0

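I am trying to build a Docker image and push it to GHCR (GitHub Container Registry).

Unfortunately, I get an error during the login step of the docker/login-action@v1 action, which uses GITHUB_TOKEN as the password.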

Error: Error response from daemon: Get "https://ghcr.io/v2/": denied: denied

The whole workflow YAML manifest.

name: Docker CI

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  build-push:
    name: Build and push Docker image to GitHub Container registry
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
    steps:
    - name: Checkout the repository
      uses: actions/checkout@v2

    - name: Login to GitHub Container registry
      env:
        GITHUB_USER: ${{ github.actor }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      uses: docker/login-action@v1
      with:
        registry: ghcr.io
        username: $GITHUB_USER
        password: $GITHUB_TOKEN

    - name: Build and Push Docker Image
      env:
        REGISTRY: ghcr.io
        OWNER: my-organization-name
        IMAGE_NAME: ${{ github.repository }}
      uses: docker/build-push-action@v2
      with:
        context: .
        file: ./docker/Dockerfile
        target: final
        push: true
        tags: |
          $REGISTRY/$OWNER/$IMAGE_NAME:$(date +%s)
        build-args: |
          ENVIRONMENT=production

Screenshot of the error.


Update

The "Set up job" stage.

Current runner version: '2.285.1'
Operating System
  Ubuntu
  20.04.3
  LTS
Virtual Environment
  Environment: ubuntu-20.04
  Version: 20211219.1
  Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20211219.1/images/linux/Ubuntu2004-README.md
  Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20211219.1
Virtual Environment Provisioner
  1.0.0.0-main-20211214-1
GITHUB_TOKEN Permissions
  Contents: read
  Metadata: read
  Packages: write
Secret source: Actions
Prepare workflow directory
Prepare all required actions
Getting action download info
Download action repository 'actions/checkout@v2' (SHA:ec3a7ce113134d7a93b817d10a8272cb61118579)
Download action repository 'docker/login-action@v1' (SHA:42d299face0c5c43a0487c477f595ac9cf22f1a7)
Download action repository 'docker/build-push-action@v2' (SHA:a66e35b9cbcf4ad0ea91ffcaf7bbad63ad9e0229)

The "Login to GitHub Container registry" stage.

Run docker/login-action@v1
  with:
    registry: ghcr.io
    username: $GITHUB_USER
    password: $GITHUB_TOKEN
    ecr: auto
    logout: true
  env:
    GITHUB_USER: my-github-username
    GITHUB_TOKEN: ***
Logging into ghcr.io...
Error: Error response from daemon: Get "https://ghcr.io/v2/": denied: denied

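Notes

The repository I use is private and belongs to an organization I am creating.

The GitHub docs say that using GITHUB_TOKEN instead of a PAT is recommended. https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry

To authenticate to the Container registry within a GitHub Actions workflow, use the GITHUB_TOKEN for the best security and experience. If your workflow is using a personal access token (PAT) to authenticate to ghcr.io, then we highly recommend you update your workflow to use the GITHUB_TOKEN.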

4

1 Answer

1

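The problem was trying to use the environment variable GITHUB_TOKEN, to which ${{ secrets.GITHUB_TOKEN }} is assigned, as the password.

With the secret ${{ secrets.GITHUB_TOKEN }} assigned directly to the password, everything works.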

name: Docker CI

on:
  push:
    branches: [ main ]
  pull_request:
    branches: [ main ]

jobs:
  build-push:
    name: Build and push Docker image to GitHub Container registry
    runs-on: ubuntu-latest
    permissions:
      packages: write
      contents: read
    steps:
    - name: Checkout the repository
      uses: actions/checkout@v2

    - name: Login to GitHub Container registry
      uses: docker/login-action@v1
      env:
        GITHUB_USER: ${{ github.actor }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      with:
        registry: ghcr.io
        username: $GITHUB_USER
        password: ${{ secrets.GITHUB_TOKEN }}

    - name: Build and Push Docker Image
      env:
        REGISTRY: ghcr.io
        OWNER: my-organization-name
        IMAGE_NAME: ${{ github.repository }}
      uses: docker/build-push-action@v2
      with:
        context: .
        file: ./docker/Dockerfile
        target: final
        push: true
        tags: |
          $REGISTRY/$OWNER/$IMAGE_NAME:$(date +%s)
        build-args: |
          ENVIRONMENT=production

It is still possible to use env, but the syntax is different.

Instead of this assignment

password: $GITHUB_TOKEN

this one should be used

password: ${{ env.GITHUB_TOKEN }}

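If I understand correctly, the first syntax can be used inside the workflow runner. In other cases within the workflow file, the env context should be used.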

https://docs.github.com/en/actions/learn-github-actions/environment-variables

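To use the value of an environment variable in a workflow file, you should use the env context. If you want to use the value of an environment variable inside a runner, you can use the runner operating system's normal method for reading environment variables.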

Answered 2022-01-13T08:44:57.133
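
Added example, not part of the original question or answer: a small Python check that flags `with:` inputs holding shell-style references such as `$GITHUB_TOKEN` or `$(date +%s)`, which reach the action as literal text instead of the secret or value intended. The function name, the constructed sample workflow and the line-based scan (no YAML library, block-style `with:` mappings only) are assumptions made for this example.

```python
import re

# `with:` inputs are handed to the action as plain strings: only ${{ ... }}
# expressions are evaluated there, shell syntax is not.
EXPRESSION = re.compile(r"\$\{\{.*?\}\}")
SHELL_REF = re.compile(r"\$(?:[A-Za-z_][A-Za-z0-9_]*|\{[A-Za-z_]|\()")

# Constructed sample modelled on the two steps discussed above.
SAMPLE = """\
- name: Login to GitHub Container registry
  uses: docker/login-action@v1
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  with:
    username: ${{ github.actor }}
    password: $GITHUB_TOKEN
- name: Build and Push Docker Image
  uses: docker/build-push-action@v2
  with:
    tags: |
      $REGISTRY/$OWNER/$IMAGE_NAME:$(date +%s)
"""

def find_unexpanded_inputs(workflow_text):
    """Return (line_no, input_name, value) for inputs with shell-style refs."""
    findings = []
    with_indent = input_indent = current_input = None
    for line_no, raw in enumerate(workflow_text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if with_indent is not None and indent <= with_indent:
            with_indent = None                  # dedent: the with: block ended
        if with_indent is None:
            if stripped == "with:":
                with_indent, input_indent = indent, None
            continue
        if input_indent is None:
            input_indent = indent               # first key fixes the key column
        if indent == input_indent and ":" in stripped:
            current_input, _, value = stripped.partition(":")
            value = value.strip()
        else:
            value = stripped                    # continuation of a block scalar
        # Ignore ${{ ... }} expressions, then look for leftover shell syntax.
        if SHELL_REF.search(EXPRESSION.sub("", value)):
            findings.append((line_no, current_input, value))
    return findings
```

Run over a repository's `.github/workflows/*.yml` files, a non-empty result points at inputs such as a registry password that will be sent as the literal string shown.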