05f1ed756b
## What - Pin all GitHub Actions to their specific SHA1 hashes to reduce supply chain attack risk - Replaces version tags with specific commit SHAs - Includes version comments for easier reference - Changes generated with the pinact tool See internal wiki page on supply chain security for further info ## How Used the tool pinact to pin the sha for github actions. ## Review guide <!-- 1. `x.py` 2. `y.py` --> ## User Impact No impact ## Can this PR be safely reverted and rolled back? - [x] YES 💚 - [ ] NO ❌
37 lines
1.4 KiB
YAML
37 lines
1.4 KiB
YAML
# .github/workflows/prune-temp-ghcr-images.yml
|
|
|
|
name: Docker Image Pruning for GHCR
|
|
# This workflow is responsible for pruning temporary images from the
|
|
# GitHub Container Registry (GHCR).
|
|
# It is scheduled to run every Sunday at 02:00 AM Pacific (09:00 UTC).
|
|
# The workflow uses the snok/container-retention-policy action to delete
|
|
# images that are older than 2 days and match the specified tags.
|
|
# It can also be run as a workflow dispatch to allow manual triggering.
|
|
on:
|
|
schedule:
|
|
- cron: "0 9 * * 0" # every Sunday at 02:00 AM Pacific (09:00 UTC)
|
|
|
|
workflow_dispatch: # allow manual triggering of the workflow
|
|
inputs:
|
|
dry-run:
|
|
description: "Run in dry-run mode?"
|
|
required: false
|
|
default: true
|
|
type: boolean
|
|
|
|
jobs:
|
|
prune-temp-images:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Prune temporary GHCR images
|
|
uses: snok/container-retention-policy@4f22ef80902ad409ed55a99dc5133cc1250a0d03 # v3.0.0
|
|
with:
|
|
account: airbytehq
|
|
token: ${{ secrets.GITHUB_TOKEN }}
|
|
image-tags: > # only delete tags starting with draft- or test-
|
|
draft-*
|
|
test-*
|
|
image-names: "*" # all images in the account if they match tag filters
|
|
cut-off: 2d # delete versions older than 2 days (If run Sunday, deletes anything older than Friday.)
|
|
dry-run: ${{ inputs.dry-run || false }} # set to true first to preview only
|