Manifest unknown after cleaning up untagged Docker images

[kkalev]

We are facing manifest unknown messages from GHCR after running a cleanup of untagged Docker images in our public and private repos.

The github action we implemented was as follows:

name: clean-untagged
run-name: Clean untagged GHCR Docker images
on:
  workflow_dispatch:
  schedule:
    - cron: 15 2 * * 0
jobs:
  clean-untagged:
    runs-on: ubuntu-latest
    steps:
      - name: Delete untagged ghcr
        uses: Chizkiyahu/delete-untagged-ghcr-action@v4.0.1
        with:
          token: ${{ secrets.GHCR_TOKEN }}
          untagged_only: true
          owner_type: 'org'

The GHCR_TOKEN is a PAT with read and write package permissions. The PAT belongs to an org admin.

After running the action (we had to run it twice to delete all untagged images from all our repos) we only observed tagged Docker images as expected. Yet after trying to docker pull any Docker image created from our repos (private and public) we got an error manifest unknown. The same for docker manifest inspect. It looks like the manifests were not part of the tagged Docker image versions.

Even if we browse the packages for a repo and copy paste the sha2 hash of the latest version docker manifest inspect will fail:

# docker manifest inspect ghcr.io/<org>/<repo>:latest@sha256:c4af81d78998657f15bc61ba02d44edd98c941becaa0027033798ceb06fb154b
manifest unknown

A new build/push (using github actions) allows us to pull images and manifests without any problems.

Any help will be appreciated.

[Chizkiyahu]

Can you send me a link to public repo ? how did you create and push the docker tag with image ?

[Chizkiyahu]

please set except_untagged_multiplatform to true

[kkalev]

Can you send me a link to public repo ?

Check this one. I have already run the builders (to make things work) so you will see untagged versions. If there is a need for your action to run for this specific repo I can try to do that (I support we will need an repository: 'gunet/cert-req' option)

how did you create and push the docker tag with image ?

Github action using the official docker actions. You can find the actions in the relevant folder in the above repo.

please set except_untagged_multiplatform to true

Thanks for the tip.

There are two things missing (AFAIK) from the documentation:

• It seems that the # Default: ${{ github.repository }} is incorrect. When I first setup the action I was banking on that default value for the action to only run in the repo it was setup in, yet it run for the whole organization (i setup owner_type: 'org')
• If the attribute except_untagged_multiplatform should be set to true in order to not lose any manifests it would be very helpful to have a hint in the documentation.

Only trying to help here, thanks for a very helpful action!

[Chizkiyahu]

@kkalev you have 3 sha in the untagged list manifest - sha256:2cdc1a38c734e649df5ea5a7904e8ad8059af1cddbd88490cb2b31a483daa8cd amd - sha256:1d8a60ff2ce0a12e04cf29f9fbaf79423d48988eda8d4b0cae1902d60fbbf112 ??? - sha256:3caabd9cff52cd433d4305df95fb6c1f50b974b7a58f3337033b14b3f0d667a6

if except_untagged_multiplatform hot help try to delete all of them in the gui and than build and see if is created 2 or 3

about the docs you are welcome to open a PR to improve the docs please update if is solved the problem

[kkalev]

Tried with except_untagged_multiplatform and everything seems to work. Submitted PR #46

Thanks again!

[Chizkiyahu]

@kkalev if is not working feel free to open again