How can I get this publish action to work?

[jcbhmr]

Hello! 👋

I am trying to create my own feature collection thing. I so far have one feature that works on my local PC with

devcontainer features test

I then also have this GitHub workflow to release it when I press the manual button in GitHub Actions

name: "Release dev container features & Generate Documentation"
on:
  workflow_dispatch:

jobs:
  deploy:
    if: ${{ github.ref == 'refs/heads/main' }}
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      packages: write
    steps:
      - uses: actions/checkout@v3

      - name: "Publish Features"
        uses: devcontainers/action@v1
        with:
          publish-features: "true"
          base-path-to-features: "./src"
          generate-docs: "true"

        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Live GitHub link to the workflow file: https://github.com/jcbhmr/devcontainer-features/blob/2bb63d027da6aab39b90f5fcfb3311f93998a3cd/.github/workflows/release.yml

It is taken straight from the https://github.com/devcontainers/feature-starter/blob/0937a6939a8c9c75a54171981fb8fc169586109b/.github/workflows/release.yaml#L1-L24 so in theory it should work flawlessly...

But it doesn't. I can't figure out why! Help would be appreciated. 🆘🙏

The error I get is:

[[20](https://github.com/jcbhmr/devcontainer-features/actions/runs/4267540990/jobs/7429251355#step:3:21)[23](https://github.com/jcbhmr/devcontainer-features/actions/runs/4267540990/jobs/7429251355#step:3:24)-02-[25](https://github.com/jcbhmr/devcontainer-features/actions/runs/4267540990/jobs/7429251355#step:3:26)T01:03:16.234Z] Packaging feature collection...
[2023-02-25T01:03:16.237Z] Processing feature: deno...
[2023-02-25T01:03:16.253Z] Packaged 1 features!
[2023-02-25T01:03:16.254Z] Processing feature: deno...
[2023-02-25T01:03:16.254Z] Fetching published versions...
[2023-02-25T01:03:16.596Z] (!) WARNING: Version 1.0.1 already exists, skipping 1.0.1...
[2023-02-25T01:03:16.596Z] Publishing collection metadata...
[2023-02-25T01:03:16.598Z] sha256:ec9cf5ca72767dfd9aa3381cf49d52e6cb2e35ce2508356e42a17411b67cf7ec (size: 733)
[2023-02-25T01:03:16.598Z] Computed Content-Digest ->  sha256:d07b9ac1728171d0dfd50c7de207bf9f1ec70b6dfb1a73448d54ee6f1a748a00 (size: 64)
[2023-02-25T01:03:16.965Z] https://ghcr.io/v2/jcbhmr/devcontainer-features/blobs/uploads/: Unexpected status code '403' 
{
    "errors": [
        {
            "code": "DENIED",
            "message": "permission_denied: write_package"
        }
    ]
}
[2023-02-25T01:03:16.965Z] Failed to get upload session ID
[2023-02-25T01:03:16.965Z] (!) ERR: Failed to publish collection metadata: devcontainer-collection.json
[2023-02-25T01:03:16.965Z] (!) ERR: Failed to publish 'ghcr.io/jcbhmr/devcontainer-features'
Error: The process '/usr/local/bin/devcontainer' failed with exit code 1
Error: (!) Failed to publish Features.

Here's a link to the action workflow failure itself: https://github.com/jcbhmr/devcontainer-features/actions/runs/4267540990/jobs/7429251355

Does it have something to do with the new fancy restricted permissions that GitHub actions tokens are given? Is it an error on my end?

Previously, GitHub Actions gets a GITHUB_TOKEN with both read/write permissions by default whenever Actions is enabled on a repository.
As a default, this is too permissive, so to improve security we would like to change the default going forward to a read-only token. You can still flip it to read/write if needed.
This change will not impact any existing enterprises, organizations or repositories. Here is how the defaults are set going forward.

• Enterprises: New enterprises will have read-only token.
• Organizations owned by Enterprise: New organizations will inherit the permissions from parent enterprise.
• Organizations not owned by Enterprise: New organizations will have read-only token.
• Repositories owned by organization: New repositories will inherit permissions from parent organization.
• Repositories owned by personal account: New repositories will have read-only token.

— https://github.blog/changelog/2023-02-02-github-actions-updating-the-default-github_token-permissions-to-read-only/

Here's the docs on how to specify perms: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs

/related devcontainers-community/features#2

[Chuxel]

/cc @joshspicer @samruddhikhandale who are the experts on this Action.

[samruddhikhandale]

Hi 👋

Does it have something to do with the new fancy restricted permissions that GitHub actions tokens are given? Is it an error on my end?

Repositories owned by personal account: New repositories will have read-only token.

That seems about right to me, the workflow uses GITHUB_TOKEN which needs packages:write permission. Looks like the permission was automatically added to the workflow's GITHUB_TOKEN until the recent policy change.

@jcbhmr Can you create a PAT with repo and write:packages, add it as a Action secret to your jcbhmr/devcontainer-features repo. Then, use it in your workflow here? That should help fix the issue for you. Thanks!

[samruddhikhandale]

Interesting, I had no trouble with the GITHUB_TOKEN, Features were published fine. 🤔
https://github.com/samruddhikhandale/test-feature-starter/actions/runs/4316776417/jobs/7532991974#step:3:50

[jcbhmr]

I did some tests and I think I figured it out:

When you generate from the devcontainer/feature-starter you inherit the old permissions token settings. This means that the packages: write still works! https://github.com/jcbhmr/devcontainer-features2/actions/runs/4317725262

When you create a brand-new repo without a "generated from" then you get the new permissions stuff, and it doesn't work! https://github.com/jcbhmr/devcontainer-features3/actions/runs/4317740627

Does this seem to be reflected on your end?

[samruddhikhandale]

When you generate from the devcontainer/feature-starter you inherit the old permissions token settings

Hah, when I said things worked, I did create it directly using the Template. So, that could make sense!

[jcbhmr]

Maybe if you do something like:

name: "Release dev container features & Generate Documentation"
on:
  workflow_dispatch:

jobs:
  deploy:
    if: ${{ github.ref == 'refs/heads/main' }}
    runs-on: ubuntu-latest
    permissions: write-all
    # 🔺
    steps:
      - uses: actions/checkout@v3

      - name: "Publish Features"
        uses: devcontainers/action@v1
        with:
          publish-features: "true"
          base-path-to-features: "./src"
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

???

[jcbhmr]

This worked in one test case, but I can't reproduce it on my own repo... 😢

[jcbhmr]

In the end, I just ended up generating my repo from the feature-starter repo and resigning myself to always having the "generated by ..." blue text there. I guess it's not so bad. But yeah idk what the root cause is. Some permission thing or magic or something.