At work, I’m using skaffold to deploy a helm chart which references a ghcr.io repository. Here’s the stanza I’m looking at:
apiVersion: skaffold/v3
kind: Config
deploy:
helm:
releases:
- name: {package}
remoteChart: oci://ghcr.io/{owner}/{package}
This is the first time I’ve tried to deploy this chart, and I kept getting this message:
No tags generated
Starting test...
Starting deploy...
Helm release {package} not installed. Installing...
Error: INSTALLATION FAILED: failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://ghcr.io/token?scope=repository%3A{owner}%2F{package}%3Apull&scope=repository%3Auser%2Fimage%3Apull&service=ghcr.io: 403 Forbidden
deploying "{package}": install: exit status 1I thought this might have been an issue with the skaffold file, so I tried running this directly with helm:
$ helm pull oci://ghcr.io/{owner}/{package}
Error: failed to authorize: failed to fetch anonymous token: unexpected status from GET request to https://ghcr.io/token?scope=repository%3A{owner}%2F{package}%3Apull&scope=repository%3Auser%2Fimage%3Apull&service=ghcr.io: 403 Forbidden
Huh, that looks a bit familiar. I spent a little while checking to see whether this was something at the Kubernetes cluster, or if it was just me, and ended up finding this nugget (thanks to a steer from this post)
$ gh auth token | helm registry login ghcr.io -u "$(gh auth status --jq '.hosts."github.com"[0].login' --json hosts)" --password-stdin
Login SucceededAnd now it works!
helm pull oci://ghcr.io/{owner}/{package}
Pulled: ghcr.io/{owner}/{package}:1.2.3
Digest: sha256:decafbad1234567890aabbccddeeffdeadbeefbadbadbadbad12345678901234
[Late edit: 2026-02-09] I noticed that I could just ask gh to tell me what my username was… which makes life just a touch easier! π helm registry login command updated!
Featured image is βhelmβ by β23 dingen voor museaβ on Flickr and is released under a CC-BY-SA license.
