Skip to content
Latchkey

Docker "denied: installation not allowed to Create organization package" (GHCR)

A push to GitHub Container Registry was denied because the workflow’s token is not permitted to create the package. Either the job lacks packages: write, or the org restricts who can create packages.

What this error means

A docker push ghcr.io/<org>/<image> from GitHub Actions fails with denied: installation not allowed to Create organization package. Authentication succeeded with GITHUB_TOKEN; the authorization to create the package is what is missing.

docker push output
denied: installation not allowed to Create organization package
# pushing ghcr.io/myorg/api:1.4.2 with the default GITHUB_TOKEN

Common causes

The workflow token lacks packages: write

By default GITHUB_TOKEN may be read-only or scoped without package write. Without permissions: packages: write, it cannot create a new package.

Org policy restricts package creation

An organization can limit which actors/apps may create packages. The Actions installation token may simply not be allowed to create a brand-new org package.

First push of a new package under the org

Creating a never-before-seen package needs create permission; pushing a new tag to an existing package needs only write. The first push is the stricter case.

How to fix it

Grant packages: write to the job

Add the permission so the token can create and push packages.

.github/workflows/build.yml
permissions:
  contents: read
  packages: write

# then log in with the token
- uses: docker/login-action@v3
  with:
    registry: ghcr.io
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }}

Allow the action to create org packages

  1. In the org’s Packages settings, allow GitHub Actions to create packages (or pre-create the package and link the repo).
  2. If using a PAT instead, give it write:packages.
  3. Confirm the actor/installation is permitted by org package-creation policy.

How to prevent it

  • Set permissions: packages: write explicitly in workflows that push to GHCR.
  • Pre-create org packages or allow Actions to create them in org settings.
  • Use least-privilege tokens with exactly the package scope needed.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →