E

Inquiry about GitHub and Docker permissions

Summary

The user is inquiring about the necessity of logging into both GitHub Container Registry and Docker Hub for their GitHub action, referencing a requirement from Earthly's site to avoid rate-limiting when pulling public images. They are experiencing a "Build error: failed to SAVE IMAGE," which they suspect is due to their GitHub token lacking sufficient permissions for pushing images to the Docker repository. The user has granted the token permissions for deleting packages, repository access, workflow, and writing packages, and they confirm it is a classic GitHub token. They express confusion about the error mentioning "organization," as they are pushing the image as an individual user, not to an organization, and seek clarification on the purpose of the --org flag, questioning if it is solely to specify the Earthly organization.

Status
resolved
Tags
  • Earthly
  • GitHub
  • Docker
  • Permissions
  • GitHub
  • Docker
Source
#earthly
    k

    kingboscop

    9/20/2024

    <@U06LRKHRZFH> Build error: failed to SAVE IMAGE: failed to push <http://ghcr.io/|ghcr.io/>&lt;my-gh-username&gt;/&lt;my-repo&gt;:master: unexpected status from POST request to <https://ghcr.io/v2/>&lt;my-gh-username&gt;/&lt;my-repo&gt;/blobs/uploads/: 403 Forbidden body={"errors":[{"code":"DENIED","message":"installation not allowed to Write organization package"}]}

    p

    pjbecotte

    9/20/2024

    What is the error message?

    k

    kingboscop

    9/18/2024

    Also, don't I need to login to both ghcr and Docker Hub? On Earthly's site it says I need to be logged into Docker Hub so that I don't get rate-limited when pulling public images such alpine.. But how can I login to both in my GH action?

    k

    kingboscop

    9/20/2024

    I'm wondering why the error mentions "organization", that makes me think the error didn't come from GitHub, because I'm pushing the image as my own user, not to an org. The --org flag is only to specify the Earthly organization, right?

    k

    kingboscop

    9/20/2024

    <@U035VU5K46Q> Thanks for your reply, I really appreciate your help, I've been spending a lot of time trying to make this work :sweat_smile: Are you sure this error is returned by ghcr? Because I did give that token the permissions delete:packages, repo, workflow, write:packages , so it should be able to write packages.. Btw, it's a classic GitHub token, that's what it should be, right?

    p

    pjbecotte

    9/18/2024

    You can run docker login more than once with different hostnames

    n

    nacho

    9/18/2024

    > don't I need to login to both ghcr and Docker Hub? you should login into the registry you are pulling/pushing from/to

    About the Build error: failed to SAVE IMAGE, this error is returned by the Github docker registry, and it looks to me like your GH token doesn't have enough permissions to push your image to that docker repo.

    https://github.com/orgs/community/discussions/57724