 

GitHub workflow to push Docker image to ghcr.io

I am trying to push a Docker image from within a GitHub Actions workflow to the GitHub Container Registry (ghcr.io). Here are the steps I've taken:

  1. create a GitHub personal access token (PAT) with package read/write/delete permissions

  2. logged in locally with this PAT via

    export CR_PAT='...'
    echo "$CR_PAT" | docker login ghcr.io -u <MY GITHUB USERNAME> --password-stdin
    
  3. tagged my Docker image with the proper tag and pushed to ghcr

    docker tag texlive ghcr.io/michaellihs/texlive:latest
    docker push ghcr.io/michaellihs/texlive:latest
    
  4. the image was successfully pushed to https://github.com/users/michaellihs/packages/container/texlive

  5. went to the settings page of the package https://github.com/users/michaellihs/packages/container/texlive/settings and added the repository in which I implemented the GitHub Actions workflow (https://github.com/michaellihs/docker-texlive) as Actions Access with role admin

  6. I used the following GitHub Actions workflow to build & push my image

    name: ci
    
    on:
      push:
        branches:
          - 'main'
    
    jobs:
      build-and-push-image:
        runs-on: ubuntu-latest
        steps:
          - name: Checkout repository
            uses: actions/checkout@v3
    
          - name: Log in to the Container registry
            uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9
            with:
              registry: https://ghcr.io
              username: ${{ github.actor }}
              password: ${{ secrets.GITHUB_TOKEN }}
    
          - name: Build and push Docker image
            uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc
            with:
              context: image/
              push: true
              tags: ghcr.io/michaellihs/texlive:latest
    
  7. when I now run the workflow, I get the following error:

    #10 ERROR: denied: installation not allowed to Write organization package
    ------
     > pushing ghcr.io/michaellihs/texlive:latest with docker:
    ------
    ERROR: denied: installation not allowed to Write organization package
    Error: buildx call failed with: ERROR: denied: installation not allowed to Write 
    organization package
    
asked Apr 28 '26 22:04

Michael Lihs


2 Answers

An alternative to changing the workflow permissions in the repository settings is to use job-level permissions to set write permissions for packages. That has the advantage that only this job runs with the additional privilege.

    jobs:
      build-and-push-image:
        runs-on: ubuntu-latest
        permissions:
          packages: write
        steps:
          ...

Update: corrected indentation, thanks sismo for pointing this out.

It seems like there was one step missing: in the repository that hosts the workflow,

  1. go to the repository settings (/settings)

  2. from the menu, select "Actions --> General"

  3. in the "Workflow permissions" section, select "Read and write permissions"

    Don't forget to hit "Save" afterwards.

That solved the problem and the image was successfully pushed to the registry.

answered Apr 30 '26 10:04

Michael Lihs