401 Unauthorized during copa action #16

Closed
BartoszBrodzinski-TomTom opened this issue Sep 29, 2023 · 15 comments

@BartoszBrodzinski-TomTom

Hi, I'm trying to use the copa-action for images that I store in GHCR.

Copa patch action fails with:

```
time="2023-09-29T08:41:30Z" level=info msg="trying next host" error="failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://ghcr.io/token?scope=repository%3Amy-login%2Fmy-app%3Apull&service=ghcr.io: 401 Unauthorized" host=ghcr.io
Error: failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://ghcr.io/token?scope=repository%3Amy-login%2Fmy-app%3Apull&service=ghcr.io: 401 Unauthorized
```

Of course, I've added the docker login action at the top of the workflow and the image downloads successfully.

```yaml
- name: Log into registry ${{ env.REGISTRY }}
  uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
  with:
    registry: ghcr.io
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }}
```

@ashnamehrotra
Contributor

@BartoszBrodzinski-TomTom can you check the visibility of the image you are trying to pull? You can try adding a step before the copa action to check that you have access.

@zhangchl007

I got the same issue:

```
time="2023-11-13T16:22:40Z" level=info msg="trying next host" error="failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://.azurecr.io/oauth2/token?scope=repository%3Aredisdemo%3Apull&service=.azurecr.io: 401 Unauthorized" host=***.azurecr.io
```

@ashnamehrotra
Contributor

@zhangchl007 can you try the same as the comment above to ensure you have access?

@zhangchl007

zhangchl007 commented Nov 14, 2023

> @zhangchl007 can you try the same as the comment above to ensure you have access?

Please refer to the error msg info below. The image is here locally, not sure why it still tries to pull the image.

[image]

@ashnamehrotra
Contributor

@zhangchl007 Currently, Copa does not use the local image if it is present. We are working on this feature and it should be available in the next Copa release. In order to patch this image through the copa-action right now, you need to make sure there is access to pull.

@zhangchl007

> @zhangchl007 Currently, Copa does not use the local image if it is present. We are working on this feature and it should be available in the next Copa release. In order to patch this image through the copa-action right now, you need to make sure there is access to pull.

These are the steps. I already logged in to the registry repo. Why does it still report this login issue?

```bash
sudo nohup ./buildkitd &
popd
sleep 5
docker login ${{ env.REGISTRY_NAME }}.azurecr.io -u ${{ secrets.REGISTRY_USERNAME }} -p ${{ secrets.REGISTRY_PASSWORD }}
docker image ls
sudo ./copa patch -i ${{ env.REGISTRY_NAME }}.azurecr.io/${{ env.APP_NAME }}:dev -r report.json -t dev-1
```

@zhangchl007

@ashnamehrotra it's my fault, I fixed this issue. We need to log in to Docker with privileged permission.

@sozercan
Member

sozercan commented Nov 15, 2023

@zhangchl007 do you think any of copa docs can be improved to make sure others don't run into the same issue?

@zhangchl007

zhangchl007 commented Nov 25, 2023

> @zhangchl007 do you think any of copa docs can be improved to make sure others don't run into the same issue?

@sozercan
We must make sure the user logs in to the container registry and performs copa patching under the same User namespace. The problem we faced was logging in to the container registry as the regular user but performing copa patching as the privileged user via "sudo".
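
A preflight check for the mismatch described in the comment above, as an added example that is not part of the original thread or the Copa project's code: it resolves which Docker client config file an environment points at and whether that file holds credentials for the registry. It assumes credentials live in the standard Docker CLI config (`$DOCKER_CONFIG`, else `$HOME/.docker/config.json`) and that `sudo` switches `HOME` to root's home, which depends on sudoers policy; the registry name, paths and password are constructed.

```python
import base64
import json
import os
import tempfile


def docker_config_path(env):
    """File the Docker CLI config loader reads: $DOCKER_CONFIG, else $HOME/.docker."""
    base = env.get("DOCKER_CONFIG") or os.path.join(env.get("HOME", "/"), ".docker")
    return os.path.join(base, "config.json")


def credential_source(env, registry):
    """Where credentials for `registry` would come from in this environment,
    or None, in which case the client can only ask for an anonymous token."""
    try:
        with open(docker_config_path(env), encoding="utf-8") as fh:
            cfg = json.load(fh)
    except (OSError, json.JSONDecodeError):
        return None
    if registry in cfg.get("credHelpers", {}):
        return "credHelpers"
    entry = cfg.get("auths", {}).get(registry)
    if entry is None:
        return None
    if entry.get("auth") or entry.get("identitytoken"):
        return "auths"
    # With a credential store, `docker login` leaves an empty entry here.
    return "credsStore" if cfg.get("credsStore") else None


def demo():
    registry = "example.azurecr.io"  # constructed registry name
    with tempfile.TemporaryDirectory() as tmp:
        runner_home = os.path.join(tmp, "home", "runner")  # user that ran `docker login`
        root_home = os.path.join(tmp, "root")              # HOME seen under `sudo` (assumed)
        os.makedirs(os.path.join(runner_home, ".docker"))
        os.makedirs(root_home)
        auth = base64.b64encode(b"user:constructed-password").decode()
        with open(docker_config_path({"HOME": runner_home}), "w", encoding="utf-8") as fh:
            json.dump({"auths": {registry: {"auth": auth}}}, fh)
        return {
            "runner": credential_source({"HOME": runner_home}, registry),
            "root": credential_source({"HOME": root_home}, registry),
        }


if __name__ == "__main__":
    for user, source in demo().items():
        print(f"{user}: {source or 'no credentials, anonymous pull only'}")
```

Run as the same user and with the same environment as the patch step, a `None` result for the target registry predicts the anonymous-token 401 seen in the logs above.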

@sozercan
Member

@ashnamehrotra for local images, we can document https://github.com/crazy-max/ghaction-setup-docker#daemon-configuration to set up containerd image store

@ealasgarov

There's a very important piece of information missing when it comes to ACR (Azure Container Registry): in the registry configuration you need to set the key:

```
anonymous_pull_enabled = true
```

Otherwise copa won't be able to connect.

@sozercan
Member

@ealasgarov that is correct today. After #37 merges, you'll be able to connect to private registries.

@bart-brodz

I still get the 401 error:

```
#1 ERROR: failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://ghcr.io/token?scope=repository%3Abart-brodz%2Fmy-image%3Apull&service=ghcr.io: 401 Unauthorized
```

I use docker login action as follows:

```yaml
- name: Log into registry
  id: login
  uses: docker/login-action@v3
  with:
    registry: ghcr.io
    username: ${{ github.actor }}
    password: ${{ secrets.GITHUB_TOKEN }}

- name: Pull docker image
  if: steps.login.conclusion == 'success'
  run: |
    docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.build.outputs.new_version }}
```

And the image is fetched successfully.

My job in the workflow file has the following permissions:

```yaml
vulnerabilities:
  needs: build
  name: Scan for vulnerabilities and patch
  runs-on: ubuntu-latest
  permissions:
    contents: write
    packages: write
```

On the other hand, when I make my container registry public in GH settings, everything works correctly.

@ashnamehrotra
Contributor

Hi @bart-brodz we haven't yet merged the change that allows for patching local/private images. We are waiting on another copa release before merging #37 which should be done today.

@ashnamehrotra
Contributor

@bart-brodz The new copa action v1.2.0 is released. Using this with copa v0.6.1 will allow you to patch local/private images.
