BUILDKIT_AUTH_FAIL cicd auth_error ai_generated partial

错误:解析失败:获取OAuth令牌失败:向 https://ghcr.io/token 发送POST请求返回意外状态:401 未授权

ERROR: failed to solve: failed to fetch oauth token: unexpected status from POST request to https://ghcr.io/token: 401 Unauthorized

ID: cicd/docker-buildkit-ssh-auth-fail

其他格式: JSON · Markdown 中文 · English
78%修复率
84%置信度
1证据数
2024-03-20首次发现

版本兼容性

版本状态引入弃用备注
Docker 24.0 active
Docker 25.0 active
BuildKit v0.12 active
Docker Desktop 4.25 active

根因分析

Docker BuildKit 无法通过容器注册表(如 GitHub Container Registry)的身份验证,因为 SSH 代理转发或注册表凭据未在构建上下文中正确配置。

English

Docker BuildKit fails to authenticate with a container registry (e.g., GitHub Container Registry) because the SSH agent forwarding or registry credentials are not properly configured for the build context.

generic

官方文档

https://docs.docker.com/build/ci/github-actions/#authentication

解决方案

  1. Pass registry credentials via Docker BuildKit secrets or --secret flag: echo $GITHUB_TOKEN | docker build --secret id=gh_token,env=GITHUB_TOKEN -t myimage . and use RUN --mount=type=secret,id=gh_token in Dockerfile to authenticate.
  2. Use DOCKER_AUTH_CONFIG environment variable with a base64-encoded JSON config for the registry, which BuildKit reads automatically.
  3. Configure a .docker/config.json file in the build context with the registry credentials, ensuring it is not exposed in the final image by using a .dockerignore.

无效尝试

常见但无效的做法:

  1. 70% 失败

    The issue is authentication, not cache. Pruning removes cached layers but does not provide credentials.

  2. 75% 失败

    --no-cache only skips layer caching; it does not inject credentials into the build context.

  3. 80% 失败

    BuildKit may not inherit the Docker CLI credentials; it uses its own credential helpers.