Skip to content
Latchkey

GitHub Actions docker/build-push-action "denied" on push

docker/build-push-action with push: true authenticates using the login performed earlier in the job. A registry that rejects the credentials, or an image name the account cannot write to, returns a denied error at push time.

What this error means

A build-push step builds the image but fails on push with buildx reporting ERROR: denied, sometimes mentioning the registry host.

github-actions
ERROR: failed to solve: failed to push ghcr.io/acme/app:latest:
denied: permission_denied: write_package
buildx failed with: ERROR: denied

Common causes

Login missing or to the wrong registry

No docker/login-action ran, or it logged into a different registry than the image tag points to.

Token lacks write/packages permission

For GHCR, the workflow token needs packages: write; for other registries the credentials must allow push to that repository.

How to fix it

Authenticate with write access to the target registry

  1. Run docker/login-action against the same registry as the image tag.
  2. Grant packages: write in the job permissions for GHCR.
  3. Confirm the image name matches a repo the account can push to.
.github/workflows/ci.yml
permissions:
  packages: write
steps:
  - uses: docker/login-action@v3
    with:
      registry: ghcr.io
      username: ${{ github.actor }}
      password: ${{ secrets.GITHUB_TOKEN }}
  - uses: docker/build-push-action@v6
    with:
      push: true
      tags: ghcr.io/${{ github.repository }}:latest

How to prevent it

  • Keep the login registry and the image tag registry identical.
  • Set packages: write explicitly when pushing to GHCR.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →