Move the GHCR package-cleanup workflow from DevSecNinja/dotfiles into this central repo as a reusable workflow so other repos (which also publish multi-arch images by digest) can consume it.
Background
DevSecNinja/dotfiles added .github/workflows/cleanup-packages.yaml (commit 275c8e4) to prune stale, untagged devcontainer image digests from GHCR. Every main/scheduled prebuild pushes per-arch images by digest and re-points :latest, leaving the previous per-arch digests untagged; they accumulate forever without cleanup.
Proposal
Add .github/workflows/ghcr-cleanup.yml here as a workflow_call reusable workflow that wraps snok/container-retention-policy (>= v3.1.0, multi-arch-aware + fail-closed).
Suggested inputs
- image-names (required) — exact package name(s)
- account (default user)
- tag-selection (default untagged)
- cut-off (default 1w)
- dry-run (default false)
Notes / gotchas
- With the built-in GITHUB_TOKEN ("temporal token"), image-names/image-tags glob operators are unavailable — names must be exact, and the calling repo needs the Admin role on the package.
- Keep tag-selection: untagged + a cut-off buffer as the safe default; never select tagged (latest, v*) versions.
- Pin snok/container-retention-policy by SHA with a Renovate comment, and call harden-runner first, per org conventions.
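The shape the proposal describes, written out as an added example (not code from this repo or from DevSecNinja/dotfiles): the reusable workflow with the five suggested inputs and their defaults, harden-runner first, both actions pinned by SHA with a Renovate version comment, and a minimal caller. The owner/repo path of the central repo, the package name, the cron expression and the commit SHAs are placeholders, and the `packages: write` job permission is an assumption about what the deletion needs; the action's input names follow the v3 inputs listed in the proposal.

```yaml
# .github/workflows/ghcr-cleanup.yml (example reusable workflow, not the repo's own file)
name: GHCR cleanup

on:
  workflow_call:
    inputs:
      image-names:
        description: Exact package name(s); globs are unavailable with GITHUB_TOKEN
        required: true
        type: string
      account:
        description: "'user' for a personal account, or the organization name"
        required: false
        type: string
        default: user
      tag-selection:
        description: Versions to consider; keep 'untagged' so :latest / v* are never touched
        required: false
        type: string
        default: untagged
      cut-off:
        description: Only delete versions older than this duration (buffer against in-flight pushes)
        required: false
        type: string
        default: 1w
      dry-run:
        description: Report what would be deleted without deleting anything
        required: false
        type: boolean
        default: false

permissions: {}   # nothing at the workflow level; the job grants only what it needs

jobs:
  cleanup:
    runs-on: ubuntu-latest
    permissions:
      packages: write   # assumption: needed to delete package versions with GITHUB_TOKEN
    steps:
      - name: Harden runner
        # placeholder SHA; pin the real commit and let Renovate maintain the version comment
        uses: step-security/harden-runner@<PINNED_COMMIT_SHA> # vX.Y.Z
        with:
          egress-policy: audit

      - name: Prune stale untagged digests
        # placeholder SHA; must resolve to >= v3.1.0 (multi-arch-aware, fail-closed)
        uses: snok/container-retention-policy@<PINNED_COMMIT_SHA> # v3.1.0
        with:
          account: ${{ inputs.account }}
          token: ${{ secrets.GITHUB_TOKEN }}   # passed to the called workflow automatically
          image-names: ${{ inputs.image-names }}
          tag-selection: ${{ inputs.tag-selection }}
          cut-off: ${{ inputs.cut-off }}
          dry-run: ${{ inputs.dry-run }}

---
# Caller, e.g. the replacement for dotfiles' local cleanup-packages.yaml (example only)
name: Cleanup packages

on:
  schedule:
    - cron: "0 3 * * 0"   # placeholder schedule
  workflow_dispatch:

jobs:
  ghcr-cleanup:
    uses: <OWNER>/<CENTRAL-REPO>/.github/workflows/ghcr-cleanup.yml@main   # placeholder path
    permissions:
      packages: write
    with:
      image-names: <exact-package-name>   # placeholder; no globs with GITHUB_TOKEN
      dry-run: true                       # flip to false once the dry-run log looks right
```

Two points worth checking when adopting this: run the caller with `dry-run: true` first and read the log, since with the built-in token a mistyped package name fails or matches nothing rather than matching a glob; and verify the calling repo holds the Admin role on the package before the first real run, because the deletion permission comes from the package settings, not only from the job's `permissions` block.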
Acceptance criteria
- workflow_call workflow committed here
- Admin permission on the package granted to the calling repo (see notes above)
- dotfiles migrated to call the reusable workflow and its local copy removed

Source workflow: https://github.com/DevSecNinja/dotfiles/blob/main/.github/workflows/cleanup-packages.yaml