Inicio Explorar Ayuda
Iniciar sesión
yunoadmin
/
bambuddy
espejo de https://github.com/maziggy/bambuddy
1
0
Fork 0
Archivos Incidencias 0 Wiki
Árbol: 44e4b6b5d7
Ramas Etiquetas
bambuddy
/
.github
/
workflows
/
cleanup-ghcr.yml

cleanup-ghcr.yml 4.0 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103 
  1. name: Cleanup GHCR untagged images
    2. 

  2. 

  3. # Deletes untagged (orphan) container versions from GHCR while preserving
    4. 

  4. # any digest that is still referenced by a tagged multi-arch manifest list.
    5. 

  5. # Without that cross-reference, off-the-shelf cleanup actions can silently
    6. 

  6. # break multi-arch tags by deleting referenced platform manifests.
    7. 

  7. #
    8. 

  8. # Requires a repo secret `GHCR_CLEANUP_TOKEN` — a classic PAT with
    9. 

  9. # `read:packages` + `delete:packages` scope. GITHUB_TOKEN cannot delete
    10. 

  10. # versions of user-owned packages (only org-owned).
    11. 

  11. 

  12. on:
    13. 

  13.   schedule:
    14. 

  14.     - cron: '0 3 * * 0'  # Sundays at 03:00 UTC
    15. 

  15.   workflow_dispatch:
    16. 

  16.     inputs:
    17. 

  17.       dry_run:
    18. 

  18.         description: 'List orphans without deleting'
    19. 

  19.         type: boolean
    20. 

  20.         default: false
    21. 

  21. 

  22. jobs:
    23. 

  23.   cleanup:
    24. 

  24.     runs-on: ubuntu-latest
    25. 

  25.     strategy:
    26. 

  26.       fail-fast: false
    27. 

  27.       matrix:
    28. 

  28.         package: [bambuddy, bambuddy-beta]
    29. 

  29.     steps:
    30. 

  30.       - name: Cleanup ${{ matrix.package }}
    31. 

  31.         env:
    32. 

  32.           GH_TOKEN: ${{ secrets.GHCR_CLEANUP_TOKEN }}
    33. 

  33.           OWNER: ${{ github.repository_owner }}
    34. 

  34.           PACKAGE: ${{ matrix.package }}
    35. 

  35.           DRY_RUN: ${{ inputs.dry_run }}
    36. 

  36.         run: |
    37. 

  37.           set -euo pipefail
    38. 

  38. 

  39.           # 1. Fetch all versions for the package.
    40. 

  40.           gh api "users/${OWNER}/packages/container/${PACKAGE}/versions?per_page=100" \
    41. 

  41.             --paginate --slurp > all.json
    42. 

  42.           total=$(jq 'add | length' all.json)
    43. 

  43.           echo "Total versions: $total"
    44. 

  44. 

  45.           # 2. Build the live-digest set: digests referenced by any tagged
    46. 

  46.           #    multi-arch manifest list. Use the registry token (separate from
    47. 

  47.           #    GH_TOKEN) for ghcr.io manifest reads.
    48. 

  48.           REG_TOKEN=$(curl -sS \
    49. 

  49.             "https://ghcr.io/token?scope=repository:${OWNER}/${PACKAGE}:pull&service=ghcr.io" \
    50. 

  50.             | jq -r .token)
    51. 

  51. 

  52.           jq -r 'add | map(select(.metadata.container.tags | length > 0))
    53. 

  53.                  | .[] | .metadata.container.tags[0]' all.json > tags.txt
    54. 

  54. 

  55.           : > live.txt
    56. 

  56.           while IFS= read -r tag; do
    57. 

  57.             curl -sS \
    58. 

  58.               -H "Authorization: Bearer $REG_TOKEN" \
    59. 

  59.               -H "Accept: application/vnd.oci.image.index.v1+json,application/vnd.docker.distribution.manifest.list.v2+json,application/vnd.oci.image.manifest.v1+json,application/vnd.docker.distribution.manifest.v2+json" \
    60. 

  60.               "https://ghcr.io/v2/${OWNER}/${PACKAGE}/manifests/${tag}" \
    61. 

  61.             | jq -r '(.manifests // []) | .[].digest' >> live.txt 2>/dev/null || true
    62. 

  62.           done < tags.txt
    63. 

  63.           sort -u live.txt -o live.txt
    64. 

  64.           echo "Live digests referenced by manifest lists: $(wc -l < live.txt)"
    65. 

  65. 

  66.           # 3. Untagged digests minus live = true orphans.
    67. 

  67.           jq -r 'add | map(select(.metadata.container.tags | length == 0))
    68. 

  68.                  | .[] | .name' all.json | sort -u > untagged.txt
    69. 

  69.           comm -23 untagged.txt live.txt > orphan_digests.txt
    70. 

  70.           orphan_count=$(wc -l < orphan_digests.txt)
    71. 

  71.           echo "Orphan digests safe to delete: $orphan_count"
    72. 

  72. 

  73.           if [ "$orphan_count" -eq 0 ]; then
    74. 

  74.             echo "Nothing to delete."
    75. 

  75.             exit 0
    76. 

  76.           fi
    77. 

  77. 

  78.           # 4. Map orphan digests -> version IDs.
    79. 

  79.           jq -r --slurpfile orphans <(jq -R . orphan_digests.txt) '
    80. 

  80.             add
    81. 

  81.             | map(select(.name as $n | ($orphans | flatten | index($n))))
    82. 

  82.             | .[] | .id
    83. 

  83.           ' all.json > delete_ids.txt
    84. 

  84.           echo "Version IDs queued for deletion: $(wc -l < delete_ids.txt)"
    85. 

  85. 

  86.           if [ "${DRY_RUN:-false}" = "true" ]; then
    87. 

  87.             echo "Dry run — not deleting."
    88. 

  88.             head -20 delete_ids.txt
    89. 

  89.             exit 0
    90. 

  90.           fi
    91. 

  91. 

  92.           # 5. Delete.
    93. 

  93.           deleted=0
    94. 

  94.           failed=0
    95. 

  95.           while IFS= read -r id; do
    96. 

  96.             if gh api -X DELETE "users/${OWNER}/packages/container/${PACKAGE}/versions/${id}" --silent; then
    97. 

  97.               deleted=$((deleted + 1))
    98. 

  98.             else
    99. 

  99.               failed=$((failed + 1))
    100. 

  100.             fi
    101. 

  101.           done < delete_ids.txt
    102. 

  102.           echo "Deleted: $deleted  Failed: $failed"
    103. 

  103.           [ "$failed" -eq 0 ]
    104.