Validating packer templates with GitHub Actions

Validating packer templates with GitHub Actions
Photo by Roman Synkevych / Unsplash

I setup a GitHub Action for my packer-aws-windows-openssh project last month and it was working pretty well until a recent job failed with this:

Run packer init ./aws-windows-ssh.pkr.hcl
Failed getting the "" plugin:
1 error occurred:
	* Plugin host rate limited the plugin getter. Try again in 43m44.793174231s.
HINT: Set the PACKER_GITHUB_API_TOKEN env var with a token to get more requests.
GET 403 API rate limit exceeded for (But here's the good news: Authenticated requests get a higher rate limit. Check out the documentation for more details.) [rate reset in 43m45s]

This happened during the packer init part of my GitHub action. The packer init command queries GitHub's public API, which rate limits requests per IP address. With GitHub actions, it's quite easy to hit this limit. The packer doc mentions setting PACKER_GITHUB_API_TOKEN but it doesn't get into specifics. Outside of GitHub actions, like running this from your local laptop, you'd probably not hit this issue at all

Fortunately, setting this up in an GitHub Action is fairly easy and you don't need to manually create token, you just set PACKER_GITHUB_API_TOKEN to ${{ secrets.GITHUB_TOKEN }} :


GitHub automatically creates a token for you, called GITHUB_TOKEN, which you can use in your workflow. You would put the above two lines at the top of your action, right before jobs:. Here's a full example of my GitHub action so you can see it in context:

name: Validate packer templates



    runs-on: ubuntu-latest
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup `packer`
        uses: hashicorp/setup-packer@v3
        id: setup

      - name: Run `packer init`
        id: init
        run: "packer init ./aws-windows-ssh.pkr.hcl"

      - name: Run `packer validate`
        id: validate
        run: "packer validate ./aws-windows-ssh.pkr.hcl"

Once PACKER_GITHUB_API_TOKEN is set in your action, you shouldn't see the rate limit error anymore.