# 错误：解析失败：获取OAuth令牌失败：向 https://ghcr.io/token 发送POST请求返回意外状态：401 未授权

- **ID:** `cicd/docker-buildkit-ssh-auth-fail`
- **领域:** cicd
- **类别:** auth_error
- **错误码:** `BUILDKIT_AUTH_FAIL`
- **验证级别:** ai_generated
- **修复率:** 78%

## 根因

Docker BuildKit 无法通过容器注册表（如 GitHub Container Registry）的身份验证，因为 SSH 代理转发或注册表凭据未在构建上下文中正确配置。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| Docker 24.0 | active | — | — |
| Docker 25.0 | active | — | — |
| BuildKit v0.12 | active | — | — |
| Docker Desktop 4.25 | active | — | — |

## 解决方案

1. ```
   Pass registry credentials via Docker BuildKit secrets or --secret flag: echo $GITHUB_TOKEN | docker build --secret id=gh_token,env=GITHUB_TOKEN -t myimage . and use RUN --mount=type=secret,id=gh_token in Dockerfile to authenticate.
   ```
2. ```
   Use DOCKER_AUTH_CONFIG environment variable with a base64-encoded JSON config for the registry, which BuildKit reads automatically.
   ```
3. ```
   Configure a .docker/config.json file in the build context with the registry credentials, ensuring it is not exposed in the final image by using a .dockerignore.
   ```

## 无效尝试

- **** — The issue is authentication, not cache. Pruning removes cached layers but does not provide credentials. (70% 失败率)
- **** — --no-cache only skips layer caching; it does not inject credentials into the build context. (75% 失败率)
- **** — BuildKit may not inherit the Docker CLI credentials; it uses its own credential helpers. (80% 失败率)