ci: refactor attestation clean-up

Author: rjaegers

.github/workflows/image-cleanup.yml

@@ -5,6 +5,10 @@ on:
   schedule:
     - cron: "0 0 * * 3"
   workflow_dispatch:
+    inputs:
+      dry-run:
+        default: false
+        type: boolean
 
 permissions: {}
 
@@ -19,7 +23,7 @@ jobs:
     permissions:
       packages: read # is needed to list package versions
     steps:
-      - uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           disable-sudo-and-containers: true
           egress-policy: audit
@@ -28,6 +32,7 @@ jobs:
         run: |
           set -Eeuo pipefail
           ORG="${GH_REPO%%/*}"
+
           gh api "/orgs/${ORG}/packages/container/${GH_PACKAGE}/versions" \
             --paginate \
             --jq '.[].name' 2>/dev/null > digests.txt || touch digests.txt
@@ -60,7 +65,8 @@ jobs:
         with:
           delete-orphaned-images: true
           delete-untagged: true
-          packages: amp-devcontainer,amp-devcontainer-cpp,amp-devcontainer-rust
+          dry-run: ${{ inputs.dry-run == true }}
+          packages: amp-devcontainer-base,amp-devcontainer-cpp,amp-devcontainer-rust
 
   cleanup-attestations:
     name: 🔏 Cleanup Orphaned Attestations (${{ matrix.package }})
@@ -74,7 +80,7 @@ jobs:
       attestations: write # is needed to delete attestations
       packages: read # is needed to list remaining package versions after cleanup
     steps:
-      - uses: step-security/harden-runner@58077d3c7e43986b6b15fba718e8ea69e387dfcc # v2.15.1
+      - uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
         with:
           disable-sudo-and-containers: true
           egress-policy: audit
@@ -91,21 +97,35 @@ jobs:
           ORG="${GH_REPO%%/*}"
 
           # Get remaining digests after image cleanup
-          current_digests=$(gh api "/orgs/${ORG}/packages/container/${GH_PACKAGE}/versions" \
+          if ! gh api "/orgs/${ORG}/packages/container/${GH_PACKAGE}/versions" \
             --paginate \
-            --jq '.[].name' 2>/dev/null || echo "")
+            --jq '.[].name' > current-digests.txt; then
+            echo "Package not found or API error, skipping attestation cleanup"
+            exit 0
+          fi
+
+          # Find orphaned digests (present before cleanup but no longer in current)
+          orphaned=$(comm -23 <(grep -v '^$' digests.txt | sort -u) <(sort -u current-digests.txt))
+
+          if [[ -z "$orphaned" ]]; then
+            echo "No orphaned digests found"
+            exit 0
+          fi
+
+          count=$(echo "$orphaned" | wc -l)
+          echo "Found ${count} orphaned digests"
+          echo "$orphaned"
+
+          if [[ "${DRY_RUN}" == "true" ]]; then
+            echo "Dry-run mode: skipping attestation deletion"
+            exit 0
+          fi
 
-          # Delete attestations for digests that no longer have a package version
-          while read -r digest; do
-            [[ -z "$digest" ]] && continue
-            if ! echo "$current_digests" | grep -qx "$digest"; then
-              echo "Deleting attestations for removed digest: ${digest}"
-              encoded_digest="${digest//:/%3A}"
-              gh api --method DELETE "/orgs/${ORG}/attestations/digest/${encoded_digest}" \
-                2>/dev/null && echo "Deleted" || echo "No attestations found (already cleaned up)"
-            fi
-          done < digests.txt
+          echo "Deleting attestations for ${count} orphaned digests"
+          echo "$orphaned" | jq -R . | jq -sc '{subject_digests: .}' | \
+            gh api --method POST "/orgs/${ORG}/attestations/delete-request" --input -
         env:
+          DRY_RUN: ${{ inputs.dry-run == true }}
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           GH_REPO: ${{ github.repository }}
           GH_PACKAGE: ${{ matrix.package }}