ci: scheduled prune of untagged GHCR staging digests #40
Merged
Per-arch builds in docker-ci.yml push by digest to ghcr.io/kingpin/php-docker and accumulate as untagged versions over time. dataaxiom/ghcr-cleanup-action removes children of live manifest lists from its working set before pruning, so per-arch digests referenced by current tags remain safe. Starts in dry-run mode; window is 28 days to survive a couple of missed weekly builds. Closes #39
Pull request overview
Adds a new scheduled GitHub Actions workflow that prunes untagged digests from the ghcr.io/kingpin/php-docker staging package using dataaxiom/ghcr-cleanup-action@v1, addressing the accumulation of per-arch staging digests left behind by the publish pipeline. The workflow runs weekly (Wednesdays at 05:00 UTC, the day after the weekly build), supports manual workflow_dispatch, and ships in dry-run mode so the first execution only logs intended deletions.
Changes:
- New scheduled workflow with older-than: 28d retention buffer and concurrency guard.
- workflow_dispatch input exposes a dry-run boolean (default true) for manual verification.
- Uses dataaxiom/ghcr-cleanup-action@v1 with delete-untagged: true and packages: write permissions only.
| package: php-docker | ||
| delete-untagged: true | ||
| older-than: 28d | ||
| dry-run: ${{ github.event_name == 'workflow_dispatch' && inputs.dry-run || true }} |
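Review bot: The dry-run expression on the last line of this hunk can never evaluate to false. On a manual dispatch with the box unchecked, `github.event_name == 'workflow_dispatch' && inputs.dry-run` is false, so the trailing `|| true` takes over and the run is still a dry run; the input toggle has no effect. Suggest `${{ github.event_name != 'workflow_dispatch' || inputs.dry-run }}`, which keeps non-dispatch (scheduled) runs in dry-run mode and passes the dispatch input through unchanged. The current form fails towards not deleting, which is the safe direction with delete-untagged: true, but the toggle should be verified to work before the scheduled default is changed.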
Previous expression had the classic A && B || C pitfall — dispatching with dry-run unchecked still evaluated to true, so the input toggle was inert. Invert the event check so the || branch only fires for non-dispatch events.
Summary
- .github/workflows/ghcr-prune.yml: weekly scheduled prune (Wed 05:00 UTC, day after the weekly build) of untagged versions on the ghcr.io/kingpin/php-docker package.
- dataaxiom/ghcr-cleanup-action@v1. Its cleanup algorithm removes children of live manifest lists from the working set before applying any deletion rule, so the per-arch digests referenced by current tags are not at risk even though they appear untagged.
- older-than: 28d keeps a comfortable buffer if the weekly build is red for a week or two.
- dry-run: true so the first scheduled run logs intended deletions without executing them. Manual workflow_dispatch exposes a dry-run boolean (defaults to true).

Closes #39
Test plan
- workflow_dispatch with the default dry-run: true and confirm the run summary lists only stale untagged digests (no children of live tagged manifest lists).
- docker pull ghcr.io/kingpin/php-docker:<tag> still resolves after the dry run (no-op, but sanity check).
- dry-run to false in a follow-up commit once the dry-run output looks correct.
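
The protection the Summary relies on, as an added example that is not part of this PR or of the action's own code: a simplified Python model of pruning with delete-untagged and older-than, in which children of tagged manifest lists leave the working set before any rule is applied. The Version class, plan_prune, the digest strings and the 8.3 tag are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Version:
    digest: str
    updated: datetime
    tags: list = field(default_factory=list)
    children: list = field(default_factory=list)  # digests a manifest list references


def plan_prune(versions, now, older_than=timedelta(days=28)):
    """Return the digests a delete-untagged + older-than rule would select."""
    # Step 1: children of any tagged (live) manifest list leave the working set,
    # even though each child carries no tag of its own.
    protected = {c for v in versions if v.tags for c in v.children}
    # Step 2: only then apply the rule: untagged and older than the window.
    return sorted(
        v.digest
        for v in versions
        if not v.tags and v.digest not in protected and now - v.updated > older_than
    )


NOW = datetime(2025, 1, 29, 5, 0, tzinfo=timezone.utc)  # constructed run time


def _v(digest, age_days, tags=(), children=()):
    return Version(digest, NOW - timedelta(days=age_days), list(tags), list(children))


# Constructed sample: one live multi-arch tag, one superseded build, one fresh push.
SAMPLE = [
    _v("sha256:list-live", 40, tags=["8.3"],
       children=["sha256:amd64-live", "sha256:arm64-live"]),
    _v("sha256:amd64-live", 40),    # untagged, old, but child of a live list
    _v("sha256:arm64-live", 40),
    _v("sha256:list-stale", 35,     # manifest list whose tag has moved on
       children=["sha256:amd64-stale", "sha256:arm64-stale"]),
    _v("sha256:amd64-stale", 35),
    _v("sha256:arm64-stale", 35),
    _v("sha256:amd64-recent", 7),   # inside the 28-day window
]

if __name__ == "__main__":
    for digest in plan_prune(SAMPLE, NOW):
        print("would delete", digest)
```

A dry-run summary that lists a digest corresponding to the amd64-live or arm64-live rows would mean the protection step is not behaving as the Summary describes.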