Skip to content
Latchkey

Docker "pulling without basic auth: anonymous denied" in CI

Private registries reject anonymous pulls. When a CI job pulls a private image without a prior docker login, the registry resolves the identity as anonymous and returns denied. Occasionally the same surface appears for a moment when the registry's auth/token service is transiently unavailable.

What this error means

A docker pull of a private image fails with denied or pull access denied while the job is not authenticated. Logging in fixes the persistent case.

docker
Error response from daemon: pull access denied for ghcr.io/myorg/private-api, repository does not exist or may require 'docker login': denied

Common causes

No docker login before the pull

A private image needs credentials; an unauthenticated pull is treated as anonymous and denied.

A transient auth/token service blip

A momentarily unavailable registry token service can surface as a denied response before recovering.

How to fix it

Log in before pulling

  1. Authenticate to the registry, then pull.
  2. In Actions, use docker/login-action.
.github/workflows/ci.yml
- uses: docker/login-action@v3
  with:
    registry: ghcr.io
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }}
- run: docker pull ghcr.io/myorg/private-api:1.4.2

Verify the credential can read the repo

  1. Confirm the identity has read access to the private repository path.
Terminal
docker login ghcr.io -u myorg --password-stdin <<< "$REGISTRY_TOKEN"
docker pull ghcr.io/myorg/private-api:1.4.2

How to prevent it

  • Authenticate before pulling private images.
  • Grant read access to the pulling identity.
  • Retry transient token-service blips before assuming a permission issue.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →