Skip to content
Latchkey

GitHub Actions "ghcr.io push denied" (packages: write)

Pushing a container image to the GitHub Container Registry with GITHUB_TOKEN requires packages: write. Without it, the push is denied at the registry. This is a permission/config gap, not a transient failure.

What this error means

docker push to ghcr.io fails with a denied/permission error after a successful docker login using GITHUB_TOKEN.

github-actions
denied: installation not allowed to Write organization package
Error: buildx failed: error pushing ghcr.io/owner/image:tag

Common causes

Missing packages: write permission

The job does not grant packages: write, so GITHUB_TOKEN can authenticate but not push.

Org package write policy blocks the repo

The organization package settings do not allow this repository to write the package.

How to fix it

Grant packages: write and log in correctly

  1. Add packages: write to the job permissions.
  2. Log in to ghcr.io with GITHUB_TOKEN before pushing.
  3. If the package already exists, ensure the repo has write access under the package settings.
.github/workflows/publish.yml
  publish:
    permissions:
      packages: write
      contents: read
    steps:
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

How to prevent it

  • Set packages: write on any job that pushes to ghcr.io.
  • Grant the repository write access on existing org-owned packages.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →