
GHA: Error: signing ghcr.io/...: GET https://ghcr.io/token?...: DENIED: denied #2489

@ianlewis

Description


When running cosign attest on GitHub Actions, cosign seems to use the ambient GitHub token for retrieving data from the registry for the purposes of signing, instead of using the provided registry password/token.

The situation is as follows:

  1. Running inside a GitHub Actions workflow.
  2. The workflow job's ambient GitHub token does not have packages: write permission.
  3. A PAT token with packages: write is given to the workflow and passed to cosign login to authenticate.
  4. Run cosign attest on a previously created ghcr.io image.

This results in an error occurring during signing. Something like:

Error: signing ghcr.io/...: GET https://ghcr.io/token?...: DENIED: denied

I would expect this flow to succeed by using the auth set by cosign login to retrieve registry data for signing.

Background: This is for a GitHub reusable workflow that deals with registries generically and does not request packages: write for the GitHub token, instead relying on the user to pass a token with the proper packages: write permission as a secret and logging in with it using cosign login.

Version

v1.13.1
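The four-step scenario from the report, written out as a minimal GitHub Actions workflow. This is a constructed example added here, not from the issue or the cosign project; the secret names, the image reference, the predicate file and the sigstore/cosign-installer step (and its version pin) are assumptions.

```yaml
# Constructed reproduction of the reported scenario (not from the issue).
# Assumed secrets: GHCR_PAT (a PAT with packages: write), COSIGN_KEY and
# COSIGN_PASSWORD. Assumed image: ghcr.io/OWNER/IMAGE:TAG, pushed earlier.
name: attest-with-pat

on:
  workflow_dispatch:

jobs:
  attest:
    runs-on: ubuntu-latest
    # Step 2: the job's ambient GITHUB_TOKEN deliberately does NOT get
    # packages: write; read is all it is granted here.
    permissions:
      contents: read
      packages: read
    steps:
      # Assumed installer action and version pin (report is against v1.13.1).
      - uses: sigstore/cosign-installer@v2
        with:
          cosign-release: 'v1.13.1'

      # Step 3: authenticate to the registry with the PAT, not GITHUB_TOKEN.
      - name: Log in to ghcr.io with the PAT
        env:
          REGISTRY_USER: ${{ github.actor }}
          REGISTRY_PAT: ${{ secrets.GHCR_PAT }}
        run: cosign login ghcr.io -u "$REGISTRY_USER" -p "$REGISTRY_PAT"

      # Step 4: attest an image that already exists in ghcr.io.
      # Per the report, this is the step that fails with
      # "GET https://ghcr.io/token?...: DENIED: denied".
      - name: Attest the previously pushed image
        env:
          COSIGN_KEY: ${{ secrets.COSIGN_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        run: |
          printf '%s\n' "$COSIGN_KEY" > cosign.key
          echo '{"buildType": "example"}' > predicate.json
          cosign attest --key cosign.key --type custom \
            --predicate predicate.json ghcr.io/OWNER/IMAGE:TAG
```

The expected behaviour the report asks for is that the attest step reuses the credentials stored by the cosign login step rather than the job's ambient token.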

Labels

bug