4 days ago
Service: worker-staging (project medguide-staging, ID a7ffe817-75e2-4392-9674-7d6cfc28f998)
Deployment: 0fbca4fd-66f1-403d-8a68-ea06f4f0f60c (FAILED)
Problem:
Registry credentials (GitHub PAT) are set via Settings → Source →
Registry Credentials for a private GHCR image
(ghcr.io/medguide-group/medguide-worker:...). The UI accepts and
displays the credentials (masked dots visible, saves after clicking ✓,
persists after page reload). However, deploys consistently fail at the
"Deploy › Create container" step with:
"We were unable to connect to the registry for this image. If you
are using a private image, please make sure your credentials are
valid."
Railway's Diagnose feature confirms:
"Add a GitHub Personal Access Token with the read:packages scope in
the service's Settings under Source > Registry Credentials. The
deployment failed because Railway could not authenticate with
GitHub Container Registry to pull the private image. Either
credentials have not been configured, or the existing token has
expired or been revoked."
Ruled out:
-
PAT scope: verified via
docker login ghcr.io -u <user>+ `dockerpull ghcr.io/medguide-group/medguide-worker:` succeeding locally
with same PAT
-
PAT expired/revoked: freshly rotated PAT tested locally and still
entered in Railway UI; still fails
-
Wrong classic/fine-grained: using Classic PAT
-
SAML SSO: Medguide-Group org has no SSO enabled
-
Plan tier: workspace is on Pro
-
Image path format: full ghcr.io/... URL
Additional data:
-
Deploy manifest returned via
railway deployment list --jsonALWAYS shows
"registryCredentials": nulleven after freshcredential entries via UI + save + page reload verify
-
Attempted service source disconnect + reconnect via CLI — no effect
-
6+ failed deploy attempts across multiple PAT rotations
Note: Railway's Registry Credentials UI for GHCR shows only a "GitHub
Access Token" field — no username field. Suspect a username derivation
issue somewhere on Railway's side (locally, docker login requires
-u <username>).
Please advise on how to correctly authenticate against private GHCR
from a Railway service, or acknowledge this as a bug in credential
storage/application.
0 Replies
Status changed to Awaiting Railway Response Railway • 4 days ago
3 days ago
This thread has been opened as a public bounty so the community can help solve it. The thread and any further activity are now visible to everyone.
Status changed to Open Railway • 3 days ago