I try to build and push the Docker image to GHCR (GitHub Container Registry). Unfortunately, during the login process with the docker/login-action@v1 action, which uses a GITHUB_TOKEN as a password, I received an error.

    Error: Error response from daemon: Get "https://ghcr.io/v2/": denied: denied

The entire workflow YAML manifest:

    name: Docker CI
    on:
      push:
        branches: [ main ]
      pull_request:
        branches: [ main ]
    jobs:
      build-push:
        name: Build and push Docker image to GitHub Container registry
        runs-on: ubuntu-latest
        permissions:
          packages: write
          contents: read
        steps:
          - name: Checkout the repository
            uses: actions/checkout@v2
          - name: Login to GitHub Container registry
            env:
              GITHUB_USER: ${{ github.actor }}
              GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
            uses: docker/login-action@v1
            with:
              registry: ghcr.io
              username: $GITHUB_USER
              password: $GITHUB_TOKEN
          - name: Build and Push Docker Image
            env:
              REGISTRY: ghcr.io
              OWNER: my-organization-name
              IMAGE_NAME: ${{ github.repository }}
            uses: docker/build-push-action@v2
            with:
              context: .
              file: ./docker/Dockerfile
              target: final
              push: true
              tags: |
                $REGISTRY/$OWNER/$IMAGE_NAME:$(date +%s)
              build-args: |
                ENVIRONMENT=production

UPDATES

Set up job stage:

    Current runner version: '2.285.1'
    Operating System
      Ubuntu
      20.04.3
      LTS
    Virtual Environment
      Environment: ubuntu-20.04
      Version: 20211219.1
      Included Software: https://github.com/actions/virtual-environments/blob/ubuntu20/20211219.1/images/linux/Ubuntu2004-README.md
      Image Release: https://github.com/actions/virtual-environments/releases/tag/ubuntu20%2F20211219.1
    Virtual Environment Provisioner
      1.0.0.0-main-20211214-1
    GITHUB_TOKEN Permissions
      Contents: read
      Metadata: read
      Packages: write
    Secret source: Actions
    Prepare workflow directory
    Prepare all required actions
    Getting action download info
    Download action repository 'actions/checkout@v2' (SHA:ec3a7ce113134d7a93b817d10a8272cb61118579)
    Download action repository 'docker/login-action@v1' (SHA:42d299face0c5c43a0487c477f595ac9cf22f1a7)
    Download action repository 'docker/build-push-action@v2' (SHA:a66e35b9cbcf4ad0ea91ffcaf7bbad63ad9e0229)

Login to GitHub Container registry stage:

    Run docker/login-action@v1
      with:
        registry: ghcr.io
        username: $GITHUB_USER
        password: $GITHUB_TOKEN
        ecr: auto
        logout: true
      env:
        GITHUB_USER: my-github-username
        GITHUB_TOKEN: ***
    Logging into ghcr.io...
    Error: Error response from daemon: Get "https://ghcr.io/v2/": denied: denied

NOTE

The repository I work with is private and belongs to the organization that I'm founding.

The GitHub documentation says that it is recommended to use GITHUB_TOKEN instead of a PAT. https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-container-registry

To authenticate to the Container registry within a GitHub Actions workflow, use the GITHUB_TOKEN for the best security and experience. If your workflow is using a personal access token (PAT) to authenticate to ghcr.io, then we highly recommend you update your workflow to use the GITHUB_TOKEN.

The issue is trying to use an environment variable GITHUB_TOKEN as a password to which a secret ${{ secrets.GITHUB_TOKEN }} was assigned.

Since the secret ${{ secrets.GITHUB_TOKEN }} is assigned directly to the password, everything works fine.

    name: Docker CI
    on:
      push:
        branches: [ main ]
      pull_request:
        branches: [ main ]
    jobs:
      build-push:
        name: Build and push Docker image to GitHub Container registry
        runs-on: ubuntu-latest
        permissions:
          packages: write
          contents: read
        steps:
          - name: Checkout the repository
            uses: actions/checkout@v2
          - name: Login to GitHub Container registry
            uses: docker/login-action@v1
            env:
              GITHUB_USER: ${{ github.actor }}
              GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
            with:
              registry: ghcr.io
              username: $GITHUB_USER
              password: ${{ secrets.GITHUB_TOKEN }}
          - name: Build and Push Docker Image
            env:
              REGISTRY: ghcr.io
              OWNER: my-organization-name
              IMAGE_NAME: ${{ github.repository }}
            uses: docker/build-push-action@v2
            with:
              context: .
              file: ./docker/Dockerfile
              target: final
              push: true
              tags: |
                $REGISTRY/$OWNER/$IMAGE_NAME:$(date +%s)
              build-args: |
                ENVIRONMENT=production

Using env is still possible but the syntax is different. Instead of this assignment

    password: $GITHUB_TOKEN

This one should be used

    password: ${{ env.GITHUB_TOKEN }}

If I understand it correctly, the first syntax can be used inside a workflow runner. In other cases in a workflow file the env context should be used.

https://docs.github.com/en/actions/learn-github-actions/environment-variables
To use the value of an environment variable in a workflow file, you should use the env context. If you want to use the value of an environment variable inside a runner, you can use the runner operating system's normal method for reading environment variables.
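
A small check for the mistake described in the answer, as an added example that is not part of the original post: it scans workflow text for with: inputs containing shell-style references ($NAME, ${NAME}, $(command)), which an action receives as literal text. It generalizes from the password input to every with: input; the function name and the sample steps are constructed for illustration.

```python
import re

EXPR = re.compile(r"\$\{\{.*?\}\}")  # GitHub expressions, evaluated before the action runs
# Shell-style references: never expanded inside a `with:` block.
SHELL_REF = re.compile(r"\$(?:[A-Za-z_]\w*|\{[A-Za-z_]\w*\}|\([^)]*\))")

def find_unexpanded_inputs(workflow_text):
    """Return (line_number, text) for each line under a `with:` key that
    contains a shell-style reference."""
    findings = []
    with_indent = None  # indentation of the enclosing `with:` key, if any
    for number, raw in enumerate(workflow_text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        if with_indent is not None and indent <= with_indent:
            with_indent = None  # dedent: the with: block has ended
        if with_indent is None:
            if stripped == "with:":
                with_indent = indent
            continue
        if SHELL_REF.search(EXPR.sub("", stripped)):
            findings.append((number, stripped))
    return findings

# Constructed sample modelled on the steps in the question and the answer.
SAMPLE = """\
- name: Login (inputs as in the question)
  uses: docker/login-action@v1
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  with:
    registry: ghcr.io
    username: $GITHUB_USER
    password: $GITHUB_TOKEN
- name: Login (password as a secrets expression)
  uses: docker/login-action@v1
  with:
    password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push
  uses: docker/build-push-action@v2
  with:
    tags: |
      $REGISTRY/$OWNER/$IMAGE_NAME:$(date +%s)
"""

if __name__ == "__main__":
    for number, text in find_unexpanded_inputs(SAMPLE):
        print(f"line {number}: literal value passed to action: {text}")
```
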