chore: bump to 1.0.0-rc.1; pin release to commit SHA image; add weekly interim image cleanup

coopernetes · claude · coopernetes · commit 64a0d89b09c5 · 2026-05-05T21:16:14.000-04:00
- Gradle version bumped to 1.0.0-rc.1 - docker-publish: main push now tags build-{sha7} alongside :edge; release promotion resolves build-{sha7} (commit-pinned) instead of :edge, eliminating the race condition where edge moves forward between tag cut and workflow run - cleanup-interim-images: weekly workflow (Mon 08:00 UTC) deletes all GHCR package versions exclusively tagged build-*; protected tags (v*, edge, latest, untagged) are never touched; serialised with main push via concurrency group closes #193 Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
diff --git a/.github/workflows/cleanup-interim-images.yml b/.github/workflows/cleanup-interim-images.yml
@@ -0,0 +1,81 @@
+name: Cleanup Interim Images
+
+# Deletes GHCR package versions whose tags are exclusively build-* (ephemeral
+# per-commit images). Versions carrying any other tag (v*, edge, latest, etc.)
+# are never touched. Runs weekly and can be triggered manually.
+
+on:
+  schedule:
+    - cron: '0 8 * * 1' # Monday 08:00 UTC
+  workflow_dispatch:
+
+# Serialise with docker-publish to avoid deleting a build-* image that a
+# concurrent release promotion is about to resolve. cancel-in-progress: false
+# makes cleanup wait rather than be killed.
+concurrency:
+  group: docker-refs/heads/main
+  cancel-in-progress: false
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Delete stale build-* package versions
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          OWNER="${{ github.repository_owner }}"
+          PACKAGE="${{ github.event.repository.name }}"
+          DELETED=0
+          KEPT=0
+
+          echo "Fetching package versions for ${OWNER}/${PACKAGE}..."
+
+          # Collect all versions into a temp file (handles pagination via --paginate)
+          gh api \
+            -H "Accept: application/vnd.github+json" \
+            "/users/${OWNER}/packages/container/${PACKAGE}/versions" \
+            --paginate > /tmp/versions.json
+
+          TOTAL=$(jq 'length' /tmp/versions.json)
+          echo "Found ${TOTAL} total package versions."
+          echo ""
+
+          jq -c '.[]' /tmp/versions.json | while read -r version; do
+            VERSION_ID=$(echo "$version" | jq -r '.id')
+            TAGS=$(echo "$version" | jq -r '.metadata.container.tags // [] | .[]')
+
+            # Skip untagged versions — never delete them (likely referenced by a manifest list)
+            if [ -z "$TAGS" ]; then
+              echo "KEEP  [${VERSION_ID}] (untagged)"
+              continue
+            fi
+
+            TAG_LIST=$(echo "$TAGS" | tr '\n' ' ' | sed 's/ $//')
+
+            # Guard: keep if ANY tag does not match build-[0-9a-f]+
+            PROTECTED=false
+            while IFS= read -r tag; do
+              if [[ ! "$tag" =~ ^build-[0-9a-f]+$ ]]; then
+                PROTECTED=true
+                break
+              fi
+            done <<< "$TAGS"
+
+            if [ "$PROTECTED" = true ]; then
+              echo "KEEP  [${VERSION_ID}] tags: ${TAG_LIST}"
+            else
+              echo "DELETE [${VERSION_ID}] tags: ${TAG_LIST}"
+              gh api \
+                --method DELETE \
+                -H "Accept: application/vnd.github+json" \
+                "/users/${OWNER}/packages/container/${PACKAGE}/versions/${VERSION_ID}"
+            fi
+          done
+
+          echo ""
+          echo "Cleanup complete."
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -22,7 +22,8 @@ concurrency:
 
 jobs:
   build-and-push:
-    # Tags are released by promoting the already-built edge image — no rebuild needed.
+    name: Docker / Build & Push
+    # Tags are released by promoting the already-built build image — no rebuild needed.
     if: ${{ !startsWith(github.ref, 'refs/tags/') }}
     runs-on: ubuntu-latest
     outputs:
@@ -55,6 +56,7 @@ jobs:
           tags: |
             type=ref,event=pr
             type=raw,value=edge,enable={{is_default_branch}}
+            type=sha,prefix=build-,format=short,enable={{is_default_branch}}
             type=raw,value=${{ inputs.version }},enable=${{ github.event_name == 'workflow_dispatch' }}
 
       - name: Build and push
@@ -153,21 +155,25 @@ jobs:
           grep "grype_${GRYPE_VERSION}_linux_amd64.tar.gz" "grype_${GRYPE_VERSION}_checksums.txt" | sha256sum --check
           tar -xzf "grype_${GRYPE_VERSION}_linux_amd64.tar.gz" -C /usr/local/bin grype
 
-      # Resolve the digest of the already-built, already-scanned edge image.
-      # The tag ruleset enforces Container Scan passed on this commit before the tag
-      # could be pushed, so edge is guaranteed clean at this point.
-      - name: Resolve edge digest
-        id: edge
+      # Resolve the digest of the build-{sha} image produced when this commit landed on main.
+      # The tag ruleset enforces Container Scan passed on this commit before the tag could be
+      # pushed, so the build image is guaranteed scanned. Using the commit-pinned build tag
+      # (not :edge) ensures we promote the exact image for this release regardless of how
+      # many commits have landed on main since.
+      - name: Resolve build image digest
+        id: build
         run: |
+          TAG="build-${GITHUB_SHA::7}"
           DIGEST=$(docker buildx imagetools inspect \
-            ghcr.io/${{ github.repository }}:edge \
+            "ghcr.io/${{ github.repository }}:${TAG}" \
             --format '{{.Manifest.Digest}}')
           echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
-          echo "Promoting edge digest: ${DIGEST}"
+          echo "tag=${TAG}" >> "$GITHUB_OUTPUT"
+          echo "Promoting ${TAG} @ ${DIGEST}"
 
-      - name: Scan edge image
+      - name: Scan build image
         run: |
-          grype ghcr.io/${{ github.repository }}@${{ steps.edge.outputs.digest }} \
+          grype "ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}" \
             --config .grype.yaml \
             -o "template=grype-report.txt" \
             -o "json=grype-report.json"
@@ -182,12 +188,12 @@ jobs:
             grype-report.json
           retention-days: 90
 
-      - name: Promote edge to release tags
+      - name: Promote build image to release tags
         run: |
           VERSION=${GITHUB_REF_NAME}
           MAJOR=$(echo ${VERSION} | cut -d. -f1)
           MINOR=$(echo ${VERSION} | cut -d. -f1-2)
-          SOURCE="ghcr.io/${{ github.repository }}@${{ steps.edge.outputs.digest }}"
+          SOURCE="ghcr.io/${{ github.repository }}@${{ steps.build.outputs.digest }}"
           docker buildx imagetools create \
             --tag "ghcr.io/${{ github.repository }}:${VERSION}" \
             --tag "ghcr.io/${{ github.repository }}:${MINOR}" \
diff --git a/build.gradle b/build.gradle
@@ -79,7 +79,7 @@ ext {
 
 allprojects {
     group = 'org.finos.gitproxy'
-    version = '1.0.0-beta.7'
+    version = '1.0.0-rc.1'
     
     repositories {
         mavenCentral()
