# ERROR: failed to solve: failed to fetch oauth token: unexpected status from POST request to https://ghcr.io/token: 401 Unauthorized - **ID:** `cicd/docker-buildkit-ssh-auth-fail` - **Domain:** cicd - **Category:** auth_error - **Error Code:** `BUILDKIT_AUTH_FAIL` - **Verification:** ai_generated - **Fix Rate:** 78% ## Root Cause Docker BuildKit fails to authenticate with a container registry (e.g., GitHub Container Registry) because the SSH agent forwarding or registry credentials are not properly configured for the build context. ## Version Compatibility | Version | Status | Introduced | Deprecated | |---------|--------|------------|------------| | Docker 24.0 | active | — | — | | Docker 25.0 | active | — | — | | BuildKit v0.12 | active | — | — | | Docker Desktop 4.25 | active | — | — | ## Workarounds 1. **Pass registry credentials via Docker BuildKit secrets or --secret flag: echo $GITHUB_TOKEN | docker build --secret id=gh_token,env=GITHUB_TOKEN -t myimage . and use RUN --mount=type=secret,id=gh_token in Dockerfile to authenticate.** (85% success) ``` Pass registry credentials via Docker BuildKit secrets or --secret flag: echo $GITHUB_TOKEN | docker build --secret id=gh_token,env=GITHUB_TOKEN -t myimage . and use RUN --mount=type=secret,id=gh_token in Dockerfile to authenticate. ``` 2. **Use DOCKER_AUTH_CONFIG environment variable with a base64-encoded JSON config for the registry, which BuildKit reads automatically.** (80% success) ``` Use DOCKER_AUTH_CONFIG environment variable with a base64-encoded JSON config for the registry, which BuildKit reads automatically. ``` 3. **Configure a .docker/config.json file in the build context with the registry credentials, ensuring it is not exposed in the final image by using a .dockerignore.** (75% success) ``` Configure a .docker/config.json file in the build context with the registry credentials, ensuring it is not exposed in the final image by using a .dockerignore. ``` ## Dead Ends - **** — The issue is authentication, not cache. Pruning removes cached layers but does not provide credentials. (70% fail) - **** — --no-cache only skips layer caching; it does not inject credentials into the build context. (75% fail) - **** — BuildKit may not inherit the Docker CLI credentials; it uses its own credential helpers. (80% fail)