GitHub Actions "ghcr.io push denied" (packages: write)
Pushing a container image to the GitHub Container Registry with GITHUB_TOKEN requires packages: write. Without it, the push is denied at the registry. This is a permission/config gap, not a transient failure.
What this error means
docker push to ghcr.io fails with a denied/permission error after a successful docker login using GITHUB_TOKEN.
github-actions
denied: installation not allowed to Write organization package
Error: buildx failed: error pushing ghcr.io/owner/image:tagCommon causes
Missing packages: write permission
The job does not grant packages: write, so GITHUB_TOKEN can authenticate but not push.
Org package write policy blocks the repo
The organization package settings do not allow this repository to write the package.
How to fix it
Grant packages: write and log in correctly
- Add packages: write to the job permissions.
- Log in to ghcr.io with GITHUB_TOKEN before pushing.
- If the package already exists, ensure the repo has write access under the package settings.
.github/workflows/publish.yml
publish:
permissions:
packages: write
contents: read
steps:
- uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}How to prevent it
- Set packages: write on any job that pushes to ghcr.io.
- Grant the repository write access on existing org-owned packages.
Related guides
GitHub Actions "npm publish 403 to GitHub Packages" (scope)Fix the GitHub Actions npm publish 403 to GitHub Packages - wrong scope, registry, or missing packages: write.
GitHub Actions docker build "--secret id not provided"Fix the GitHub Actions docker build error where a Dockerfile RUN --mount=type=secret references a secret id t…
GitHub Actions setup-buildx "driver-opts invalid"Fix the GitHub Actions docker/setup-buildx-action error caused by invalid driver-opts input.