docker / login-action

GitHub Action to login against a Docker registry
https://github.com/marketplace/actions/docker-login
Apache License 2.0

Fine-grained personal access tokens #331

Open waldirborbajr opened 1 year ago

waldirborbajr commented 1 year ago

Behaviour

I've created a PAT from the Beta Fine-grained token option, marked ALL User and Repository permission options as READ-WRITE, and copied the generated token.

In my project repository I've created an Action Token called GH_PAT and copied in the token generated from Fine-grained, then executed the action to generate a deploy to GHCR.io.

After that I executed that action to deploy, but I got a permission error when the action tries to deploy to GHCR.io.

With the Classic version of the token, Token (Classic), it works perfectly without errors.

Repository permissions

User Permission

Action to deploy

  - name: "Login to GitHub Container Registry"
    uses: docker/login-action@v1
    with:
      registry: ghcr.io
      username: ${{ github.repository_owner }}
      password: ${{ secrets.GH_PAT }}

Steps to reproduce this issue

  1. Generate a Fine-grained token with ALL permissions set to READ-WRITE
  2. Generate a Project PAT with the token generated from Fine-grained
  3. Try to deploy

Expected behaviour

Tell us what should happen

Should have made the deploy to GHCR.io

Actual behaviour

Tell us what happens instead

• publishing
• docker images
• pushing image=ghcr.io//kvstok:0.2.1-arm64
⨯ release failed after 1m20s error=docker images: failed to publish artifacts: failed to push ghcr.io//kvstok:0.2.1-arm64: exit status 1: The push refers to repository [ghcr.io/*/kvstok]
4a793d9ee315: Preparing
ff8e7336f73c: Preparing
c4d4f60bd31b: Preparing
de51348d431b: Preparing
denied: permission_denied: The token provided does not match expected scopes.

Error: The process '/opt/hostedtoolcache/goreleaser-action/1.12.3/x64/goreleaser' failed with exit code 1

Configuration

# paste your YAML workflow file here and remove sensitive data
name: Build & Release

on:
  push:
    tags:
      - 'v*'

permissions:
  contents: write # needed to write releases
  id-token: write # needed for keyless signing
  packages: write # needed for ghcr access
  issues: write

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"

    steps:
      - name: "Checkout"
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: "Fetch all tags"
        run: git fetch --force --tags

      - name: "Setup Go"
        uses: actions/setup-go@v3
        with:
          go-version: ">=1.19.0"
          cache: true

      - name: "Setup Qemu"
        uses: docker/setup-qemu-action@v2

      - name: "Setup Docker BuildX"
        uses: docker/setup-buildx-action@v2

      - name: "Login to DockerHub"
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: "Login to GitHub Container Registry"
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GH_PAT }}

      - name: "Release a new version"
        id: release
        uses: goreleaser/goreleaser-action@v3
        if: success() && startsWith(github.ref, 'refs/tags/')
        with:
          distribution: goreleaser
          version: latest
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT }}

Logs

Download the log file of your build and attach it to this issue. logs_429.zip

boxofyellow commented 1 year ago

@waldirborbajr I know this is an old issue, but I wanted to call out this part of GitHub Packages documentation https://docs.github.com/en/packages/learn-github-packages/about-permissions-for-github-packages#about-scopes-and-permissions-for-package-registries

GitHub Packages only supports authentication using a personal access token (classic). For more information, see "Creating a personal access token."
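
A preflight check built on the documentation quoted above, as an added example that is not part of this thread or of docker/login-action: it classifies the secret by GitHub's token prefix so a fine-grained PAT fails fast with a clear message instead of surfacing as `permission_denied` at push time. The function names and the `GHCR_TOKEN` variable are assumptions made for the example.

```shell
#!/bin/sh
# Added example: preflight for the secret handed to a ghcr.io login step.
# Function names and GHCR_TOKEN are hypothetical; the prefixes are GitHub's
# published token formats. The token itself is never printed.

token_kind() {
  # An undefined Actions secret expands to the empty string.
  [ -n "$1" ] || { echo empty; return; }
  # Whitespace (often a pasted trailing newline) breaks authentication.
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "$1" ] || { echo malformed; return; }
  case "$1" in
    github_pat_*)      echo fine-grained-pat ;;
    ghp_*)             echo classic-pat ;;
    ghs_*)             echo installation-token ;;  # includes the workflow GITHUB_TOKEN
    gho_*|ghu_*|ghr_*) echo oauth-or-user-token ;;
    *)
      # Classic PATs issued before prefixes existed: 40 lowercase hex chars.
      if [ "${#1}" -eq 40 ]; then
        case "$1" in *[!0-9a-f]*) echo unknown ;; *) echo legacy-classic-pat ;; esac
      else
        echo unknown
      fi ;;
  esac
}

# Status: 0 usable for ghcr.io, 2 fine-grained PAT (the case in this issue),
# 1 anything else that needs a closer look.
ghcr_preflight() {
  case "$(token_kind "$1")" in
    classic-pat|legacy-classic-pat)
      echo "ok: classic PAT; confirm it carries the write:packages scope" ;;
    installation-token)
      echo "ok if this is GITHUB_TOKEN and the job grants 'packages: write'" ;;
    fine-grained-pat)
      echo "reject: fine-grained PAT; GitHub Packages accepts classic PATs only" >&2
      return 2 ;;
    *)
      echo "reject: empty, malformed or unrecognised credential" >&2
      return 1 ;;
  esac
}

# Run as a step before docker/login-action with the secret exported as GHCR_TOKEN.
if [ -n "${GHCR_TOKEN+set}" ]; then
  ghcr_preflight "$GHCR_TOKEN"
fi
```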