Comments (12)

mr-smithers-excellent commented on August 19, 2024 1

@marksalpeter no problem at all!

You are exactly correct. At the end of the day this seems to be a permissions issue with the default GITHUB_TOKEN they provide in Actions. I was not able to successfully push images to ghcr.io using this token because it lacks "create organization package" permissions. I have not been unable to find a bug report or suggestion that GitHub might change their permissions scheme for this token.

So essentially you're faced with two solutions:

  1. Using the default GITHUB_TOKEN, push the image to the repo level with docker.pkg.github.com
  2. Add your own personal access token as a secret and push the image to the org level with ghcr.io

from docker-build-push.
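
An added example, not part of the thread or of the docker-build-push project: a small Python lint that flags the combination this comment reports as failing (`registry: ghcr.io` with the default `GITHUB_TOKEN` as password) and accepts the two workarounds listed above. The sample workflow is constructed from the step quoted elsewhere in this thread; the step names other than "Docker Build & Push" and the secret name `GHCR_PAT` are hypothetical, and the parser is a flat line-based reader, not a full YAML parser.

```python
import re

STEP_START = re.compile(r"^\s*-\s+(.*)$")  # a "- name: ..." line opens a step
KEY_VALUE = re.compile(r"^\s*([\w-]+):\s*(\S.*?)\s*$")
# Case-insensitive: the quoted workflow also writes secrets.github_token.
DEFAULT_TOKEN = re.compile(r"\$\{\{\s*secrets\.GITHUB_TOKEN\s*\}\}", re.I)

# Constructed sample (image/tags/username inputs omitted for brevity).
# GHCR_PAT is a hypothetical secret holding a personal access token.
WORKFLOW = """\
jobs:
  version:
    steps:
      - name: Docker Build & Push
        uses: mr-smithers-excellent/docker-build-push@v5
        with:
          registry: ghcr.io
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Push to legacy registry
        uses: mr-smithers-excellent/docker-build-push@v5
        with:
          registry: docker.pkg.github.com
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Push with PAT
        uses: mr-smithers-excellent/docker-build-push@v5
        with:
          registry: ghcr.io
          password: ${{ secrets.GHCR_PAT }}
"""

def parse_steps(workflow_text):
    """Return one dict of key/value pairs per '- ' list item."""
    steps = []
    for line in workflow_text.splitlines():
        start = STEP_START.match(line)
        if start:
            steps.append({})
            line = start.group(1)  # keep parsing the rest of the "- " line
        pair = KEY_VALUE.match(line)
        if pair and steps:  # ignore keys that appear before the first step
            steps[-1][pair.group(1)] = pair.group(2)
    return steps

def find_ghcr_default_token(workflow_text):
    """Names of steps that push to ghcr.io with the default GITHUB_TOKEN."""
    return [step.get("name", "<unnamed step>")
            for step in parse_steps(workflow_text)
            if step.get("registry") == "ghcr.io"
            and DEFAULT_TOKEN.search(step.get("password", ""))]
```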

mr-smithers-excellent commented on August 19, 2024

Hi @marksalpeter - thanks for the kind words!

If I understand your use case properly, this is certainly possible. Can you share the snippet of your workflow .yaml file with the Docker build config? Does this repo live in your personal GitHub (marksalpeter)? Is this also where you want the resulting Docker image to end up?

marksalpeter commented on August 19, 2024

Hi @mr-smithers-excellent! Thanks for taking the time.

My repo lives on my personal GitHub account (marksalpeter) and, yes, I'd like the resulting image to end up on my personal account as well. Here's the cd workflow so far in its entirety:

name: cd

on:
  pull_request:
    types: [closed]
    branches: [main]

jobs:
  version:
    runs-on: ubuntu-latest
    if: github.event_name == 'pull_request' && github.event.pull_request.merged == true
    steps:
      - name: Checkout Repo
        uses: actions/checkout@v2

      - name: Increment Version + Generate Changelog
        id: changelog
        uses: TriPSs/conventional-changelog-action@v3
        with:
          github-token: ${{ secrets.github_token }}
          skip-version-file: true
          output-file: false
          skip-commit: true

      - name: Create Release
        uses: actions/create-release@v1
        env:
          GITHUB_TOKEN: ${{ secrets.github_token }}
        with:
          tag_name: ${{ steps.changelog.outputs.tag }}
          release_name: ${{ steps.changelog.outputs.tag }}
          body: ${{ steps.changelog.outputs.clean_changelog }}

      - name: Docker Build & Push
        uses: mr-smithers-excellent/docker-build-push@v5
        with:
          image: marksalpeter/golang-microservice-boilerplate
          tags: ${{ steps.changelog.outputs.tag }}, latest
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

mr-smithers-excellent commented on August 19, 2024

@marksalpeter - thanks, I've finally figured this out through adding some e2e tests (forthcoming). Currently, I'm expecting the GHCR url to be docker.pkg.github.com, not ghcr.io. Can you try switching your registry param to that?

I fully realize that's what's in the docs, so I'll be ensuring that works in a new release with e2e tests this evening. Stay tuned.

mr-smithers-excellent commented on August 19, 2024

At some point since I added GitHub Docker registry support, GitHub migrated to a new container registry. I've been able to patch the v5 code to support both legacy docker.pkg.github.com and new ghcr.io images.

The key difference between the two is where your images reside. For example:

  • Docker registry - docker.pkg.github.com/OWNER/REPOSITORY/IMAGE_NAME (lives at repo level)
  • Container registry - ghcr.io/OWNER/IMAGE_NAME (lives at org level)

I've added e2e tests and updated examples for both scenarios, if you'd like to consider both options. One key thing to keep in mind, I was only able to push to ghcr.io using a custom personal access token. The default one provided in the workflow (secrets.GITHUB_TOKEN) does not seem to have the needed permissions to create a package at the organizational level.

laopaoer-wallet commented on August 19, 2024

Same issue

mr-smithers-excellent commented on August 19, 2024

@laopaoer-wallet - can you provide a snippet of your config?

marksalpeter commented on August 19, 2024

@mr-smithers-excellent Thanks for getting to the bottom of this!

I think the new container registry pattern looks good to me. I can’t imagine needing more than one container per repo and I could easily make a parallel naming structure that would satisfy my OCD 😂.

The need for a custom key must be at least part of the reason why I wasn’t able to push before. Is that a bug on GitHub’s end? If I recall correctly, their docs seem to suggest that secrets.GITHUB_TOKEN has permission to push.

Anyway I’ll try the patch first thing tomorrow. Thanks again for all the hard work 🙏🏻

marksalpeter commented on August 19, 2024

A quick update about the GITHUB_TOKEN debacle. They seem to be planning to release a patch that enables workflow token support for ghcr.io mid-March according to this thread:
https://github.community/t/how-to-use-installation-access-token-in-ghcr-io-authorization/130666/13

mr-smithers-excellent commented on August 19, 2024

Super helpful. Hard to navigate those forums - good find!

marksalpeter commented on August 19, 2024

Yea, I left a comment about that on the thread 😂

marksalpeter commented on August 19, 2024

So, I'm going to close this ticket. I think it's resolved as it can be for now. Thanks for all the help @mr-smithers-excellent 🙏
