BUILDKIT_AUTH_FAIL
cicd
auth_error
ai_generated
partial
ERROR: failed to solve: failed to fetch oauth token: unexpected status from POST request to https://ghcr.io/token: 401 Unauthorized
ID: cicd/docker-buildkit-ssh-auth-fail
Fix Rate: 78%
Confidence: 84%
Evidence: 1
First Seen: 2024-03-20
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Docker 24.0 | active | — | — | — |
| Docker 25.0 | active | — | — | — |
| BuildKit v0.12 | active | — | — | — |
| Docker Desktop 4.25 | active | — | — | — |
Root Cause
Docker BuildKit fails to authenticate with a container registry (e.g., GitHub Container Registry) because the SSH agent forwarding or registry credentials are not properly configured for the build context.
Official Documentation
https://docs.docker.com/build/ci/github-actions/#authentication
Workarounds
- 85% success: Pass registry credentials via Docker BuildKit secrets with the --secret flag: docker build --secret id=gh_token,env=GITHUB_TOKEN -t myimage . (with GITHUB_TOKEN set in the environment of the docker build command) and use RUN --mount=type=secret,id=gh_token in Dockerfile to authenticate.
- 80% success: Use DOCKER_AUTH_CONFIG environment variable with a base64-encoded JSON config for the registry, which BuildKit reads automatically.
- 75% success: Configure a .docker/config.json file in the build context with the registry credentials, ensuring it is not exposed in the final image by using a .dockerignore.
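Added example, not part of the original page: a shell sketch of the registry config that the second and third workarounds refer to, built so that the token is neither corrupted by a trailing newline nor left world-readable. The function names and sample values are assumptions made for illustration; the base64-wrapped form follows the page's description of DOCKER_AUTH_CONFIG.

```shell
#!/bin/sh
# Added example. All credentials below are constructed placeholders.

# b64: base64-encode stdin onto one line (GNU base64 wraps at 76 columns).
b64() { base64 | tr -d '\n'; }

# registry_auth USER TOKEN -> value of the "auth" field: base64("user:token").
# printf '%s' is used instead of echo: echo appends a newline, the decoded
# password then ends in "\n", and it no longer matches the real token.
registry_auth() {
    printf '%s:%s' "$1" "$2" | b64
}

# auth_config_json REGISTRY USER TOKEN -> config.json document for one registry.
# Assumes REGISTRY is a plain hostname (no quotes or backslashes to escape).
auth_config_json() {
    printf '{"auths":{"%s":{"auth":"%s"}}}' "$1" "$(registry_auth "$2" "$3")"
}

# write_docker_config DIR REGISTRY USER TOKEN -> DIR/config.json, owner-only.
# umask 077 is set in a subshell so the file is never created group/world
# readable, and the caller's umask is left untouched.
write_docker_config() {
    ( umask 077
      mkdir -p "$1" &&
      auth_config_json "$2" "$3" "$4" > "$1/config.json" )
}

# encoded_auth_config REGISTRY USER TOKEN -> the whole JSON, base64-encoded,
# i.e. the form the page describes for DOCKER_AUTH_CONFIG.
encoded_auth_config() {
    auth_config_json "$1" "$2" "$3" | b64
}

# Demo with constructed, non-working values.
auth_config_json ghcr.io example-user CONSTRUCTED_TOKEN
echo
```

Base64 is an encoding, not encryption: treat the encoded value and the written file as the token itself when deciding where they may be stored or logged.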
Dead Ends
Common approaches that don't work:
- 70% fail: The issue is authentication, not cache. Pruning removes cached layers but does not provide credentials.
- 75% fail: --no-cache only skips layer caching; it does not inject credentials into the build context.
- 80% fail: BuildKit may not inherit the Docker CLI credentials; it uses its own credential helpers.