Error response from daemon: Head "https://ghcr.io/v2/catthehacker/ubuntu/manifests/act-latest": denied: denied #1248

Closed
k8s-gpubuilder-markus opened this issue Jul 7, 2022 · 12 comments
Labels
kind/bug Something isn't working

Comments

@k8s-gpubuilder-markus

Bug report info

act version:            0.2.29
GOOS:                   linux
GOARCH:                 amd64
NumCPU:                 16
Docker host:            DOCKER_HOST environment variable is unset/empty.
Sockets found:
        /var/run/docker.sock
Config files:           
        /root/.actrc:
                -P ubuntu-latest=ghcr.io/catthehacker/ubuntu:act-latest
                -P ubuntu-22.04=ghcr.io/catthehacker/ubuntu:act-22.04
                -P ubuntu-20.04=ghcr.io/catthehacker/ubuntu:act-20.04
                -P ubuntu-18.04=ghcr.io/catthehacker/ubuntu:act-18.04
Build info:
        Go version:            go1.18.3
        Module path:           github.com/nektos/act
        Main version:          (devel)
        Main path:             github.com/nektos/act
        Main checksum:         
        Build settings:
                -compiler:            gc
                -ldflags:             -s -w -X main.version=0.2.29 -X main.commit=9499612b5818774c5c6d73fbf2596ed464b7b01d -X main.date=2022-07-01T02:54:35Z -X main.builtBy=goreleaser
                CGO_ENABLED:          0
                GOARCH:               amd64
                GOOS:                 linux
                GOAMD64:              v1
                vcs:                  git
                vcs.revision:         9499612b5818774c5c6d73fbf2596ed464b7b01d
                vcs.time:             2022-06-30T02:19:35Z
                vcs.modified:         false
Docker Engine:
        Engine version:        20.10.12
        Engine runtime:        runc
        Cgroup version:        1
        Cgroup driver:         cgroupfs
        Storage driver:        overlay2
        Registry URI:          https://index.docker.io/v1/
        OS:                    Ubuntu 20.04.4 LTS
        OS type:               linux
        OS version:            20.04
        OS arch:               x86_64
        OS kernel:             5.13.0-52-generic
        OS CPU:                16
        OS memory:             31826 MB
        Security options:
                name=apparmor
                name=seccomp,profile=default

Command used with act

act 
(the initial run to pull the image down)

Describe issue

I expect for act to download the runner image medium.

Link to GitHub repository

No response

Workflow content

This is for the initial run of act, I'm not at this step yet.

Relevant log output

./bin/act 
[release/release] 🚀  Start image=ghcr.io/catthehacker/ubuntu:act-latest
[release/release]   🐳  docker pull image=ghcr.io/catthehacker/ubuntu:act-latest platform= username= forcePull=false
[release/release] 🏁  Job succeeded
Error: Error response from daemon: Head "https://ghcr.io/v2/catthehacker/ubuntu/manifests/act-latest": denied: denied

Additional information

No response

@k8s-gpubuilder-markus k8s-gpubuilder-markus added the kind/bug Something isn't working label Jul 7, 2022
@dkasabovn

Also have this issue :)

@ChristopherHX
Contributor

ChristopherHX commented Jul 7, 2022

Unexpected, GitHub has started to enforce authenticated pull for ghcr. No changelog, nothing.

During the past months you could do unauthenticated pulls.
I would need to look up how to do authenticated pulls in act.
You can do:

  • create a Personal Access Token (doesn't need any scope)
  • docker login ghcr.io
  • Enter your GitHub user name
  • Paste your Personal Access Token
  • Finally docker pull ghcr.io/catthehacker/ubuntu:act-latest

I think our pipeline might be broken now...
Previously I could also download nuget packages from my package summary without login, this also shows an authentication error now. (a bit off-topic)

@catthehacker
Member

We can switch back to DockerHub

@dkasabovn

> Unexpected, GitHub has started to enforce authenticated pull for ghcr. No changelog, nothing.
>
> During the past months you could do unauthenticated pulls. I would need to look up how to do authenticated pulls in act. You can do:
>
>   • create a Personal Access Token (doesn't need any scope)
>   • docker login ghcr.io
>   • Enter your GitHub user name
>   • Paste your Personal Access Token
>   • Finally docker pull ghcr.io/catthehacker/ubuntu:act-latest
>
> I think our pipeline might be broken now...

This is for all images? Feel like this is a pretty major change to go unannounced.

Guess I'll be adding my PAT for now.

@catthehacker
Member

> This is for all images? Feel like this is a pretty major change to go unannounced.

GitHub sometimes (un)intentionally makes (major) breaking changes

@ChristopherHX
Contributor

This change seems to be reverted again.

@catthehacker
Member

catthehacker commented Jul 7, 2022

I still get unauthorised but I know from someone that GH is having a really fun time today with GHCR

@ZauberNerd
Contributor

> During the past months you could do unauthenticated pulls. I would need to look up how to do authenticated pulls in act. You can do:
>
>   • create a Personal Access Token (doesn't need any scope)
>   • docker login ghcr.io
>   • Enter your GitHub user name
>   • Paste your Personal Access Token
>   • Finally docker pull ghcr.io/catthehacker/ubuntu:act-latest

act has built-in support for authenticated pulls; you just need to be logged in to the docker registry, and act will use the same mechanism as the docker CLI to load the docker config and authenticate against the registry: https://github.com/nektos/act/blob/master/pkg/container/docker_auth.go

@k8s-gpubuilder-markus
Author

Thanks, that resolved it.

highb added a commit to highb/act that referenced this issue Jul 22, 2022
As discussed in nektos#1248 , the images for this tool are now hosted in `ghcr.io` which (apparently) no longer allows unauthenticated pulls. This PR adds some documentation around how to login to `ghcr.io` as well as mentions the error that occurs if you are not in order to help new users get over this stumbling block.

New contributor here, just wanted to say thanks to all the contributors for making this project. ❤️ I'm looking forward to a large reduction in the number of `fix: fmt` and `fix: linting` commits in my PRs now that I can run my workflows locally. 😂
@highb

highb commented Jul 22, 2022

I have opened a PR to document this requirement for new users. #1270

@bbugh

bbugh commented Aug 20, 2022

I was encountering this issue because my PAT for ghcr.io had expired. Running docker logout ghcr.io allowed it to proceed as expected, without authentication.
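
What ZauberNerd's and bbugh's comments above describe, as an added example that is not part of the thread and is not act's or Docker's own code: it models, in simplified form, how a Docker `config.json` decides which credentials a pull from `ghcr.io` uses, and why a stored entry keeps being used until `docker logout` removes it. The lookup order, `credentialSource`, `sampleConfig`, the user name and the token placeholder are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// dockerConfig holds the config.json fields that decide registry credentials.
type dockerConfig struct {
	Auths       map[string]struct{ Auth string `json:"auth"` } `json:"auths"` // auth = base64("user:token")
	CredsStore  string            `json:"credsStore"`
	CredHelpers map[string]string `json:"credHelpers"`
}

// credentialSource reports where a pull from registry takes its credentials and, for an
// inline entry, the user name only. Assumed order: per-registry helper, store, inline.
func credentialSource(configJSON []byte, registry string) (source, user string, err error) {
	var cfg dockerConfig
	if err = json.Unmarshal(configJSON, &cfg); err != nil {
		return "", "", err
	}
	if h, ok := cfg.CredHelpers[registry]; ok {
		return "helper:" + h, "", nil
	}
	if cfg.CredsStore != "" {
		return "store:" + cfg.CredsStore, "", nil
	}
	if e, ok := cfg.Auths[registry]; ok && e.Auth != "" {
		raw, derr := base64.StdEncoding.DecodeString(e.Auth)
		name, _, found := strings.Cut(string(raw), ":")
		if derr != nil || !found {
			return "", "", fmt.Errorf("malformed auth entry for %s", registry)
		}
		return "inline", name, nil // used while the entry exists, valid token or not
	}
	return "anonymous", "", nil
}

// sampleConfig is constructed input: a stored ghcr.io login with a placeholder token.
var sampleConfig = []byte(`{"auths":{"ghcr.io":{"auth":"` +
	base64.StdEncoding.EncodeToString([]byte("octocat:EXPIRED-PAT-PLACEHOLDER")) + `"}}}`)

func main() {
	fmt.Println(credentialSource(sampleConfig, "ghcr.io"))           // stored login present
	fmt.Println(credentialSource([]byte(`{"auths":{}}`), "ghcr.io")) // after docker logout ghcr.io
}
```

The function never returns the token itself, so its output is safe to paste into a bug report when checking which identity a failing pull is using.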

@Firefishy

The solution is to add a docker/login-action for GHCR. Example:

jobs:
  kitchen:
    name: Test Docker
    runs-on: ubuntu-latest
    permissions:
      packages: read
    steps:
    - name: Login to GitHub Container Registry
      uses: docker/login-action@v2
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
   ...

There is no need to define github.actor or secrets.GITHUB_TOKEN as these are defined automatically by GitHub Actions.
