devcontainers / action

GitHub Action to build & publish your own dev container assets
https://containers.dev
MIT License

Permission denied during publish feature when putting manifest for tag #180

Open phillies opened 1 year ago

phillies commented 1 year ago

I am trying to publish a feature, but I receive an error that the permission for putting a tag is denied.

[2023-05-10T16:35:29.313Z] @devcontainers/cli 0.41.0. Node.js v18.16.0. linux 5.15.0-1037-azure x64.
[2023-05-10T16:35:29.313Z] Packaging feature collection...
[2023-05-10T16:35:29.315Z] Processing feature: xxx...
[2023-05-10T16:35:29.331Z] Packaged 1 features!
[2023-05-10T16:35:29.332Z] Processing feature: xxx...
[2023-05-10T16:35:29.332Z] Fetching published versions...
[2023-05-10T16:35:29.530Z] Publishing versions: 1,1.0,1.0.0,latest...
[2023-05-10T16:35:29.532Z] sha256:4fe7edad8512422c90f2d4448d187de7598c6985e5a1d2b8b8a06277a722199b (size: 6144)
[2023-05-10T16:35:29.532Z] Computed Content-Digest ->  sha256:6cf53cd32f1f5025a601586967323dd3cdf574ce6b0df268e564f6a09d38775b (size: 64)
[2023-05-10T16:35:29.838Z] Starting PUT of tgzLayer blob 'sha256:4fe7edad8512422c90f2d4448d187de7598c6985e5a1d2b8b8a06277a722199b' (size=6144)
[2023-05-10T16:35:30.606Z] Tagged: 1 -> /v2/xxx/manifests/sha256:6cf53cd32f1f5025a601586967323dd3cdf574ce6b0df268e564f6a09d38775b
[2023-05-10T16:35:30.754Z] Failed to PUT manifest for tag 1.0
{
    "errors": [
        {
            "code": "DENIED",
            "message": "permission_denied: write_package"
        }
    ]
}
[2023-05-10T16:35:30.754Z] (!) ERR: Failed to publish feature: 'xxx'
[2023-05-10T16:35:30.754Z] (!) ERR: Failed to publish 'xxx'

The package setting is public and the workflow has r/w permissions and has the permission to create PRs.

phillies commented 1 year ago

Setting disable-repo-tagging: "true" lets the build pass

bamurtaugh commented 1 year ago

cc @joshspicer @samruddhikhandale

joshspicer commented 1 year ago

Hm, from this log I wouldn't have expected disable-repo-tagging to have changed anything. That flag is what adds in the git tags during publishing (example)

Is the namespace you're attempting to publish the Features to the same as the owner/repo? Can you share the action yaml checked into your repo?

alexanderilyin commented 3 months ago

I'm getting similar errors:

GITHUB_TOKEN Permissions
  Packages: write
...
Run devcontainers/action@v1
Validating Feature metadata...
strict mode: use allowUnionTypes to allow union type keyword at "#/properties/onCreateCommand" (strictTypes)
strict mode: use allowUnionTypes to allow union type keyword at "#/properties/onCreateCommand/additionalProperties" (strictTypes)
strict mode: use allowUnionTypes to allow union type keyword at "#/properties/updateContentCommand" (strictTypes)
strict mode: use allowUnionTypes to allow union type keyword at "#/properties/updateContentCommand/additionalProperties" (strictTypes)
strict mode: use allowUnionTypes to allow union type keyword at "#/properties/postCreateCommand" (strictTypes)
strict mode: use allowUnionTypes to allow union type keyword at "#/properties/postCreateCommand/additionalProperties" (strictTypes)
strict mode: use allowUnionTypes to allow union type keyword at "#/properties/postStartCommand" (strictTypes)
strict mode: use allowUnionTypes to allow union type keyword at "#/properties/postStartCommand/additionalProperties" (strictTypes)
strict mode: use allowUnionTypes to allow union type keyword at "#/properties/postAttachCommand" (strictTypes)
strict mode: use allowUnionTypes to allow union type keyword at "#/properties/postAttachCommand/additionalProperties" (strictTypes)
Publishing Features...
Fetching the latest @devcontainer/cli...
/usr/local/bin/devcontainer features publish -r ghcr.io -n deep-space-cartel/devcontainers-features ./src
[2024-08-22T07:35:23.647Z] @devcontainers/cli 0.68.0. Node.js v18.20.4. linux 6.5.0-1025-azure x64.
[2024-08-22T07:35:23.647Z] Packaging feature collection...
[2024-08-22T07:35:23.649Z] Processing feature: starship...
[2024-08-22T07:35:23.664Z] Packaged 1 features!
[2024-08-22T07:35:23.665Z] Processing feature: starship...
[2024-08-22T07:35:23.665Z] Fetching published versions...
[2024-08-22T07:35:23.863Z] Publishing tags: 1,1.1,1.1.0,latest...
[2024-08-22T07:35:23.864Z] Data layer digest: sha256:2f18f672f116b1ee0415837f3f530edf316d6fd87859069b328509aa035bfb8b (archive size: 7168)
[2024-08-22T07:35:23.865Z] Computed content digest from manifest: sha256:2773ad376abd27ecf5eb39abc06e20b85767bc33eaef17081d5e995655cc88fb
[2024-08-22T07:35:24.098Z] https://ghcr.io/v2/deep-space-cartel/devcontainers-features/starship/blobs/uploads/: Unexpected status code '403' 
{
    "errors": [
        {
            "code": "DENIED",
            "message": "permission_denied: write_package"
        }
    ]
}
[2024-08-22T07:35:24.098Z] Failed to get upload session ID
[2024-08-22T07:35:24.098Z] (!) ERR: Failed to publish feature: 'ghcr.io/deep-space-cartel/devcontainers-features/starship'
[2024-08-22T07:35:24.098Z] (!) ERR: Failed to publish 'ghcr.io/deep-space-cartel/devcontainers-features/starship'
Error: The process '/usr/local/bin/devcontainer' failed with exit code 1
Error: (!) Failed to publish Features.

Was able to release from CLI:

devcontainer features publish -r ghcr.io -n deep-space-cartel/devcontainers-features ./src

It only worked with a personal access token (classic); fine-grained personal access tokens (Beta) did not work, and both tokens had all permissions selected. It feels like it is some kind of problem on GH with the 1st release in a project.

alexanderilyin commented 3 months ago

Maybe I'm doing something wrong and need to read those docs?

For now I was able to publish the package using devcontainer features publish and then manually link the repository to the packages.

GH Workflow still fails even after manual release.

P.S. Found that I can enable Package settings - Manage Actions access, but even giving Admin didn't help to fix the Action.