search

snok / container-retention-policy

GitHub action for pruning old GHCR container image versions.
MIT License
178 stars 29 forks source link

Filter-Tags not working as expected #77

Closed Catscratch closed 2 months ago

Catscratch commented 5 months ago

Hi everyone.

I'm trying to figure out how the filter-tags is supposed to work. I tried with fnmatch in PHP and it seems to behave different that that one in Python here.

Given the following configuration:

      - name: Delete 'SNAPSHOT-test' containers but latest two
        uses: snok/container-retention-policy@v2
        with:
          image-names: my-images
          filter-tags: "*.*.*-SNAPSHOT-test"
          cut-off: 1 minute ago UTC
          account-type: org
          org-name: myorg
          keep-at-least: 2
          token: ${{ secrets.GITHUB_TOKEN }}
          token-type: github-token
          dry-run: true

I got the following output when I run the action: image

The "X" marks the images the dry-run output reported for deletion. My expectation would be that the orange one would not be deleted (because of keep the last 2) and the red one should not match the filter-tags at all.

Can someone give me an advice what could go wrong here?

sondrelg commented 5 months ago

Here is the documentation for the fnmatch we use: https://docs.python.org/3/library/fnmatch.html

Would it be possible for you to just use *-SNAPSHOT-test?

Catscratch commented 5 months ago

Sure.

Here is the result: image

sondrelg commented 5 months ago

You've specified keep-at-least: 2, which seems like it might explain this result

Catscratch commented 5 months ago

I thought that would keep 2 versions of the filtered ones. That's what I would expect.

How is the keep-at-least applied in addition with the filtering?

sondrelg commented 5 months ago

It keeps at least 2 package versions in this case.

To list the package versions for an image, you can run:

curl -L \
        -H "Accept: application/vnd.github+json" \
        -H "Authorization: Bearer {PAT}" \
        -H "X-GitHub-Api-Version: 2022-11-28" \
        "https://api.github.com/user/packages/container/{image-name}/versions?per_page=100" -vv
Catscratch commented 5 months ago

But that will only list me all package versions. I want to cleanup SNAPSHOT versions only but keep at least the last two SNAPSHOT versions. My guess was to filter versions and applying the keep-at-least.

If that is not working, is there any other way to only cleanup SNAPSHOT versions but keep the newest ones?

sondrelg commented 5 months ago

Sorry, yeah you're right, it's weird that it's matching on 1.25.3. Without that in the list, I think it would have made sense to keep two package versions.

The keep-at-least has no ordering built in, IIRC. It will keep two versions at random. Perhaps we should fix that πŸ‘ Would that solve your issue?

Catscratch commented 5 months ago

Yes, it would. Thanks!

So a workaround for now would be to not use keep-at-least, but instead try to find a useful cut-off time.

sondrelg commented 5 months ago

Sounds like that would be best, for now. I'm working on a fix, but it might take a few weeks to release, as it will be a part of a larger release. I'll update this issue when there's news πŸ‘

zoltan-toth-mw commented 5 months ago

I can confirm that keep-at-least doesn't work with filter-tags. If I use filter tags + dry run, I can see that it wants to delete e.g.: only 2 SNAPSHOT prefixed images, but when I add keep-at-least to the mix it basically ignores the filtering.

My config:

      - name: test
        uses: snok/container-retention-policy@b95617ac96d929f7a37025691e1ad89be732fb46
        with:
          image-names: REDACTED
          cut-off: two minutes ago UTC
          timestamp-to-use: updated_at
          account-type: org
          org-name: REDACTED
          filter-tags: RELEASE-*
          token: ${{ secrets.GITHUB_TOKEN }}
          token-type: github-token
          dry-run: true
          keep-at-least: 1

I have only 2 images with RELEASE- prefix. But still:

Would delete image redacted:204836258.
Would delete image redacted:204546179.
Would delete image redacted:204388918.
Would delete image redacted:204367762.
Would delete image redacted:204361851.
Would delete image redacted:204339529.
Would delete image redacted:204331884.
Would delete image redacted:204243346.
Would delete image redacted:204236694.
Would delete image redacted:203998297.
No more versions to delete for redacted

vs remooving keep-at-least:1

Would delete image redacted:204843702.
Would delete image redacted:204836258.
No more versions to delete for redacted
sondrelg commented 2 months ago

This issue should be fixed in the latest release πŸ™‡ Sorry for the delay!

The inputs have changed a bit in the latest release, so a migration guide for v3 is included in the release post πŸ‘

It would be really appreciated if you'd be able to verify that it has been fixed for your case - the dry-run input is still available for testing.

If you see that it has not been fixed, please let me know here. If you run into any other issues, please share them in the issue opened for tracking the v3 release ☺️

Catscratch commented 2 months ago

Looks good! Seems to work. Also the migration guide was very helpful. Thanks!