GHCR "installation not allowed to Create organization package" in CI
GHCR denied the first push because the GitHub Actions token (an app installation) is not allowed to create a brand-new package in the organization. Org package-creation settings, or the package not yet existing/linked, block the automatic create. The fix is to allow the action to create packages or create the package once manually.
What this error means
The first push of a new image to ghcr.io/ORG/... fails with "installation not allowed to Create organization package" or a 403 on the package-create step.
denied: installation not allowed to Create organization packageCommon causes
Org policy blocks Actions from creating packages
The organization restricts which actors may create packages, so the workflow token cannot create the package on first push.
The package does not exist or is not linked yet
GHCR auto-creates on first push only when permitted. If creation is restricted, a token without create rights is rejected.
How to fix it
Allow the workflow to create the package
- In the org Packages settings, permit the repository/Actions to publish packages.
- Ensure the workflow has
permissions: packages: write. - Re-run; the first push can now create the package.
permissions:
contents: read
packages: writeCreate and link the package manually once
Push the package once with a PAT that has write:packages, then link it to the repo so future GITHUB_TOKEN pushes are writes, not creates.
echo "$GHCR_PAT" | docker login ghcr.io -u USER --password-stdin
docker push ghcr.io/ORG/app:bootstrapHow to prevent it
- Configure org package settings to allow Actions to publish.
- Bootstrap a new package once, then rely on GITHUB_TOKEN writes.
- Link each package to its source repo for least-privilege pushes.