Registry credentials for private GHCR image not applied to deploys
Anonymous
PROOP

4 days ago

Service: worker-staging (project medguide-staging, ID a7ffe817-75e2-4392-9674-7d6cfc28f998)

Deployment: 0fbca4fd-66f1-403d-8a68-ea06f4f0f60c (FAILED)

Problem:

Registry credentials (GitHub PAT) are set via Settings → Source →

Registry Credentials for a private GHCR image

(ghcr.io/medguide-group/medguide-worker:...). The UI accepts and

displays the credentials (masked dots visible, saves after clicking ✓,

persists after page reload). However, deploys consistently fail at the

"Deploy › Create container" step with:

"We were unable to connect to the registry for this image. If you

are using a private image, please make sure your credentials are

valid."

Railway's Diagnose feature confirms:

"Add a GitHub Personal Access Token with the read:packages scope in

the service's Settings under Source > Registry Credentials. The

deployment failed because Railway could not authenticate with

GitHub Container Registry to pull the private image. Either

credentials have not been configured, or the existing token has

expired or been revoked."

Ruled out:

  • PAT scope: verified via docker login ghcr.io -u <user> + `docker

    pull ghcr.io/medguide-group/medguide-worker:` succeeding locally

    with same PAT

  • PAT expired/revoked: freshly rotated PAT tested locally and still

    entered in Railway UI; still fails

  • Wrong classic/fine-grained: using Classic PAT

  • SAML SSO: Medguide-Group org has no SSO enabled

  • Plan tier: workspace is on Pro

  • Image path format: full ghcr.io/... URL

Additional data:

  • Deploy manifest returned via railway deployment list --json

    ALWAYS shows "registryCredentials": null even after fresh

    credential entries via UI + save + page reload verify

  • Attempted service source disconnect + reconnect via CLI — no effect

  • 6+ failed deploy attempts across multiple PAT rotations

Note: Railway's Registry Credentials UI for GHCR shows only a "GitHub

Access Token" field — no username field. Suspect a username derivation

issue somewhere on Railway's side (locally, docker login requires

-u <username>).

Please advise on how to correctly authenticate against private GHCR

from a Railway service, or acknowledge this as a bug in credential

storage/application.

$20 Bounty

0 Replies

Status changed to Awaiting Railway Response Railway 4 days ago


Railway
BOT

3 days ago

This thread has been opened as a public bounty so the community can help solve it. The thread and any further activity are now visible to everyone.

Status changed to Open Railway 3 days ago


Welcome!

Sign in to your Railway account to join the conversation.

Loading...