raise ghcr unexpected status: 403 Forbidden when push ghcr image #687

Closed
Yikun opened this issue Sep 7, 2022 · 21 comments · Fixed by TriliumNext/Notes#423

Yikun commented Sep 7, 2022

Troubleshooting

Behaviour

We didn't change any configuration before and after this error happened, same ghcr container image had permission issue.

Steps to reproduce this issue

Expected behaviour

push successfully

Actual behaviour

    #33 [auth] yikun/apache-spark-ci-image:pull,push token for ghcr.io
    #33 DONE 0.0s

    #32 exporting to image
    #32 ...

    #34 [auth] apache/spark/apache-spark-github-action-image-cache:pull yikun/apache-spark-ci-image:pull,push token for ghcr.io
    #34 DONE 0.0s

    #32 exporting to image
    #32 pushing layers 1.5s done
    #32 ERROR: unexpected status: 403 Forbidden
    ------
     > exporting to image:
    ------
    ERROR: failed to solve: unexpected status: 403 Forbidden
    Error: buildx failed with: ERROR: failed to solve: unexpected status: 403 Forbidden

Configuration

  • Repository URL (if public):
  • Build URL (if public):
# paste your YAML workflow file here and remove sensitive data

Logs

https://github.com/Yikun/spark/runs/8221889583?check_suite_focus=true

Yikun commented Sep 7, 2022

apache/spark#37745 (comment)

We can confirm that: [image] and [image] and [image]

We can only recover this by creating a new image.

Yikun commented Sep 7, 2022

OK....Related incidents: https://www.githubstatus.com/incidents/d181frs643d4

Yikun commented Sep 7, 2022

After the incident was resolved, it worked as expected again.

Let me close this issue.

Yikun closed this as completed Sep 7, 2022
Yikun reopened this Sep 8, 2022

Yikun commented Sep 8, 2022

@crazy-max this issue happened again....

@cyclinder

Same issue for me..

ErikJiang commented Sep 8, 2022

😂I've been tormented by this problem for two days.

f-strieg commented Sep 8, 2022

I'm working on a monorepo and I get the same error for 1 out of 3 identical workflows. Individually re-running the failed job doesn't help either.

@crazy-max (Member)

Sorry but we can't do much about it as it's related to GitHub infrastructure. Same as #651. Suggest to contact GitHub.

rewlad commented Oct 26, 2022

For me, relinking package to repo has fixed 403:

https://github.com/orgs/community/discussions/26274#discussioncomment-3251137

danquack commented Apr 28, 2023

@crazy-max this seems to be happening for https://github.com/MinimalCompact/thumbor as well. More context and repository screenshots here as following the guidance in this issue: MinimalCompact/thumbor#123. Do you have any advice?

@Anmol1696

Facing this issue again. Is there no fix for this?

@mneira10

Same here

@Anmol1696

Retry seems to work, but this still should be solved properly.

@BenedekKoncz

same here with docker/build-push-action@v4

@dhedegaard-digisense

What seems to solve it for me is adding an explicit permissions section to the workflow yml file:

    permissions:
      contents: read
      packages: write

Hope this helps someone else out there 😅

@RamziRebai

> What seems to solve it for me is adding an explicit permissions section to the workflow yml file:
>
>     permissions:
>       contents: read
>       packages: write
>
> Hope this helps someone else out there 😅

Thank you very much, it worked for me.

RamziRebai commented Aug 5, 2023

It's working fine for me, I hope it will work for you guys.

This is my buildx.yaml file (You don't need to change anything):

    name: BuildX

    # This is a basic workflow to help you get started with Actions

    # Controls when the workflow will run
    on:
      # Triggers the workflow on push or pull request events but only for the "main" branch
      push:
        branches: [ "main" ]
      pull_request:
        branches: [ "main" ]

      # Allows you to run this workflow manually from the Actions tab
      workflow_dispatch:

    # A workflow run is made up of one or more jobs that can run sequentially or in parallel
    jobs:
      # This workflow contains a single job called "build"
      build:
        # The type of runner that the job will run on
        runs-on: ubuntu-latest
        # Token permissions granted to this job
        permissions:
          contents: read
          packages: write

        # Steps represent a sequence of tasks that will be executed as part of the job
        steps:
          # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
          - uses: actions/checkout@v3

          - name: Set up Docker Buildx
            uses: docker/setup-buildx-action@v1

          - name: Log in to GitHub container registry
            uses: docker/[email protected]
            with:
              registry: ghcr.io
              username: ${{ github.actor }}
              password: ${{ github.token }}

          - name: Lowercase the repo name and username
            run: echo "REPO=${GITHUB_REPOSITORY,,}" >>${GITHUB_ENV}

          - name: Build and push container image to registry
            uses: docker/build-push-action@v2
            with:
              push: true
              tags: ghcr.io/${{ env.REPO }}:${{ github.sha }}
              file: ./Dockerfile

And this is my repository: https://github.com/RamziRebai/CI-CD_with_fastapi_HF_Translator

@louisnow

None of the aforementioned fixes worked for me.

However, what did work was disabling logout from the docker login action as mentioned here, https://news.ycombinator.com/item?id=28607735

      - name: Login to GitHub Registry
        uses: docker/login-action@v3
        with:
          logout: false

It turns out that the issue isn't with GHCR, permissions, etc, it's solely with the action logging us out before the image is pushed.

@crazy-max (Member)

> It turns out that the issue isn't with GHCR, permissions, etc, it's solely with the action logging us out before the image is pushed.

Logout is done at post step of the pipeline not between so it should not be the issue you encounter. OTOH if you're using a self-hosted runner, see docker/login-action#173 (comment).
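
A triage helper for the failure in this thread, added here as an example and not code from any participant or from docker/build-push-action: it parses the `[auth]` scope lines from the report at the top and, when the log contains the 403, lists the checks the replies point to (`packages: write`, package-to-repository linking). The function names, the `job_permissions` and `repo_owner` inputs and the owner-mismatch heuristic are assumptions of this example.

```python
import re

# BuildKit logs one "[auth]" line per registry token request:
#   #33 [auth] <repo>:<actions> [<repo>:<actions> ...] token for <registry>
AUTH_RE = re.compile(r"\[auth\]\s+(?P<scopes>.+?)\s+token for\s+(?P<registry>\S+)")
DENIED = "unexpected status: 403 Forbidden"


def parse_auth_scopes(log_text):
    """Return {(registry, repository): {actions}} from buildx output."""
    scopes = {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        for item in m.group("scopes").split():
            repo, _, actions = item.rpartition(":")
            if repo:  # skip anything that is not "<repo>:<actions>"
                key = (m.group("registry"), repo)
                scopes.setdefault(key, set()).update(actions.split(","))
    return scopes


def triage(log_text, job_permissions, repo_owner):
    """Heuristic checklist for a push that ended in 403 (assumptions, not GHCR's rules)."""
    if DENIED not in log_text:
        return []
    findings = []
    for (registry, repo), actions in sorted(parse_auth_scopes(log_text).items()):
        if registry != "ghcr.io" or "push" not in actions:
            continue
        if job_permissions.get("packages") != "write":
            findings.append(f"{repo}: job does not declare 'packages: write'")
        if repo.split("/")[0].lower() != repo_owner.lower():
            findings.append(f"{repo}: push target is outside owner {repo_owner!r}")
        else:
            findings.append(f"{repo}: confirm the package is linked to this repository")
    return findings


# Log lines copied from the issue report at the top of this thread.
SAMPLE_LOG = """\
#33 [auth] yikun/apache-spark-ci-image:pull,push token for ghcr.io
#34 [auth] apache/spark/apache-spark-github-action-image-cache:pull yikun/apache-spark-ci-image:pull,push token for ghcr.io
#32 ERROR: unexpected status: 403 Forbidden
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, {"contents": "read"}, "Yikun"):
        print(finding)
```

An empty result only means none of these checks fired; a registry-side incident such as the one linked earlier in the thread produces the same 403 with a correct configuration.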

docker locked as resolved and limited conversation to collaborators Nov 13, 2023