
Fine-grained personal access tokens #331

Open
@waldirborbajr

Description


Behaviour

I've created a PAT from the Beta Fine-grained token, set ALL User and Repository permission options to READ-WRITE, and copied the generated token.

In my project repository I've created an Action Token called GH_PAT, pasted the token generated from Fine-grained, then executed the action to run a deploy to GHCR.io.

After that I executed the action to deploy, but I got a permission error when the action tries to deploy to GHCR.io.

With the Classic version of the token, Token (Classic) works perfectly without errors.

Repository permissions

  • Read access to codespaces metadata and metadata
  • Read and Write access to Dependabot alerts, actions, administration, code, codespaces, codespaces lifecycle admin, codespaces secrets, commit statuses, dependabot secrets, deployments, discussions, environments, issues, merge queues, pages, pull requests, repository hooks, secret scanning alerts, secrets, security events, and workflows

User Permission

  • Read access to plan and private repository invitations
  • Read and Write access to blocking, codespaces user secrets, email addresses, followers, gists, git signing ssh public keys, gpg keys, interaction limits, keys, profile, starring, and watching

Action to deploy

  - name: "Login to GitHub Container Registry"
    uses: docker/login-action@v1
    with:
      registry: ghcr.io
      username: ${{ github.repository_owner }}
      password: ${{ secrets.GH_PAT }}

Steps to reproduce this issue

  1. Generate a Fine-grained token with ALL permissions set to READ-WRITE
  2. Generate a Project PAT with the token generated from Fine-grained
  3. Try to deploy

Expected behaviour

Tell us what should happen

Should deploy to GHCR.io

Actual behaviour

Tell us what happens instead

• publishing
• docker images
• pushing image=ghcr.io//kvstok:0.2.1-arm64
⨯ release failed after 1m20s error=docker images: failed to publish artifacts: failed to push ghcr.io/
/kvstok:0.2.1-arm64: exit status 1: The push refers to repository [ghcr.io/***/kvstok]
4a793d9ee315: Preparing
ff8e7336f73c: Preparing
c4d4f60bd31b: Preparing
de51348d431b: Preparing
denied: permission_denied: The token provided does not match expected scopes.

Error: The process '/opt/hostedtoolcache/goreleaser-action/1.12.3/x64/goreleaser' failed with exit code 1

Configuration

# paste your YAML workflow file here and remove sensitive data
name: Build & Release

on:
  push:
    tags:
      - 'v*'

permissions:
  contents: write # needed to write releases
  id-token: write # needed for keyless signing
  packages: write # needed for ghcr access
  issues: write

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    env:
      DOCKER_CLI_EXPERIMENTAL: "enabled"

    steps:
      - name: "Checkout"
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: "Fetch all tags"
        run: git fetch --force --tags

      - name: "Setup Go"
        uses: actions/setup-go@v3
        with:
          go-version: ">=1.19.0"
          cache: true

      - name: "Setup Qemu"
        uses: docker/setup-qemu-action@v2

      - name: "Setup Docker BuildX"
        uses: docker/setup-buildx-action@v2

      - name: "Login to DockerHub"
        uses: docker/login-action@v1
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: "Login to GitHub Container Registry"
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GH_PAT }}

      - name: "Release a new version"
        id: release
        uses: goreleaser/goreleaser-action@v3
        if: success() && startsWith(github.ref, 'refs/tags/')
        with:
          distribution: goreleaser
          version: latest
          args: release --rm-dist
        env:
          GITHUB_TOKEN: ${{ secrets.GH_PAT }}

Logs

Download the log file of your build
and attach it to this issue.
logs_429.zip
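A least-privilege alternative for the GHCR login and release steps, added here as an example and not part of the issue or of the project's own workflow. It assumes the repository's job-scoped `secrets.GITHUB_TOKEN` is acceptable for pushing to `ghcr.io` under the repository owner's namespace: the `permissions:` block in the workflow above already grants `packages: write`, which is the scope the registry checks for a push, so no long-lived PAT has to be stored as a repository secret. The `docker/login-action@v2` major is an assumed update of the `@v1` used in the issue.

```yaml
# Added example: GHCR login with the job-scoped GITHUB_TOKEN instead of a stored PAT.
# Assumes the image is pushed under the same owner as the repository running the job.
name: Build & Release

on:
  push:
    tags:
      - 'v*'

permissions:
  contents: write   # create the GitHub release
  packages: write   # push the image to ghcr.io (the scope the registry rejected above)
  id-token: write   # keyless signing

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    steps:
      - name: "Checkout"
        uses: actions/checkout@v3
        with:
          fetch-depth: 0

      - name: "Login to GitHub Container Registry"
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          # Job-scoped token: minted per run, limited to the permissions above,
          # and invalid once the job ends, so a leak is far less useful than a PAT.
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: "Release a new version"
        uses: goreleaser/goreleaser-action@v3
        if: success() && startsWith(github.ref, 'refs/tags/')
        with:
          distribution: goreleaser
          version: latest
          args: release --rm-dist
        env:
          # Same job token covers the release upload (contents: write)
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The `denied: permission_denied: The token provided does not match expected scopes.` line in the log above is the registry rejecting the credential's scope rather than the workflow's `permissions:` block, so the first thing to check is which credential the login step actually received. Using the job token also keeps the PAT out of the repository's secret store entirely; if a PAT is still required for some other step, scope it to that step only rather than reusing it for the registry login.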
