ci: Update Docker retention and reusable workflows

Enhance Docker retention and reusable workflows with critical updates and improvements. Docker retention workflow: - Upgrade to `snok/container-retention-policy` v3.0.0: - Simplify account and image tag parameters. - Improve cut-off format and retain only the most recent image. - Exclude SHAs from multi-platform manifests via a new digest retrieval script. - Add steps for authentication and SHA retrieval to ensure accuracy in image retention. Reusable Docker workflow: - Update `docker/login-action` to v3.2.0. - Upgrade `docker/build-push-action` to v6.3.0. New script: - Add `ci/Get-DockerTagSHAs.ps1` to obtain and exclude SHAs for all non-pre-release tags, preventing the inadvertent removal of necessary multi-arch images. These changes enhance the robustness and efficiency of the Docker retention policy, ensuring compliance with retention goals and maintaining essential multi-platform images.
10 months ago · 0145b8ce0c
parent bf4830d799
commit 0145b8ce0c
3 changed files with 36 additions and 10 deletions
--- a/.github/workflows/docker-retention.yml
+++ b/.github/workflows/docker-retention.yml
@ -11,15 +11,30 @@ jobs:
    name: Enforce Retention Policy
    runs-on: ubuntu-latest
    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3.2.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Fetch multi-platform package version SHAs
+        id: multi-arch-digests
+        run: |
+          shas="$(pwsh ci/Get-DockerTagSHAs.ps1)"
+          echo "shas=$shas" >> $GITHUB_OUTPUT
+
      - name: Delete old pre-release images
-        uses: snok/container-retention-policy@v2
+        uses: snok/container-retention-policy@v3.0.0
        with:
          image-names: recyclarr
-          filter-tags: '*-dev.*'
-          cut-off: One week ago CST
-          keep-at-least: 1
-          account-type: org
-          org-name: recyclarr
+          account: recyclarr
+          image-tags: '*-dev.*'
          token: ${{ secrets.GITHUB_TOKEN }}
-          token-type: github-token
+          cut-off: 1w
+          keep-n-most-recent: 1
+          skip-shas: ${{ steps.multi-arch-digests.outputs.shas }}
          dry-run: true # TEMP
--- a/.github/workflows/reusable-docker.yml
+++ b/.github/workflows/reusable-docker.yml
@ -53,21 +53,21 @@ jobs:

      - name: Login to Docker Hub
        if: env.SHOULD_PUBLISH == 'true'
-        uses: docker/login-action@v3
+        uses: docker/login-action@v3.2.0
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to GHCR
        if: env.SHOULD_PUBLISH == 'true'
-        uses: docker/login-action@v3
+        uses: docker/login-action@v3.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build & Push Image
-        uses: docker/build-push-action@v6
+        uses: docker/build-push-action@v6.3.0
        env:
          DOCKER_BUILD_SUMMARY: false
          DOCKER_BUILD_RECORD_UPLOAD: false
--- a/ci/Get-DockerTagSHAs.ps1
+++ b/ci/Get-DockerTagSHAs.ps1
@ -0,0 +1,11 @@
+$output = skopeo --override-os linux list-tags docker://ghcr.io/recyclarr/recyclarr
+$tags = ($output | convertfrom-json).Tags |where-object { $_ -notmatch "dev" }
+
+$shas = @()
+foreach ($tag in $tags) {
+    # "Obtain SHAs for tag $tag"
+    $manifests = docker manifest inspect ghcr.io/recyclarr/recyclarr:$tag | ConvertFrom-Json
+    $manifests.manifests | ForEach-Object { $shas += $_.digest }
+}
+
+Write-Host $($shas | Select-Object -Unique)