GHA workflow for image cleanup #578

Merged
david-waltermire merged 3 commits into develop from 561-container-cleanup
Dec 25, 2025

Contributor

@aj-stein aj-stein commented Dec 25, 2025

Committer Notes

Add GHA workflow to prune old OCI images in GHCR as part of #561.

All Submissions:

By submitting a pull request, you are agreeing to provide this contribution under the CC0 1.0 Universal public domain dedication.

Changes to Core Features:

  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your core changes, as applicable?
  • Have you included examples of how to use your new feature(s)?
  • Have you updated all website and readme documentation affected by the changes you made?

Summary by CodeRabbit

  • Chores
    • Added an automated daily cleanup (with manual trigger) for container images to prune older images per a retention policy, keeping recent versions.
    • Includes configurable dry-run and filtering to avoid removing important tags (e.g., latest and versioned tags).

@aj-stein aj-stein self-assigned this Dec 25, 2025

coderabbitai bot commented Dec 25, 2025

Walkthrough

A new GitHub Actions workflow adds scheduled and manual pruning of container images for the metaschema-cli repository, running daily at 02:00 UTC with a retention policy (cut-off 7 days, keep 5 most recent) and tag filters that exclude latest and versioned tags.

Changes

Cohort / File(s) | Summary
GitHub Actions Workflow: .github/workflows/container-cleanup.yml | New workflow "Container Image Cleanup" that runs daily and via manual dispatch. Uses snok/container-retention-policy to prune metaschema-cli images in metaschema-framework with a 7-day cutoff, keep 5 most recent, excludes latest and version tags, supports a dry-run input and uses GITHUB_TOKEN from secrets.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hop through lines at break of day,

Trimming old images that went astray.
Seven days or five I prune with care,
Keeping the spry, sending cobwebs to air. 🥕

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'GHA workflow for image cleanup' is concise and directly describes the main change—adding a GitHub Actions workflow for container image cleanup.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between cc62940 and 9d1223f.

📒 Files selected for processing (1)
  • .github/workflows/container-cleanup.yml
🧰 Additional context used
🧠 Learnings (1)
📓 Common learnings
Learnt from: david-waltermire
Repo: metaschema-framework/liboscal-java PR: 222
File: .github/workflows/build.yml:30-32
Timestamp: 2025-12-13T15:29:03.112Z
Learning: In the liboscal-java repository, nightly builds are managed independently using GitHub Actions schedule triggers (cron), not via repository_dispatch from metaschema-java. Each repo in the metaschema-framework manages its own nightly builds.
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Website
  • GitHub Check: Code
🔇 Additional comments (5)
.github/workflows/container-cleanup.yml (5)

1-12: LGTM! Well-structured workflow triggers.

The combination of scheduled daily cleanup at 2:00 AM UTC with manual dispatch and dry-run capability provides good operational flexibility.


17-18: LGTM! Appropriate minimal permissions.

The packages: write permission correctly scopes access to only what's needed for container cleanup.


29-29: LGTM! Dry-run expression correctly handles scheduled runs.

The expression ${{ inputs.dry-run || false }} properly defaults to false for scheduled runs (where inputs is undefined) while respecting the manual input value when the workflow is dispatched manually. This addresses the previous review feedback.


23-28: Configuration looks appropriate.

The retention policy settings are reasonable:

  • 7-day cutoff with 5 most recent kept provides a good balance
  • Excluding latest and versioned tags (v*) prevents accidental deletion of release artifacts
  • tag-selection: both ensures cleanup of both tagged and untagged images

21-21: The commit SHA correctly corresponds to v3.0.1, which meets the requirement.

The SHA 3b0972b2276b171b212f8c4efbca59ebba26eceb is the commit tagged as v3.0.1 (the latest release from snok/container-retention-policy). Pinning to this specific commit SHA ensures immutability while using the latest version with the most recent bug fixes and dependency updates.


@aj-stein aj-stein marked this pull request as ready for review December 25, 2025 18:30

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

🧹 Nitpick comments (1)
.github/workflows/container-cleanup.yml (1)

22-28: Consider documenting the retention policy parameters.

The retention policy configuration looks reasonable, but consider adding inline comments to document the cleanup strategy:

  • cut-off: 7d - Delete images older than 7 days
  • keep-n-most-recent: 5 - Keep at least 5 most recent images regardless of age
  • image-tags: "!latest !v*" - Exclude images tagged as latest or version tags (v*)
  • tag-selection: both - Apply policy to both tagged and untagged images

This would help future maintainers understand the cleanup criteria.

🔎 Example with comments
       with:
         account: metaschema-framework
         image-names: metaschema-cli
+        # Delete images older than 7 days, but keep at least 5 most recent
         cut-off: 7d
         keep-n-most-recent: 5
+        # Exclude 'latest' and version tags (v*) from deletion
         image-tags: "!latest !v*"
+        # Apply policy to both tagged and untagged images
         tag-selection: both
         dry-run: ${{ inputs.dry-run || false }}
         token: ${{ secrets.GITHUB_TOKEN }}
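Review bot: The comment added above `image-tags: "!latest !v*"` describes the exclusion as "version tags (v*)", but as a wildcard `v*` shields every tag that begins with "v", not only release versions, so the comment should say "any tag starting with v" or the pattern should be narrowed if only release tags are meant to be retained. The `dry-run: ${{ inputs.dry-run || false }}` line is the one setting left without a comment; a short note that scheduled runs resolve it to false and therefore delete for real would tell the next maintainer which path is destructive.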
📜 Review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between a6330f7 and cc62940.

📒 Files selected for processing (1)
  • .github/workflows/container-cleanup.yml
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: Website
  • GitHub Check: Code
🔇 Additional comments (2)
.github/workflows/container-cleanup.yml (2)

1-12: LGTM! Well-configured workflow triggers.

The combination of scheduled daily runs and manual workflow_dispatch with a dry-run option provides good operational flexibility for testing before actual cleanup.


13-19: LGTM! Proper permissions configuration.

The packages: write permission is correctly set for deleting container images, following the principle of least privilege.
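
A model of the retention rules as the review comments above describe them, run over constructed image versions. This is an added example, not the workflow's or snok/container-retention-policy's own code; the `Version` type, the sample digests and tags, and the order in which the rules are applied are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase

# Settings as quoted in the review of container-cleanup.yml.
CUT_OFF = timedelta(days=7)
KEEP_N_MOST_RECENT = 5
IMAGE_TAGS = "!latest !v*"


@dataclass(frozen=True)
class Version:
    digest: str        # constructed placeholder, not a real digest
    tags: tuple        # empty tuple means untagged
    updated: datetime


def is_protected(version, image_tags=IMAGE_TAGS):
    """True if any tag matches a negated ('!') wildcard in image_tags."""
    excludes = [p[1:] for p in image_tags.split() if p.startswith("!")]
    return any(fnmatchcase(t, pat) for t in version.tags for pat in excludes)


def plan_deletions(versions, now, cut_off=CUT_OFF, keep_n=KEEP_N_MOST_RECENT):
    """Digests a non-dry run would delete, oldest first (assumed rule order)."""
    candidates = sorted((v for v in versions if not is_protected(v)),
                        key=lambda v: v.updated, reverse=True)
    # The keep_n newest candidates survive regardless of age.
    expired = [v for v in candidates[keep_n:] if now - v.updated > cut_off]
    return [v.digest for v in reversed(expired)]


def demo_plan():
    """Run the planner over constructed sample data (digest, tags, age in days)."""
    now = datetime(2025, 12, 25, 2, 0, tzinfo=timezone.utc)
    rows = [("d01", ("latest",), 0), ("d02", ("v3.0.0",), 40),
            ("d03", ("develop",), 1), ("d04", (), 2), ("d05", ("pr-570",), 3),
            ("d06", (), 9), ("d07", ("pr-561",), 10), ("d08", ("verify-fix",), 30),
            ("d09", (), 12), ("d10", ("pr-550",), 20), ("d11", ("v2.9.0",), 90)]
    versions = [Version(d, t, now - timedelta(days=a)) for d, t, a in rows]
    return plan_deletions(versions, now)


if __name__ == "__main__":
    for digest in demo_plan():
        print("would delete", digest)
```

In the sample, `d08` (tagged `verify-fix`) is retained only because `v*` matches it, and `d06` and `d07` are past the cut-off but survive as part of the five newest candidates.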

@david-waltermire david-waltermire merged commit 0a67d17 into develop Dec 25, 2025
3 checks passed
@david-waltermire david-waltermire deleted the 561-container-cleanup branch December 25, 2025 21:05
@david-waltermire david-waltermire added this to the v3.0.0 Milestone 2 milestone Dec 27, 2025