
With GitHub Actions I'm trying to set up a service that runs a specific image (MySQL preloaded with a database) that I have pushed to ghcr.io. However, when it runs I get this error:

```
Error response from daemon: denied
Warning: Docker pull failed with exit code 1, back off 8.976 seconds before retry.
```

Workflow:

```yaml
services:
  mysql:
    image: ghcr.io/my-name/my-image
    ports:
      - 3306:3306
```

I see it does the following:

```
/usr/bin/docker --config /home/runner/work/_temp/.docker_[...] login ghcr.io -u myusername --password-stdin
```

There is no feedback so not sure if it is logged in or not. And, then:

```
/usr/bin/docker --config /home/runner/work/_temp/.docker[...] pull ghcr.io/my-name/my-image
```

And then I get that error.

I have found many examples (see below) to use GITHUB_TOKEN but not how to use it within the services section so I am not sure if this works or what the syntax would be. So is it even possible to use with services or not? Also have given the repository in which the GitHub action is defined access to the specific package.

```yaml
steps:
  - name: Checkout repository
    uses: actions/checkout@v3

  - name: Log in to the Container registry
    uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
    with:
      registry: ${{ env.REGISTRY }}
      username: ${{ github.actor }}
      password: ${{ secrets.GITHUB_TOKEN }}
```
Azeem
sanderdev
  • Is that image public? – Azeem Feb 06 '23 at 15:56
  • No it is a private image – sanderdev Feb 06 '23 at 15:58
  • Then, to "**Download an existing container**", "**If the container is private, only workflows running in repositories that are given read permission on that container can download the container.**". Ref: https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#default-permissions-and-access-settings-for-containers-modified-through-workflows – Azeem Feb 06 '23 at 15:59
  • You need to configure the image's read visibility for this particular workflow. See https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility. – Azeem Feb 06 '23 at 16:02
  • Yes thank you I was aware of that so had given access but did not help. I actually thought that would have been enough so not sure what I am missing. – sanderdev Feb 06 '23 at 16:03
  • Right. Maybe, you need to revisit and verify all the steps one by one. BTW, have you tried using a [PAT](https://github.com/docker/login-action#github-container-registry)? – Azeem Feb 06 '23 at 16:05
  • So I added the repository which contains the action in the package settings under "Manage Actions access: Pick the repositories that can access this package using GitHub Actions". And I set the "Inherit access from source repository (recommended)" option. Regarding the PAT, I have set up some access tokens but I do not understand what the syntax under services would be but also how it would know which token to use. – sanderdev Feb 06 '23 at 16:08
  • You can [create a PAT](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) with more granular privileges and try that in place of `GITHUB_TOKEN`. – Azeem Feb 06 '23 at 16:12
  • Yes thanks but is it possible to use it with the services sections because I cannot find any examples for that. So I do not understand what the syntax would be to use it there. – sanderdev Feb 06 '23 at 16:15
  • See this official example https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#example-of-jobsjob_idservicesservice_idcredentials. – Azeem Feb 06 '23 at 16:20
  • Also, see [`jobs.<job_id>.services.<service_id>.credentials`](https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idservicesservice_idcredentials). – Azeem Feb 06 '23 at 16:22

1 Answer


So I finally found the issue, in my workflow (started from default template) I had:

```yaml
permissions:
  contents: read
```

Then I saw this:

> Setting permissions in the workflow
>
> A new permissions key supported at the workflow and job level enables you to specify which permissions you want for the token. Any permission that is absent from the list will be set to none.

This caused packages to be set to none. Removing the whole permissions or adding:

```yaml
packages: read
```

fixes this issue I had, thanks for the help.

sanderdev
  • From your earlier comments, I gathered that all the permissions' issues were already taken care of and the workflow in the question itself also had this missing. Anyway, glad you figured this out. Cheers! – Azeem Feb 07 '23 at 04:28
  • Yes it would have helped if I had shown my whole config then you would probably have noticed. Thanks for your help though it did help me to see the login was not the issue :) – sanderdev Feb 07 '23 at 07:28
  • Yes, it would have. You're welcome! :) – Azeem Feb 07 '23 at 07:30
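
The fix from the answer combined with the `credentials` key linked in the comments, as an added example that is not part of the original posts. The workflow name, trigger, job name and the wait step are assumptions; the image name is the placeholder from the question, and the package must still grant this repository access under "Manage Actions access".

```yaml
# Added example (hypothetical workflow, not the poster's actual file).
name: integration-tests        # assumed name
on: [push]                     # assumed trigger

# Once a permissions block is present, every scope that is not listed
# is set to none for GITHUB_TOKEN. Listing only "contents: read" is what
# produced "Error response from daemon: denied" on the service pull.
permissions:
  contents: read               # needed by actions/checkout
  packages: read               # needed to pull the private ghcr.io image

jobs:
  test:                        # assumed job name
    runs-on: ubuntu-latest
    services:
      mysql:
        image: ghcr.io/my-name/my-image
        # Credentials the runner uses for "docker login" before the pull.
        credentials:
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
        ports:
          - 3306:3306
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      # Assumed step: fail fast if the service container never came up.
      - name: Wait for MySQL port
        run: |
          timeout 60 bash -c \
            'until (echo > /dev/tcp/127.0.0.1/3306) 2>/dev/null; do sleep 2; done'
```

Keeping the explicit `permissions` block and adding only `packages: read` preserves least privilege; removing the block entirely also works but falls back to the repository's default token permissions.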