#Has anyone successfully been able to

Should work fine I believe! Does the GitHub token have permissions to push to ghcr?

Yes.. I believe the reason is that dagger is using Basic Auth and the Github API does not support that, i think..
I will make a test repository to test it our.

In dagger it works the same as docker login does, which is supported in github docs! But the token must have write:packages to push. More here https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry#authenticating-to-the-container-registry

@edgy wedge I made an example. This is the way I would expect to configure it.

      - uses: dagger/dagger-for-github@8.0.0
        name: publish
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_ACTOR: ${{ github.actor }}
        with:
          call: publish-image --gh-user env://GH_ACTOR --gh-token env://GH_TOKEN
          cloud-token: ${{ secrets.DAGGER_CLOUD_TOKEN }}
          version: "latest"

func (m *AuthTest) PublishImage(ctx context.Context, ghUser string, ghToken *dagger.Secret) (string, error) {
  return dag.Container().
    From("alpine:latest").
    WithLabel("org.opencontainers.image.source", "https://github.com/kerwood/dagger-ghcr-auth-test").
    WithRegistryAuth("ghcr.io", ghUser, ghToken).
    Publish(ctx, "ghcr.io/kerwood/dagger-ghcr-auth-test:latest")
}

https://github.com/Kerwood/dagger-ghcr-auth-test
https://github.com/Kerwood/dagger-ghcr-auth-test/actions/runs/16747698177/job/47410070073

If anyone what to test something out, the workflow is triggered by any PR.

It looks like whats happening is that the ghUser argument is a string, not a Secret, but its passed as env://GH_ACTOR, which is being taken literally as the string. https://github.com/Kerwood/dagger-ghcr-auth-test/actions/runs/16747698177/job/47410070073#step:3:502
so you could change the argument to be a Secret or change the invocation to use $GH_ACTOR

Of course...
Changed it to:

call: publish-image --gh-user ${{ github.actor }} --gh-token env://GH_TOKEN

And this looks better: https://github.com/Kerwood/dagger-ghcr-auth-test/actions/runs/16771608234/job/47487839219#step:3:493
But Im still getting the 403 error.

Interesting, everything looks like it should be right 🤔 I'll try some things on one of my repos and get back to you!

ok yeah worked on my end https://github.com/kpenfound/github-webhooks/actions/runs/16792109290/job/47555622680#step:3:424
this sounds silly, but I think the image address might be case sensitive https://github.com/Kerwood/dagger-ghcr-auth-test/blob/main/main.go#L31 so it should be Publish(ctx, "ghcr.io/Kerwood/dagger-ghcr-auth-test:latest") (capital K)

The thing is that if I run dagger locally from my laptop with dagger -c 'publish-image kerwood cmd://"gh auth token"' it works as intended.
I tried changing the case on the 'k' but that ended in with this error failed to push ghcr.io/Kerwood/dagger-ghcr-auth-test:latest: invalid reference format: repository name (Kerwood/dagger-ghcr-auth-test) must be lowercase

https://github.com/Kerwood/dagger-ghcr-auth-test/actions/runs/16802731649/job/47587662312#step:3:504

I copy/pasted your exact workflow and it fails as well.
https://github.com/Kerwood/dagger-ghcr-auth-test/actions/runs/16802927150/job/47588289130

Same 403 error

Turns out Im an idiot.. Apparently you need to give the repo actions/workflows access to the package registry. Adding the permissions.packages: write property to your workflow file is not enough.
I am sorry for have wasted your time on an issue not related to Dagger.

But thank you for your help figuring it out 🙂