fix: delete orphaned digest directories when last tag is removed

[hiroTamada]

Summary

• Fix orphaned digest directory accumulation by implementing eager garbage collection
• When DeleteImage removes the last tag referencing a digest, the digest directory is now automatically deleted
• If multiple tags share the same digest, it's preserved until the last tag is removed

Background

Previously, DeleteImage only removed the tag symlink, leaving digest directories (containing erofs rootfs files) on disk indefinitely. This was documented in the README as "Old digests remain until explicitly garbage collected" but no GC was ever implemented.

At current volume (~20 GB/month), the 3.5 TB disk on prod-iad-hypeman-1 has runway, but this becomes a concern at higher deployment volumes post-rollout.

Changes

• storage.go: Added countTagsForDigest() and deleteDigest() helper functions
• manager.go: Updated DeleteImage() to check for orphaned digests and delete them
• manager_test.go: Updated existing test + added TestDeleteImagePreservesSharedDigest
• README.md: Updated documentation to reflect new behavior

CI fixes (pre-existing issues on main)

• go.mod: Updated oapi-codegen/runtime v1.1.2 → v1.2.0 (fixes missing StyleParamWithOptions)
• Makefile: Pinned oapi-codegen to v2.5.1 (v2.6.0 generates incompatible struct tags)

Test plan

• TestDeleteImage - verifies digest is deleted when orphaned
• TestDeleteImagePreservesSharedDigest - verifies digest is preserved when other tags reference it
• TestDeleteImageNotFound - unchanged, still passes
• Manual test on staging: deploy, stop, verify disk space is reclaimed

Note on CI fixes

This PR includes fixes for two pre-existing CI issues unrelated to the GC changes:

1. Runtime version: CI regenerates oapi.go with oapi-codegen@latest, which uses runtime.StyleParamWithOptions added in v1.2.0, but go.mod had v1.1.2.

2. Generator version: oapi-codegen v2.6.0 changed struct tag generation (adds omitempty to some fields), causing type mismatches. Pinned to v2.5.1 to match committed code.

Both issues caused CI failures starting with commit 08958b8 on main.

---

Note

Medium Risk
Changes image deletion semantics to eagerly remove on-disk digest directories, so bugs in tag counting or race handling could delete still-referenced image data. Impact is limited to local image storage/GC plus a small dependency/tooling version adjustment.

Overview
Eagerly garbage-collects image digests on delete. DeleteImage now resolves the tag to its digest, deletes the tag symlink, then (under createMu) checks if the digest is still referenced by any other tags and removes the digest directory when orphaned.

Adds storage helpers (countTagsForDigest, deleteDigest), updates docs to reflect the new behavior, and expands tests to cover both orphan deletion and shared-digest preservation.

Separately, pins oapi-codegen in the Makefile and bumps github.com/oapi-codegen/runtime to v1.2.0 to keep generated OpenAPI code/CI consistent.

^{Written by Cursor Bugbot for commit d5aeb5d. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

[cursor]

Silent error skip in tag count risks premature deletion

Medium Severity

countTagsForDigest silently continues past resolveTag errors, which can undercount tags referencing a digest. If the only remaining tag hits a transient I/O or permission error on os.Readlink, the count returns 0, causing DeleteImage to delete a digest directory that is still referenced. The caller already handles errors from countTagsForDigest conservatively (preserves the digest), so propagating the error instead of skipping would be safe.

Additional Locations (1)

• lib/images/manager.go#L441-L446