Skip to content
Latchkey

GitHub Actions "permission denied" for packages: write (GHCR)

Pushing an image to GHCR with the GITHUB_TOKEN requires packages: write. Without it the push is denied, and a retry does not grant the scope.

What this error means

A docker push to ghcr.io fails with denied or an installation-not-allowed message because the token lacks packages: write.

github-actions
denied: installation not allowed to Create organization package
# or: denied: permission_denied: write_package

Common causes

Missing packages permission

The GITHUB_TOKEN defaults do not include packages: write for GHCR pushes.

Package not linked to the repo

An existing GHCR package may need its access linked to the repository or org for the token to write.

How to fix it

Grant packages write and log in to GHCR

  1. Add permissions: packages: write to the job.
  2. Log in to ghcr.io using the GITHUB_TOKEN before pushing.
.github/workflows/ci.yml
permissions:
  contents: read
  packages: write
steps:
  - run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdin

How to prevent it

  • Always set packages: write on jobs that push to GHCR.
  • Link the GHCR package to the repository so the token can write to it.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →