Skip to content
Latchkey

Skaffold "no push access to ... unauthorized" in CI

Before building, Skaffold checks it can push to the target repository. If the runner has no valid registry credentials, that check fails with an unauthorized error and no build runs.

What this error means

Skaffold fails early with "no push access to repository" or "unauthorized: authentication required" naming the registry it tried to reach.

skaffold
checking push permissions: getting push access to "us-docker.pkg.dev/my-project/my-repo/my-app":
GET https://us-docker.pkg.dev/v2/token: unauthorized: authentication required

Common causes

The runner never logged in to the registry

Docker credentials that exist on a developer machine are absent on a clean CI runner, so the push token request is anonymous.

A credential helper is not configured in CI

Cloud registries need a helper (gcloud, aws ecr, docker login) that was not set up before the Skaffold step.

How to fix it

Authenticate to the registry before Skaffold

  1. Log in to the target registry in a step before build.
  2. Confirm the credential is written to the Docker config the runner uses.
  3. Run Skaffold after the login step.
.github/workflows/ci.yml
- name: Log in to registry
  run: gcloud auth configure-docker us-docker.pkg.dev --quiet
- name: Build and deploy
  run: skaffold run --default-repo=us-docker.pkg.dev/my-project/my-repo

Use a docker login for token registries

For registries that accept a username and token, log in with the CI secret.

.github/workflows/ci.yml
echo "${{ secrets.REGISTRY_TOKEN }}" | docker login ghcr.io -u "${{ github.actor }}" --password-stdin

How to prevent it

  • Add an explicit registry login step before every Skaffold build.
  • Store registry credentials in CI secrets, not in the image.
  • Verify the default-repo host matches the registry you logged in to.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →