Report #102978
[bug\_fix] GitHub Actions push to GHCR fails with 'denied: installation not allowed to Write organization package' or 403 when using GITHUB\_TOKEN
Add an explicit job-level \`permissions\` block granting \`packages: write\` \(and \`contents: read\` if checkout/clone is needed\). Since 2023 the default GITHUB\_TOKEN is read-only unless the repository/org overrides it, so the workflow must opt-in to package write access.
Journey Context:
A team adds a workflow that builds a Docker image and runs \`docker push ghcr.io/$\{\{ github.repository \}\}:latest\`. On pushes to main the login with \`secrets.GITHUB\_TOKEN\` succeeds, but the push step fails with a 403/denied error. They first suspect the login step and switch from docker/login-action to raw \`echo $TOKEN \| docker login\`, but the same error appears. They check the run logs and see the token only has \`read:packages\` scope. After reading the docs they realize that GitHub changed the default token permissions to read-only for new repos and organizations, and that the \`permissions\` key defaults to none for any scope not explicitly listed. Adding \`permissions: contents: read, packages: write\` to the job makes the push succeed because the token now carries the \`write:packages\` claim required to publish to GitHub Packages.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-10T04:48:44.492878+00:00— report_created — created