Changes the cleanup images workflow so it uses a OAuth token with the correct scope (GITHUB_TOKEN is not enough). Also prevents running if the token is not defined and generally does commenting/cleanups"

2025-07-28 18:24:38 -05:00 · 2022-07-26 15:41:57 -07:00
parent 173934258c
commit 0fdd3d56f4
2 changed files with 68 additions and 16 deletions
--- a/.github/workflows/cleanup-tags.yml
+++ b/.github/workflows/cleanup-tags.yml
@@ -1,3 +1,8 @@
+# This workflow runs on certain conditions to check for and potentially
+# delete container images from the GHCR which no longer have an associated
+# code branch.
+# Requires a PAT with the correct scope set in the secrets
+
 name: Cleanup Image Tags

 on:
@@ -13,15 +18,13 @@ on:
      - ".github/scripts/cleanup-tags.py"
      - ".github/scripts/common.py"

-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
 jobs:
  cleanup:
    name: Cleanup Image Tags
    runs-on: ubuntu-20.04
-    permissions:
-      packages: write
+    env:
+      # Requires a personal access token with the OAuth scope delete:packages
+      TOKEN: ${{ secrets.GHA_CONTAINER_DELETE_TOKEN }}
    steps:
      -
        name: Checkout
@@ -44,5 +47,7 @@ jobs:
          python -m pip install requests
      -
        name: Cleanup feature tags
+        # Only run if the token is not empty
+        if: "${{ env.TOKEN != '' }}"
        run: |
-          python ${GITHUB_WORKSPACE}/.github/scripts/cleanup-tags.py --loglevel info --delete
+          python ${GITHUB_WORKSPACE}/.github/scripts/cleanup-tags.py --loglevel info --untagged --delete