From 6a3a9c3252805ecc76abf43d60188f5356446211 Mon Sep 17 00:00:00 2001
From: Moritz Reich
Date: Wed, 4 Jun 2025 13:20:01 +0200
Subject: [PATCH 1/2] fix: changed to new action for cleanup
---
 .github/workflows/clean-main-images.yml | 69 ++++++-------------------
 1 file changed, 16 insertions(+), 53 deletions(-)
diff --git a/.github/workflows/clean-main-images.yml b/.github/workflows/clean-main-images.yml
index 8de6a7b..1320b20 100644
--- a/.github/workflows/clean-main-images.yml
+++ b/.github/workflows/clean-main-images.yml
@@ -4,68 +4,31 @@ on: schedule: - cron: "5 1 * * *" workflow_dispatch: + inputs: + dry-run: + description: "Dry run" + required: false + default: true + type: "boolean" env: - REGISTRY: ghcr.io - ORG: openmcp-project IMAGE_NAME: mcp-ui-backend KEEP_X_IMAGES: 5 TAG_PREFIX: "main-" jobs: clean: - name: "Clean main images" + name: Clean main images runs-on: ubuntu-latest permissions: packages: write - env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} steps: - - name: List all ${{ env.TAG_PREFIX }} tags and their version IDs (debug) - run: | - gh api -H "Accept: application/vnd.github+json" \ - /orgs/${{ env.ORG }}/packages/container/${{ env.IMAGE_NAME }}/versions \ - --paginate | jq -r '.[] | select(.metadata.container.tags[] | startswith("${{ env.TAG_PREFIX }}")) | "\(.id) \(.metadata.container.tags[])"' | grep '^.* ${{ env.TAG_PREFIX }}' | sort -k2 -r - - - name: Delete old ${{ env.TAG_PREFIX }}* tags using GitHub API, keep ${{ env.KEEP_X_IMAGES }} - run: | - set -e - set -o pipefail - - # Get all ${{ env.TAG_PREFIX }}* tags and their version IDs, sorted by tag (descending) - VERSIONS=$(gh api -H "Accept: application/vnd.github+json" \ - /orgs/${{ env.ORG }}/packages/container/${{ env.IMAGE_NAME }}/versions \ - --paginate | jq -r '.[] | select(.metadata.container.tags[] | startswith("${{ env.TAG_PREFIX }}")) | "\(.id) \(.metadata.container.tags[])"' | grep '^.* ${{ env.TAG_PREFIX }}' | sort -k2 -r) - - # Get the lines to delete (skip the first ${{ env.KEEP_X_IMAGES }} versions) - TO_DELETE=$(echo "$VERSIONS" | sed "1,${{ env.KEEP_X_IMAGES }}d") - - echo "Deleting the following tags:" - echo "$TO_DELETE" | awk '{print $2}' - - if [ -z "$TO_DELETE" ]; then - echo "No tags to delete." - exit 0 - fi - - FAILED_DELETIONS="" - while read -r line; do - id=$(echo "$line" | awk '{print $1}') - tag=$(echo "$line" | awk '{print $2}') - echo "Deleting tag $tag (version ID $id)" - if ! 
gh api -X DELETE -H "Accept: application/vnd.github+json" \ - /orgs/${{ env.ORG }}/packages/container/${{ env.IMAGE_NAME }}/versions/$id; then - echo "Failed to delete version $id ($tag)" - FAILED_DELETIONS="${FAILED_DELETIONS}\n$id ($tag)" - fi - done <<< "$TO_DELETE" - - if [ -n "$FAILED_DELETIONS" ]; then - echo -e "The following deletions failed:\n$FAILED_DELETIONS" - exit 1 - fi - - name: List remaining ${{ env.TAG_PREFIX }}* tags and their version IDs (debug) - run: | - gh api -H "Accept: application/vnd.github+json" \ - /orgs/${{ env.ORG }}/packages/container/${{ env.IMAGE_NAME }}/versions \ - --paginate | jq -r '.[] | select(.metadata.container.tags[] | startswith("${{ env.TAG_PREFIX }}")) | "\(.id) \(.metadata.container.tags[])"' | grep '^.* ${{ env.TAG_PREFIX }}' | sort -k2 -r + - uses: dataaxiom/ghcr-cleanup-action@v1 + with: + dry-run: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.dry-run == 'true' }} + packages: ${{ env.IMAGE_NAME }} + delete-tags: ${{ env.TAG_PREFIX }} + delete-untagged: true + keep-n-tagged: ${{ env.KEEP_X_IMAGES }} + delete-ghost-images: true + delete-partial-images: true
From a61618da4a482c91accbd4b20ed0ab31161b98a4 Mon Sep 17 00:00:00 2001
From: Moritz Reich
Date: Wed, 4 Jun 2025 13:22:17 +0200
Subject: [PATCH 2/2] fix(security): changed to pinned sha for action
---
 .github/workflows/clean-main-images.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/clean-main-images.yml b/.github/workflows/clean-main-images.yml
index 1320b20..0377ee3 100644
--- a/.github/workflows/clean-main-images.yml
+++ b/.github/workflows/clean-main-images.yml
@@ -23,7 +23,7 @@ jobs:
 permissions:
 packages: write
 steps:
- - uses: dataaxiom/ghcr-cleanup-action@v1
+ - uses: dataaxiom/ghcr-cleanup-action@cd0cdb900b5dbf3a6f2cc869f0dbb0b8211f50c4 #v1
 with:
 dry-run: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.dry-run == 'true' }}
 packages: ${{ env.IMAGE_NAME }}
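Review bot: The new `with:` block does not obviously reproduce the removed script's scope, which only ever deleted versions whose tag started with `main-`. `delete-tags` receives the bare prefix `${{ env.TAG_PREFIX }}` with no wildcard, and `keep-n-tagged`, `delete-untagged`, `delete-ghost-images` and `delete-partial-images` add deletions the script never performed. If the action matches tags literally or by wildcard rather than by prefix (worth confirming against its README), images tagged outside `main-`, such as releases, may end up governed by `keep-n-tagged`. Consider `delete-tags: ${{ env.TAG_PREFIX }}*` and checking the selected versions with a manual dry run first, because scheduled runs evaluate `dry-run` to false and delete for real under `packages: write`.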
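Review bot: The trailing comment `#v1` on the pinned `uses:` line names a moving major tag, so it does not record which release the commit SHA corresponds to, and the pin cannot be checked against a release from this line alone. Recording the exact release, as in `- uses: dataaxiom/ghcr-cleanup-action@cd0cdb900b5dbf3a6f2cc869f0dbb0b8211f50c4 # vX.Y.Z` (placeholder for the actual release), lets a reviewer verify the pin and lets update tooling propose bumps. Writing the comment with a space after `#` also matches the usual YAML comment style.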