed to Create organization package" as the final step. A roadblock to any progress on this issue quite frankly.

First error in logs: https://github.com/nyx-space/nyx/actions/runs/5233821095/jobs/9449603475

time="2023-06-11T06:16:39Z" level=debug msg="fetch response received" digest="sha256:808110676375ceb5c6be2f9b6cac166bd6bda35d5de9166e7746b88dda7bfcfd" mediatype=application/vnd.oci.image.layer.v1.tar+gzip response.header.content-length=74 response.header.content-type=application/json response.header.date="Sun, 11 Jun 2023 06:16:39 GMT" response.header.docker-distribution-api-version=registry/2.0 response.header.x-github-request-id="E403:0D96:1E84B9A:2D1B650:648566C7" response.status="404 Not Found" size=41035254 url="https://ghcr.io/v2/nyx-space/nyx-fds/blobs/sha256:808110676375ceb5c6be2f9b6cac166bd6bda35d5de9166e7746b88dda7bfcfd"

Final error:

time="2023-06-11T06:16:40Z" level=debug msg="unexpected response" body="{\"errors\":[{\"code\":\"DENIED\",\"message\":\"installation not allowed to Create organization package\"}]}\n" digest="sha256:b23357f998c18fc6d138dbf23f1a4273847070e843f063ef8d89aa4b2dd6a3cc" mediatype=application/vnd.oci.image.config.v1+json resp="&{403 Forbidden 403 HTTP/1.1 1 1 map[Content-Length:[99] Content-Type:[application/json] Date:[Sun, 11 Jun 2023 06:16:40 GMT] Docker-Distribution-Api-Version:[registry/2.0] X-Github-Request-Id:[E40E:406C:1E25B7E:2CBB1C4:648566C8]] 0xc00007c400 99 [] false false map[] 0xc000334a00 0xc0003dafd0}" size=5525

From the referenced issues, I've checked multiple times that my permissions are set to be as free as possible, both in the repo and in the organization:

I also have no package on the repo, so I cannot set specific permissions for the package

Here is my yaml if that's of any help:

packaging:
    permissions: write-all
    runs-on: ubuntu-latest
    # needs: [linux] # Don't package if the tests fail.
    steps:
      - name: Check out code
        uses: actions/checkout@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
          buildkitd-flags: --debug

      - name: Cache Docker layers
        uses: actions/cache@v2
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      - name: Build development image
        run: docker build -f Dockerfile.dev -t nyx-build .

      - name: Run development container and build the package
        run: docker run --name nyx-builder nyx-build maturin build -F python --release

      - name: Copy built package from container to host
        run: docker cp nyx-builder:/app/target/wheels ./dist

      - name: Get short SHA
        id: short-sha
        run: echo "::set-output name=sha::$(echo ${GITHUB_SHA::8})"

      - name: Get the version
        id: get_version
        run: echo ::set-output name=VERSION::${GITHUB_REF#refs/tags/}

      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      
      - name: Build and push Docker image with built package
        uses: docker/build-push-action@v4
        with:
          context: .
          file: ./Dockerfile
          push: false
          tags: |
            ghcr.io/nyx-space/nyx-fds:${{ steps.short-sha.outputs.sha }}
            ghcr.io/nyx-space/nyx-fds:${{ github.ref == 'refs/heads/master' && 'latest' || steps.short-sha.outputs.sha }}
            ghcr.io/nyx-space/nyx-fds:${{ startsWith(github.ref, 'refs/tags/') && steps.get_version.outputs.VERSION || steps.short-sha.outputs.sha }}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache
          outputs: type=oci,dest=/tmp/image.tar
      -
        name: Import image in containerd
        run: |
          sudo ctr i import --base-name ghcr.io/nyx-space/nyx-fds:${{ steps.short-sha.outputs.sha }} --digests --all-platforms /tmp/image.tar
      -
        name: Push image with containerd
        run: |
          sudo ctr --debug i push --user "${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}" ghcr.io/nyx-space/nyx-fds:${{ steps.short-sha.outputs.sha }}

At this stage, any hint whatsoever would be helpful.

[cuihtlauac]

I was seeing the same error. This solved it for me:
https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-select-actions-and-reusable-workflows-to-run

Just gave write permission to actions

[ChristopherRabotin]

To follow-up, the issue I had was that I had to add permissions: write-all to the job! When I was having the issue with all of the screenshots, I hadn't placed permissions: write-all, but running the job exactly as I posted it above solved the issue. I'd been struggling with the problem for hours and didn't expect that to help.

[csukuangfj]

Thanks!

Adding

permissions: write-all

fixes the issue.

[e10harvey]

Note that one must also run the workflow from the default branch. Thank you for this thread.

[juliankoehn]

Instead of using 'write all,' you can restrict permissions more specifically, as documented here:

https://docs.github.com/en/actions/publishing-packages/publishing-docker-images#publishing-images-to-github-packages

  permissions:
      contents: read
      packages: write
      attestations: write
      id-token: write

[garyy7811]

I tried permission: write-all, not working for me.

But my case I'm using a token generated from Github App, still not able to find the way to add the permission.

Please help.

npm notice
npm notice Publishing to https://npm.pkg.github.com/ with tag latest and default access
npm http fetch PUT 403 https://npm.pkg.github.com/@xxx%2fxxx-YYYs 420ms
npm verb stack HttpErrorGeneral: 403 Forbidden - PUT https://npm.pkg.github.com/@xxx%2fxxx-YYYs - Permission permission_denied: installation not allowed to Write organization package
npm verb stack at /opt/hostedtoolcache/node/18.18.2/x64/lib/node_modules/npm/node_modules/npm-registry-fetch/lib/check-response.js:95:15
npm verb stack at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
npm verb stack at async publish (/opt/hostedtoolcache/node/18.18.2/x64/lib/node_modules/npm/node_modules/libnpmpublish/lib/publish.js:54:17)
npm verb stack at async otplease (/opt/hostedtoolcache/node/18.18.2/x64/lib/node_modules/npm/lib/utils/otplease.js:4:12)
npm verb stack at async Publish.exec (/opt/hostedtoolcache/node/18.18.2/x64/lib/node_modules/npm/lib/commands/publish.js:123:7)
npm verb stack at async module.exports (/opt/hostedtoolcache/node/18.18.2/x64/lib/node_modules/npm/lib/cli-entry.js:61:5)
npm verb statusCode 403
npm verb pkgid @xxx/xxx-YYYs@0.0.14
npm verb cwd /home/runner/work/odmd-app-YYYs/odmd-app-YYYs
npm verb Linux 6.2.0-1016-azure
npm verb node v18.18.2
npm verb npm v9.8.1
npm ERR! code E403
npm ERR! 403 403 Forbidden - PUT https://npm.pkg.github.com/@xxx%2fxxx-YYYs - Permission permission_denied: installation not allowed to Write organization package
npm ERR! 403 In most cases, you or one of your dependencies are requesting
npm ERR! 403 a package version that is forbidden by your security policy, or
npm ERR! 403 on a server you do not have access to.
npm verb exit 1
npm verb code 1

[mr-pinzhang]

same issue +1

[EduardSchwarzkopf]

IMO write-all is a bit overpermissive. For me using package: write did the trick

...
    permissions:
      packages: write
...