-
-
Notifications
You must be signed in to change notification settings - Fork 90
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to find image 'ghcr.io/pypa/gh-action-pypi-publish:61da13deb5f5124fb1536194f82ed3d9bbc7e8f3' #290
Comments
Ah... taking another look I've got a new theory... I'm pinning the action to it's git hash, in order to keep OpenSSF Scorecard checks happy. But it's using the hash as a tag, and there isn't a container image with that tag. |
Thanks for the report! We didn't take hashes into account in #230 and images with those versions aren't published, and the runtime logic doesn't fall back to local builds. cc @br3ndonland |
UPD: I published an image with another tag and in #287 (reply in thread) we confirmed that it fixes the immediate problem. I'm going to keep this issue open for now to keep it on my radar and think about a more long-term solution. |
UPD: while releasing v1.12.1, I remembered to also produce an image for the commit hash before pushing the tag/branches — #296. Long-term, I want to integrate the disconnected part of the process more to avoid human factor-caused mistakes. |
As for possibly, doing a fallback, here's what should help implement the required check: https://checkson.io/blog/monitoring-docker-images/. |
I had the same issue today with a GH Action that has been working for quite a while the first error I got was a bit misleading since it said "docker: invalid reference format: repository name (owasp-sbot/OSBot-GitHub-Actions) must be lowercase." (see https://github.com/owasp-sbot/OSBot-Utils/actions/runs/11723153140/job/32656045035#step:4:209 ) once I made that lowercase, I got another error saying "Unable to find image 'ghcr.io/owasp-sbot/osbot-github-actions:dev' locally" (see https://github.com/owasp-sbot/OSBot-Utils/actions/runs/11723801117/job/32656257025#step:4:209 ) my temporary workaround was to change in my GH Action
into
|
I'm seeing a similar situation when publishing to test pypi: "docker: Error response from daemon: Head "https://ghcr.io/v2/blink1073/drivers-github-tools/manifests/INTPYTHON-406": denied." My workaround was to pin the action as well. https://github.com/blink1073/django-mongodb/actions/runs/11727412713/job/32668549951 |
These two last comments are actually a different issue and I saw two other reports filed separately (#291 / #299). I discovered that this was caused by calling the action from other composite actions. So with that in mind, I'm thinking I'll document such use as known to be unsupported (as opposed to leading people to believe that it was ever encouraged in the first place). |
If anyone is also having an error when switching to v1.11.0 of |
@parth-kulkarni1 no, split the job into two instead. |
I had a similar issue today: After bumping to v1.12.2 publishing to PyPi is failing:
The full logs. Here is the section of my workflow:
Publishing with a previous version v1.11.0 was working. This is the logs. Many thanks for your help 🙏 |
@ludwiglierhammer it's failing because you configured your runner to block connections to GHCR and it prevents the network image download. You'll have to figure out how to allowlist it. |
PR pypa#230 updated the action to pull Docker images from GHCR instead of building Docker images each time the workflow runs. As part of this PR, a new GitHub Actions workflow was added that builds Docker images and pushes them to GitHub Container Registry (GHCR). Actions can be referenced in various ways. The Docker build workflow covers most of the action references, but does not push Docker images tagged with the Git commit ID (Git SHA). This commit will add Docker tags for referencing the action with a Git SHA. GitHub Actions only supports references by the full 40 character SHA. If users try to reference the action by a short SHA like `1234567`, they will get an error like, "Unable to resolve action `pypa/gh-action-pypi-publish@1234567`, the provided ref `1234567` is the shortened version of a commit SHA, which is not supported. Please use the full commit SHA `1234567890123456789012345678901234567890` instead." pypa#230 pypa#290 https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/using-pre-written-building-blocks-in-your-workflow#using-shas
Re: #290 (comment)
Re: #290 (comment)
@cpswan thanks for reporting this issue, and sorry for the inconvenience. As you mention, using the Git SHA is a valid (and secure) way to reference the action. We didn't catch this use case initially. Thankfully it's a simple fix. I've opened #301 to resolve the issue. Just a note in case other users land here - GitHub Actions only supports references by the full 40 character SHA. If users try to reference the action by a short SHA like |
@webknjaz Thanks for your hint. I added |
@ludwiglierhammer couldn't you just add |
@ludwiglierhammer previously, the docker container was pre-built before all the steps in your job. Currently, it's not built but downloaded from GHCR, but the corresponding network access is happening when the job reaches the step with this action. So earlier, your hardening was being applied after the network access related to building the image (so it was before any network traffic was being blocked) and now, it's happening after the firewall is in place. |
After bumping to v1.12.0 publishing to TestPyPI is failing:
Full logs at the workflow run
Here's the relevant section of my workflow (which is pretty much boilerplate):
If I was to take a wild guess at why this is happening, it would be permissions for the new Docker images, which might be available to testers, but not yet public.
The text was updated successfully, but these errors were encountered: