[Bug]: Cleanup job remove images included in image manifest for tag

[asatt]

Summary

We faced with situation when cleanup job break the docker image published in GitHub Container Registry (GHCR).

We are builing multiarch images that publish as 3 images in GHCR:

• image manifest that should include SHA of all images for different architectures
• image for "linux/amd64" (should be included in manifest)
• image for "linux/arm64" (should be included in manifest)

The artifact for which we found broken image is private. After run cleanup job by schedule we found that it removed images for "linux/amd64" and "linux/arm64", but kept image manifest.

As result we have broken image for tag/release that can't be download.

Example:

• Artifact with list of SHA of images that should be included

• Search by artifacts (all fit on the one page)

• Action that removed images https://github.com/Netcracker/qubership-jaeger/actions/runs/20546498761

Using version:

Netcracker/qubership-workflow-hub/actions/container-package-cleanup@9538833017019ab6bbc2138d3034778dfe3a5d1f # v2.0.6

Expected Behaviour

Images included in manifest shouldn't remove if manifest exist. They can be removed only if image manifest should be remove.

Actual Behaviour (What actually happened)

Images included in manifest were removed that break all image manifests.

Reproduction Steps / Logs

1. Publish multiarch image to GHCR for release (maybe need to use private artifact)
2. Configure and call cleanup Action for this artifact
3. Check which image will be removed

Impact / Severity

No response

Environment

• https://github.com/Netcracker/qubership-jaeger/blob/main/.github/workflows/cleanup-old-docker-container.yml
• https://github.com/Netcracker/qubership-jaeger/actions/runs/20546498761

Hypothesis (Optional)

No response

Proposed Fix (Optional)

No response

[nookyo]

fixed in
https://github.com/Netcracker/qubership-workflow-hub/releases/tag/v2.0.7

[asatt]

It's still not working for Docker images that are marked as private.