Skip to content
Latchkey

GHCR "installation not allowed to Create organization package" in CI

GHCR denied the first push because the GitHub Actions token (an app installation) is not allowed to create a brand-new package in the organization. Org package-creation settings, or the package not yet existing/linked, block the automatic create. The fix is to allow the action to create packages or create the package once manually.

What this error means

The first push of a new image to ghcr.io/ORG/... fails with "installation not allowed to Create organization package" or a 403 on the package-create step.

docker
denied: installation not allowed to Create organization package

Common causes

Org policy blocks Actions from creating packages

The organization restricts which actors may create packages, so the workflow token cannot create the package on first push.

The package does not exist or is not linked yet

GHCR auto-creates on first push only when permitted. If creation is restricted, a token without create rights is rejected.

How to fix it

Allow the workflow to create the package

  1. In the org Packages settings, permit the repository/Actions to publish packages.
  2. Ensure the workflow has permissions: packages: write.
  3. Re-run; the first push can now create the package.
.github/workflows/ci.yml
permissions:
  contents: read
  packages: write

Create and link the package manually once

Push the package once with a PAT that has write:packages, then link it to the repo so future GITHUB_TOKEN pushes are writes, not creates.

Terminal
echo "$GHCR_PAT" | docker login ghcr.io -u USER --password-stdin
docker push ghcr.io/ORG/app:bootstrap

How to prevent it

  • Configure org package settings to allow Actions to publish.
  • Bootstrap a new package once, then rely on GITHUB_TOKEN writes.
  • Link each package to its source repo for least-privilege pushes.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →