GITHUB_TOKEN 在 github 工作流程中构建和推送 docker 时写入包的权限被拒绝
GITHUB_TOKEN permission denied write package when build and push docker in github workflows
我有一个 Github 组织并尝试将容器注册表从 docker hub 迁移到 GitHub Packages。通过使用 Github 工作流程,这是我用来将 docker 推送到 GitHub Packages 的 yaml:
name: ghcr_test
on:
push:
branches:
- dev
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Login to GitHub Packages
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push Docker image
uses: docker/build-push-action@v2
with:
context: .
push: true
tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
GitHub 建议在操作工作流程中使用 GITHUB_TOKEN,我已经仔细检查它在我的组织设置中是否具有读写权限,但他们给了我这个错误
Error: buildx failed with: error: denied: permission_denied: write_package
有什么帮助吗?
检查这是否与actions/runner issue 1039
有关
Seems like GITHUB_TOKEN works only on default branch... You need to use custom PAT when running on PR branches
还要检查这是否类似于 this discussion:
It turns out another org member had pushed the same package, which was private by default and was owned by that org member.
Since nobody else could even see the package as existing, we were very confused.
I think this default behavior of new packages being privately owned by the user uploading and not being visible to even the org owners is quite confusing.
如果没有,请尝试像 那样手动进行推送,以验证您的令牌(使用 docker login -u USERNAME -p TOKEN ghcr.io,然后是 docker push)。 GitHub 操作可能会起作用。
正如 https://github.community/t/unable-to-push-to-ghcr-io-from-github-actions/191761 中所指出的,默认包访问设置将根据该容器的第一个映像的推送方式而有所不同:
直接使用 PAT 推送(至少从 Actions 之外)不会分配存储库访问权限。因此,您需要单独转到各个包的 package settings 并为存储库添加 Actions 访问权限。
如果第一次推送发生在工作流中(使用 GITHUB_TOKEN),则源存储库链接和操作访问默认配置为运行工作流的存储库。
删除手动推送的包并重新运行工作流程。
我想你可能需要在这里做两件事:
- 首先,确保包设置(包页面右下角)允许访问相关存储库中的操作运行
- 其次,确保您已将包权限添加到您的作业中
第二个涉及将此代码段添加到您的工作流作业中(请注意,如果您只拉取一个容器,则可以读取此权限):
permissions:
packages: write
在您的工作流程上下文中:
name: ghcr_test
on:
push:
branches:
- dev
jobs:
deploy:
runs-on: ubuntu-latest
permissions:
packages: write
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Login to GitHub Packages
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push Docker image
uses: docker/build-push-action@v2
with:
context: .
push: true
tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
我遇到了类似的问题,最终偶然发现了该权限,突然间一切都开始工作了。希望它也适合你。
如果您要从 PAT 移动到 GITHUB_TOKEN,您可能需要先删除包!
我按照此处的说明进行操作,请参阅“升级访问 ghcr.io 的工作流”:
https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions
这适用于前两个存储库,但在第三个存储库上我必须先删除包才能使其工作。
我有一个 Github 组织并尝试将容器注册表从 docker hub 迁移到 GitHub Packages。通过使用 Github 工作流程,这是我用来将 docker 推送到 GitHub Packages 的 yaml:
name: ghcr_test
on:
push:
branches:
- dev
jobs:
deploy:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Login to GitHub Packages
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push Docker image
uses: docker/build-push-action@v2
with:
context: .
push: true
tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
GitHub 建议在操作工作流程中使用 GITHUB_TOKEN,我已经仔细检查它在我的组织设置中是否具有读写权限,但他们给了我这个错误
Error: buildx failed with: error: denied: permission_denied: write_package
有什么帮助吗?
检查这是否与actions/runner issue 1039
有关Seems like GITHUB_TOKEN works only on default branch... You need to use custom PAT when running on PR branches
还要检查这是否类似于 this discussion:
It turns out another org member had pushed the same package, which was private by default and was owned by that org member.
Since nobody else could even see the package as existing, we were very confused.I think this default behavior of new packages being privately owned by the user uploading and not being visible to even the org owners is quite confusing.
如果没有,请尝试像 docker login -u USERNAME -p TOKEN ghcr.io,然后是 docker push)。 GitHub 操作可能会起作用。
正如 https://github.community/t/unable-to-push-to-ghcr-io-from-github-actions/191761 中所指出的,默认包访问设置将根据该容器的第一个映像的推送方式而有所不同:
直接使用 PAT 推送(至少从 Actions 之外)不会分配存储库访问权限。因此,您需要单独转到各个包的 package settings 并为存储库添加 Actions 访问权限。
如果第一次推送发生在工作流中(使用 GITHUB_TOKEN),则源存储库链接和操作访问默认配置为运行工作流的存储库。
删除手动推送的包并重新运行工作流程。
我想你可能需要在这里做两件事:
- 首先,确保包设置(包页面右下角)允许访问相关存储库中的操作运行
- 其次,确保您已将包权限添加到您的作业中
第二个涉及将此代码段添加到您的工作流作业中(请注意,如果您只拉取一个容器,则可以读取此权限):
permissions:
packages: write
在您的工作流程上下文中:
name: ghcr_test
on:
push:
branches:
- dev
jobs:
deploy:
runs-on: ubuntu-latest
permissions:
packages: write
steps:
- name: Checkout
uses: actions/checkout@v2
- name: Login to GitHub Packages
uses: docker/login-action@v1
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push Docker image
uses: docker/build-push-action@v2
with:
context: .
push: true
tags: ghcr.io/${{ github.repository }}:${{ github.sha }}
我遇到了类似的问题,最终偶然发现了该权限,突然间一切都开始工作了。希望它也适合你。
如果您要从 PAT 移动到 GITHUB_TOKEN,您可能需要先删除包!
我按照此处的说明进行操作,请参阅“升级访问 ghcr.io 的工作流”: https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions
这适用于前两个存储库,但在第三个存储库上我必须先删除包才能使其工作。