raise ghcr unexpected status: 403 Forbidden when push ghcr image

[Yikun]

Troubleshooting

Behaviour

We didn't change any configuration before and after this error happened, same ghcr container image had permisson issue.

Steps to reproduce this issue

Expected behaviour

push successfully

Actual behaviour

#33 [auth] yikun/apache-spark-ci-image:pull,push token for ghcr.io
#33 DONE 0.0s

#32 exporting to image
#32 ...

#34 [auth] apache/spark/apache-spark-github-action-image-cache:pull yikun/apache-spark-ci-image:pull,push token for ghcr.io
#34 DONE 0.0s

#32 exporting to image
#32 pushing layers 1.5s done
#32 ERROR: unexpected status: 403 Forbidden
------
 > exporting to image:
------
ERROR: failed to solve: unexpected status: 403 Forbidden
Error: buildx failed with: ERROR: failed to solve: unexpected status: 403 Forbidden

Configuration

• Repository URL (if public):
• Build URL (if public):

# paste your YAML workflow file here and remove sensitive data

Logs

https://github.com/Yikun/spark/runs/8221889583?check_suite_focus=true

[Yikun]

same issue are also happend in different developers:

• https://github.com/grundprinzip/spark/runs/8220478349?check_suite_focus=true
• https://github.com/panbingkun/spark/runs/8221478433?check_suite_focus=true

[Yikun]

apache/spark#37745 (comment)

We can confirm that:

and

and

We can only recover this by create a new image.

[Yikun]

OK....Related incidents: https://www.githubstatus.com/incidents/d181frs643d4

[Yikun]

After incidents is resolved, it worked as expected again.

Let me close this issue.

[Yikun]

@crazy-max this issue happened again....

[cyclinder]

Same issue for me..

[Yikun]

https://github.com/orgs/community/discussions/32184 and https://downdetector.com/status/github/ also mentioned it

[ErikJiang]

😂I've been tormented by this problem for two days.

docker/build-push-action@v3.1.1

[f-strieg]

I'm working on a monorepo and I get the same error for 1 out of 3 identical workflows. Individual re-running the failed job doesn't help either.

[crazy-max]

Sorry but we can't do much about it as it's related to GitHub infrastructure. Same as #651. Suggest to contact GitHub.

[rewlad]

For me, relinking package to repo has fixed 403:

https://github.com/orgs/community/discussions/26274#discussioncomment-3251137

[danquack]

@crazy-max this seems to be happening for https://github.com/MinimalCompact/thumbor as well. More context and repository screenshots here as following the guidance in this issue: MinimalCompact/thumbor#123. Do you have any advice?

[Anmol1696]

Facing this issue again. Is there no fix for this?

[mneira10]

Same here

[Anmol1696]

Retry seems to work, but this still should be solved properly.

[BenedekKoncz]

same here with docker/build-push-action@v4

[dhedegaard-digisense]

What seem to solve it for me is adding an explicit permissions section to the workflow yml file:

    permissions:
      contents: read
      packages: write

Hope this helps someone else out there 😅

[RamziRebai]

What seem to solve it for me is adding an explicit permissions section to the workflow yml file:

    permissions:
      contents: read
      packages: write

Hope this helps someone else out there 😅

Thank you very much, It's worked for me

[RamziRebai]

It's working fine with me, I hope it will work you guys

This is my buildx.yaml file (You don't need to change anything):

`name: BuildX

#This is a basic workflow to help you get started with Action

#Controls when the workflow will run
on:
#Triggers the workflow on push or pull request events but only for the "main" branch
push:
branches: [ "main" ]
pull_request:
branches: [ "main" ]

#Allows you to run this workflow manually from the Actions tab
workflow_dispatch:

#A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
#This workflow contains a single job called "build"
build:
#The type of runner that the job will run on
runs-on: ubuntu-latest
permissions:
contents: read
packages: write

#Steps represent a sequence of tasks that will be executed as part of the job
steps:
  #Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
  - uses: actions/checkout@v3

  - name: Set up Docker Buildx
    uses: docker/setup-buildx-action@v1

  - name: Log in to GitHub container registry
    uses: docker/login-action@v1.10.0
    with:
      registry: ghcr.io
      username: ${{ github.actor }}
      password: ${{ github.token }}

  - name: Lowercase the repo name and username
    run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}

  - name: Build and push container image to registry
    uses: docker/build-push-action@v2
    with:
      push: true
      tags: ghcr.io/${{ env.REPO }}:${{ github.sha }}
      file: ./Dockerfile`

and this is my repository : https://github.com/RamziRebai/CI-CD_with_fastapi_HF_Translator

[louisnow]

None of the aforementioned fixes worked for me.

However, what did work was disabling logout from the docker login action as mentioned here, https://news.ycombinator.com/item?id=28607735

      - name: Login to GitHub Registry
        uses: docker/login-action@v3
        with:
          logout: false

It turns out that the issue isn't with GHCR, permissions, etc, it's solely with the action logging us out before the image is pushed.

[crazy-max]

It turns out that the issue isn't with GHCR, permissions, etc, it's solely with the action logging us out before the image is pushed.

Logout is done at post step of the pipeline not between so it should not be the issue you encounter. OTOH if you're using a self-hosted runner, see docker/login-action#173 (comment).