[bug]: pushing the first image to github registry from local machine breaks the pipelines

[LucaLanziani]

When pushing an image from local using something like:

initium onbranch --stop-on-push

The resulting package will not be associated with the repo causing the pipelines to fail with:

Failed with denied: permission_denied: write_package

This behaviour could be fixed associating the repository with the package using the appropriate label https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#labelling-container-images

We have to test this option and if it works add the label to the docker files if we are pushing to github.

[mablanco]

In order to recreate this bug I've removed the whole package from my test repository.

I've added the opencontainers.org to the Dockerfile but it doesn't work when run from an Action (see https://github.com/mablanco/initium-nodejs-demo-app/actions/runs/6945262487/job/18894207816?pr=3#step:4:218).

[mablanco]

However, Github recognizes a properly labeled image pushed from the CLI as a package belonging to the repo. Then any images that were previously uploaded to the repo's registry (even without labels) appear in the package repository.

Even then, the workflow keeps on failing (see https://github.com/mablanco/initium-nodejs-demo-app/actions/runs/6955880255/job/18925574420?pr=3#step:4:210).

[mablanco]

I've created a new repository and initialized it with Initium. After trying with a couple of different branches and PRs, all tests were successful and each pipeline was able to push the Docker image it built.

[mablanco]

So I started comparing the package manager of both repositories and I got the following main difference.

Failing repo

Working repo

As can be seen in the above screenshots, both package managers are already assigning the proper org.opencontainers label to the pushed images. However, the failing repo lacks privileges for repository access, while the working one has Admin role privileges assigned.

So my theory is that this issue is happening in repositories that may have been manually modified (as I did deleting the whole package in GitHub) or have been created with an old version of Initium, as the latest one doesn't show the problem. I'm going to manually assign the Write role for repository access in the failing repo and check if the pipelines work again.

[mablanco]

Yes, it has worked! (see https://github.com/mablanco/initium-nodejs-demo-app/actions/runs/6955880255/job/18926680865#step:4:232). This also means that we only need to assign Write privileges.

I'm going to close the PR and move to ticket to the Waiting for review column.

[dublx]

Lots of new things for me to learn on GitHub but your comment makes sense.