Maintenance #201
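# Housekeeping workflow: prunes container images in GHCR and removes stale
# Trivy caches. Runs on a daily schedule and on manual dispatch.
name: Maintenance

on:
  schedule:
    # GitHub evaluates cron schedules in UTC.
    - cron: '30 1 * * *'
  workflow_dispatch:

# Declare default permissions as read-only.
# Each job below declares its own permissions block, which replaces this
# default for that job; a job added later without one inherits read-all.
permissions: read-all

jobs:
  ghcr-cleanup:
    name: Cleanup GHCR
    runs-on: ubuntu-24.04
    strategy:
      matrix:
        agent: [ clinical-domain-agent, trust-center-agent, research-domain-agent ]
      # One package failing to clean up must not cancel the other matrix legs.
      fail-fast: false
    permissions:
      # Only scope granted to this job's token; used by the cleanup action to
      # delete package versions.
      packages: write
    steps:
      # Third-party actions are pinned to a full commit SHA; keep the trailing
      # version comment in sync when bumping the pin.
      - name: Harden Runner
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          # audit records outbound connections but does not block them.
          # NOTE(review): consider `egress-policy: block` with an explicit
          # `allowed-endpoints` list once the audit data shows which hosts
          # this job needs.
          egress-policy: audit

      - name: Cleanup Untagged Images
        uses: dataaxiom/ghcr-cleanup-action@cd0cdb900b5dbf3a6f2cc869f0dbb0b8211f50c4 # v1.0.16
        with:
          package: "fts/${{ matrix.agent }}"
          delete-untagged: true
          delete-ghost-images: true
          delete-partial-images: true
          delete-orphaned-images: true

      - name: Cleanup >7d Old Images
        uses: dataaxiom/ghcr-cleanup-action@cd0cdb900b5dbf3a6f2cc869f0dbb0b8211f50c4 # v1.0.16
        with:
          package: "fts/${{ matrix.agent }}"
          # Deletion is destructive: `latest` and three-part dotted tags are
          # excluded, and only pr-* / build-* tags are selected for removal.
          exclude-tags: "latest,*.*.*"
          delete-tags: "pr-*,build-*"
          older-than: 7 days

  cache-cleanup:
    name: Remove old Trivy Caches
    runs-on: ubuntu-24.04
    permissions:
      actions: write # required to delete caches
      contents: read
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
        with:
          # audit records outbound connections but does not block them
          # (see NOTE(review) suggestion: move to block once endpoints are known).
          egress-policy: audit

      - name: Delete caches not from today
        # Token and repository are handed to the script through the
        # environment instead of being expanded into the script text.
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
        run: |
          set -euo pipefail
          # Use UTC date to avoid timezone ambiguity on GitHub-hosted runners
          TODAY="$(date -u +%F)" # e.g., 2025-09-01
          KEEP_KEY="cache-trivy-${TODAY}"
          echo "Keeping cache with key: ${KEEP_KEY}"
          # List all caches, filter keys beginning with cache-trivy- that are not today's key, then delete by cache_id.
          # KEEP_KEY is spliced into the jq program text by the shell; that is
          # safe only because its value is built from `date` output above.
          # Do not put externally supplied values into this filter.
          gh api "repos/${REPO}/actions/caches" --paginate \
            -q '.actions_caches[] | select((.key | startswith("cache-trivy-")) and (.key != "'"${KEEP_KEY}"'")) | [.id, .key] | @tsv' |
            {
              # A single failed DELETE (for example a cache that was evicted
              # between listing and deletion) must not leave the remaining
              # stale caches behind: keep going, then fail the step at the end.
              failed=0
              while IFS=$'\t' read -r CACHE_ID CACHE_KEY; do
                echo "Deleting cache '${CACHE_KEY}'"
                if ! gh api -X DELETE "repos/${REPO}/actions/caches/${CACHE_ID}"; then
                  echo "::warning::Failed to delete cache id ${CACHE_ID}"
                  failed=1
                fi
              done
              # With pipefail set, a non-zero exit here fails the step.
              exit "${failed}"
            }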