GitHub Actions "permission denied" for packages: write (GHCR)
Pushing an image to GHCR with the GITHUB_TOKEN requires packages: write. Without it the push is denied, and a retry does not grant the scope.
What this error means
A docker push to ghcr.io fails with denied or an installation-not-allowed message because the token lacks packages: write.
github-actions
denied: installation not allowed to Create organization package
# or: denied: permission_denied: write_packageCommon causes
Missing packages permission
The GITHUB_TOKEN defaults do not include packages: write for GHCR pushes.
Package not linked to the repo
An existing GHCR package may need its access linked to the repository or org for the token to write.
How to fix it
Grant packages write and log in to GHCR
- Add permissions: packages: write to the job.
- Log in to ghcr.io using the GITHUB_TOKEN before pushing.
.github/workflows/ci.yml
permissions:
contents: read
packages: write
steps:
- run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u ${{ github.actor }} --password-stdinHow to prevent it
- Always set packages: write on jobs that push to GHCR.
- Link the GHCR package to the repository so the token can write to it.
Related guides
GitHub Actions "Resource not accessible by integration"Fix the GitHub Actions "Resource not accessible by integration" 403 caused by the GITHUB_TOKEN lacking the pe…
GitHub Actions default GITHUB_TOKEN permissions cause a 403Fix the GitHub Actions 403 caused by the repository or org default GITHUB_TOKEN being read-only, so write API…
GitHub Actions workflow does not contain permissions (default token)Fix the GitHub Actions warning that a workflow does not specify permissions and falls back to the repository…