In GitHub Actions, after logging into the GHCR registry, you may be surprised to see the error "403 Forbidden" when running docker push or helm push:
Error: unexpected status from POST request to https://ghcr.io/v2/cert-manager/charts/openshift-routes/blobs/uploads/: 403 Forbidden
Example: https://github.com/cert-manager/openshift-routes/actions/runs/7088552754/job/19291296517
You will probably already have double-checked that you have correctly set the GITHUB_TOKEN permissions:

    # Either at the top of your workflow file,
    # or under the job itself.
    permissions:
      packages: write

You will also have double-checked that you are passing the GITHUB_TOKEN correctly:

    - uses: docker/login-action@v2
      with:
        registry: ghcr.io
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

But that's not where the issue is, I found. At first, I thought it was because GitHub Actions requires a specific naming to be used. I thought that I had to rename the container image to match the repository name… but that wasn't the cause of the issue.
I noticed that the GitHub Action had run correctly once, but then started failing on subsequent runs.
Solution: I opened the image's page (https://github.com/cert-manager/openshift-routes/pkgs/container/charts%2Fopenshift-routes), then went to "Package settings", then "Add repository" under the section "Manage Actions access", and finally I added the repository "cert-manager/openshift-routes" and changed the role to Write.
Another issue I hit: After the first successful run of the GitHub Action, goreleaser had successfully created the Helm chart package, but it was marked as "private". I had to make it public before people could use the Helm charts:
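
A scripted check of the package's visibility (the "private" problem above), as an added example that is not part of the original post: it builds the REST API URL for the package, percent-encoding the slash in the name, and reviews the visibility and linked repository in the response. The endpoint is GitHub's "get a package for an organization" call, the sample response is constructed, and the "Manage Actions access" list is not read by this code, so that part is still checked in "Package settings".

```python
import json
import urllib.request
from urllib.parse import quote

API = "https://api.github.com"

def package_api_url(org, name, package_type="container"):
    # A name like "charts/openshift-routes" contains a slash; it must be sent
    # as %2F (as in the package page URL) or it is read as a path separator.
    return (f"{API}/orgs/{quote(org, safe='')}/packages/"
            f"{package_type}/{quote(name, safe='')}")

def fetch_package(url, token):
    # Live lookup; the token must be allowed to read packages (assumption).
    req = urllib.request.Request(url, headers={
        "Accept": "application/vnd.github+json",
        "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)

def review_package(pkg, expected_repo):
    """Return findings for one package object returned by the REST API."""
    findings = []
    visibility = pkg.get("visibility")
    if visibility != "public":
        findings.append(f"visibility is {visibility!r}; unauthenticated pulls will fail")
    linked = (pkg.get("repository") or {}).get("full_name")
    if linked is None:
        findings.append("package is not linked to a repository")
    elif linked.lower() != expected_repo.lower():
        findings.append(f"package is linked to {linked}, not {expected_repo}")
    return findings

# Constructed sample response, trimmed to the fields used here.
SAMPLE = json.loads("""{
  "name": "charts/openshift-routes",
  "package_type": "container",
  "visibility": "private",
  "repository": {"full_name": "cert-manager/openshift-routes"}
}""")

if __name__ == "__main__":
    print(package_api_url("cert-manager", "charts/openshift-routes"))
    for finding in review_package(SAMPLE, "cert-manager/openshift-routes"):
        print("finding:", finding)
```

To run it against the live API, pass the result of `fetch_package(package_api_url(...), token)` to `review_package` instead of `SAMPLE`.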