build: update build config

Author: sebthom

.github/dependabot.yml

@@ -1,4 +1,4 @@
-# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+# https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference
 version: 2
 updates:
 - package-ecosystem: github-actions

.github/workflows/build.yml

@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-openldap
 #
-# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
+# https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions
 name: Build
 
 on:
@@ -26,28 +26,30 @@ on:
     - '.github/*.yml'
     - '.github/workflows/stale.yml'
   schedule:
-    # https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows
+    # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows
     - cron: '0 17 * * 3'
   workflow_dispatch:
-    # https://github.blog/changelog/2020-07-06-github-actions-manual-triggers-with-workflow_dispatch/
+    # https://docs.github.com/en/actions/writing-workflows/choosing-when-your-workflow-runs/events-that-trigger-workflows#workflow_dispatch
 
 defaults:
   run:
     shell: bash
 
 env:
-  DOCKER_IMAGE_REPO: vegardit/openldap
+  DOCKER_REPO_NAME: openldap
   TRIVY_CACHE_DIR: ~/.trivy/cache
 
 jobs:
 
   ###########################################################
   build:
   ###########################################################
-
     runs-on: ubuntu-latest  # https://github.com/actions/runner-images#available-images
     timeout-minutes: 10
 
+    permissions:
+      packages: write
+
     steps:
     - name: "Show: GitHub context"
       env:
@@ -99,11 +101,13 @@ jobs:
 
 
     - name: "Determine if docker images shall be published"
+      id: docker_push_actions
       run: |
         # ACT -> https://nektosact.com/usage/index.html#skipping-steps
         set -x
         if [[ $GITHUB_REF_NAME == 'main' && $GITHUB_EVENT_NAME != 'pull_request' && -z "$ACT" ]]; then
           echo "DOCKER_PUSH_GHCR=true" >> "$GITHUB_ENV"
+          echo "DOCKER_PUSH_GHCR=true" >> $GITHUB_OUTPUT
           if [[ -n "${{ secrets.DOCKER_HUB_USERNAME }}" ]]; then
             echo "DOCKER_PUSH=true" >> "$GITHUB_ENV"
           fi
@@ -124,28 +128,41 @@ jobs:
       with:
         registry: ghcr.io
         username: ${{ github.actor }}
-        password: ${{ github.token }}
+        password: ${{ secrets.GITHUB_TOKEN }}
 
 
     - name: Build docker image
       env:
-        TRIVY_GITHUB_TOKEN: ${{ github.token }}
+        DOCKER_IMAGE_REPO: ${{ github.repository_owner }}/${{ env.DOCKER_REPO_NAME }}
+        TRIVY_GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: bash build-image.sh
 
+    outputs:
+      DOCKER_PUSH_GHCR: ${{ steps.docker_push_actions.outputs.DOCKER_PUSH_GHCR }}
+
+
+  ###########################################################
+  delete-untagged-images:
+  ###########################################################
+    runs-on: ubuntu-latest  # https://github.com/actions/runner-images#available-images
+    timeout-minutes: 5
+    needs: [build]
+    if: ${{ needs.build.outputs.DOCKER_PUSH_GHCR }}
+
+    concurrency:
+      group: ${{ github.workflow }}
+      cancel-in-progress: false
+      
+    permissions:
+      packages: write
 
+    steps:
     - name: Delete untagged images
-      uses: actions/github-script@v7
-      if: ${{ env.DOCKER_PUSH_GHCR }}
-      continue-on-error: true
+      uses: dataaxiom/ghcr-cleanup-action@v1
       with:
-        github-token: ${{ secrets.GHA_DELETE_PACKAGES }}
-        script: |
-          const imageName = /[^/]*$/.exec(process.env.DOCKER_IMAGE_REPO)[0]
-          const basePath = `/orgs/${{ github.repository_owner }}/packages/container/${imageName}/versions`
-          for (version of (await github.request(`GET ${basePath}`, { per_page: 100 })).data) {
-            if (version.metadata.container.tags.length == 0) {
-              console.log(`deleting ${version.name}...`)
-              const delResponse = await github.request(`DELETE ${basePath}/${version.id}`)
-              console.log(`status: ${delResponse.status}`)
-            }
-          }
+        package: ${{ env.DOCKER_REPO_NAME }}
+        delete-untagged: true
+        delete-partial-images: true
+        delete-ghost-images: true
+        delete-orphaned-images: true
+        validate: true

README.md

@@ -362,4 +362,4 @@ Individual files contain the following tag instead of the full license text:
 SPDX-License-Identifier: Apache-2.0
 ```
 
-This enables machine processing of license information based on the SPDX License Identifiers that are available here: https://spdx.org/licenses/.
+This enables machine processing of license information based on the SPDX License Identifiers that are available here: https://spdx.org/licenses/.