feat: implement better clean up strategy (#926)

rjaegers · web-flow · commit 616126f197d8 · 2025-09-16T08:03:33.000Z
* feat: use different action to clean up PR images

* feat: add cron based clean-up of orphaned images

* chore: fix packages format

* chore: add amp-devcontainer image to clean-up

* chore: remove dry-run

* chore: delete untagged images

* chore: remove dry-run

* chore: remove test code and prepare for merge
diff --git a/.github/workflows/image-cleanup.yml b/.github/workflows/image-cleanup.yml
@@ -0,0 +1,30 @@
+---
+name: Cleanup Images
+
+on:
+  schedule:
+    - cron: "0 0 * * 3"
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  delete-images:
+    runs-on: ubuntu-latest
+    permissions:
+      # dataaxiom/ghcr-cleanup-action needs packages write permission
+      # to delete untagged and orphaned images
+      packages: write
+    steps:
+      - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        with:
+          disable-sudo: true
+          egress-policy: block
+          allowed-endpoints: >
+            api.github.com:443
+            ghcr.io:443
+      - uses: dataaxiom/ghcr-cleanup-action@cd0cdb900b5dbf3a6f2cc869f0dbb0b8211f50c4 # v1.0.16
+        with:
+          delete-orphaned-images: true
+          delete-untagged: true
+          packages: amp-devcontainer,amp-devcontainer-cpp,amp-devcontainer-rust
diff --git a/.github/workflows/pr-image-cleanup.yml b/.github/workflows/pr-image-cleanup.yml
@@ -7,33 +7,20 @@ on:
 
 permissions: {}
 
-env:
-  REGISTRY: ghcr.io
-
 jobs:
   delete-images:
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        flavor: ["cpp", "rust"]
     permissions:
       packages: write
     steps:
       - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
           disable-sudo: true
           egress-policy: audit
-      - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      - uses: bots-house/ghcr-delete-image-action@3827559c68cb4dcdf54d813ea9853be6d468d3a4 # v1.1.0
+      - uses: dataaxiom/ghcr-cleanup-action@cd0cdb900b5dbf3a6f2cc869f0dbb0b8211f50c4 # v1.0.16
         with:
-          owner: ${{ github.repository_owner }}
-          name: ${{ github.event.repository.name }}-${{ matrix.flavor }}
-          token: ${{ secrets.GITHUB_TOKEN }}
-          tag: pr-${{ github.event.pull_request.number }}
+          delete-tags: pr-${{ github.event.pull_request.number }}
+          packages: amp-devcontainer,amp-devcontainer-cpp,amp-devcontainer-rust
   cleanup-cache:
     runs-on: ubuntu-latest
     permissions:
