Closed chang-annie closed 2 weeks ago
DOD completed with @ewilkins-csi
Some interesting findings:
When trying to pull on the manifest SHA for the 1.8.0
release images, we cannot simply use something like:
docker buildx imagetools inspect ghcr.io/boozallen/aissemble-spark:1.8.0 --format "{{json .Manifest}}" | jq -r .digest
This will output:
ERROR: failed to copy: httpReadSeeker: failed open: content at https://ghcr.io/v2/boozallen/aissemble-spark/manifests/sha256:c0ea773c38265bf3a80a133211aba2468dec87b8ce5b341d82611e2c81252147 not found: not found
Where the aforementioned SHA is connected to the build attestations. These are created because we have buildx's provenance
set to min
aka not false (default setting). This creates two extra manifests in the manifest list with os: unknown
and architecture: unknown
. You can further inspect those manifests to retrieve basic provenance info.
OTS completed with @carter-cundiff and @jaebchoi
OTS passed ✅
All tests passed. ✅
Reopening so we can test the fix to address docker images with no release versions (which is adding an extra comma at the front of our exclude-tags
parameter - e.g., exclude-tags: ,1.7.0,1.8.0
)
Final test: Passed. Did not delete any release version or the 2 latest dev versions.
Description
The Github prune action which clears out our older Docker images is too aggressive and as a result, the release images are being deleted.
This ticket is to adjust the workflow so that the multi-arch release images are no longer being deleted as part of the prune process.
DOD
Acceptance criteria required to realize the requested feature
1.9.0-SNAPSHOT
and we're also working on a patch version1.8.1-SNAPSHOT
at the same time, then we would want to keep the images for both snapshot versionsTest Strategy/Script
OTS:
dry-run: true
)prune_ghcr (image-name)
steps to confirm the followingPrune ghcr > Runtime configuration
section should includeexclude-tags: 1.7.0,1.8.0
. For example, usingaissemble-vault
:Prune ghcr > Loaded Package Data
section - note the two most recent NON-release versions found. For most images, this should be1.9.0-SNAPSHOT
and1.8.0-rc8
.aissemble-airflow
,aissemble-kafka
, andaissemble-mlflow
images are deprecated and will not have a1.9.0-SNAPSHOT
tagPrune ghcr > Finding tagged images to delete, keeping 2 versions section
and confirm that the list does not include any release versions (e.g.,1.8.0
,1.7.0
) or the two most recent non-release versions (e.g.,1.9.0-SNAPSHOT
,1.8.0-rc8
)Prune ghcr > Deleting packages
section and confirm that the list does not include any release versions or the two most recent non-release versionsFinal Test:
prune_ghcr (image-name)
steps to confirm the followingPrune ghcr > Runtime configuration
section should includeexclude-tags: 1.7.0,1.8.0
. For example, usingaissemble-vault
:Prune ghcr > Loaded Package Data
section - note the two most recent NON-release versions found. For most images, this should be1.9.0-SNAPSHOT
and1.8.0-rc8
.aissemble-airflow
,aissemble-kafka
, andaissemble-mlflow
images are deprecated and will not have a1.9.0-SNAPSHOT
tagPrune ghcr > Finding tagged images to delete, keeping 2 versions section
and confirm that the list does not include any release versions (e.g.,1.8.0
,1.7.0
) or the two most recent non-release versions (e.g.,1.9.0-SNAPSHOT
,1.8.0-rc8
)Prune ghcr > Deleting packages
section and confirm that the list does not include any release versions or the two most recent non-release versions1.8.0
,1.7.0
, and1.9.0-SNAPSHOT
docker imageReferences/Additional Context
Container retention policy doc