Skip to content

fix: clean up main branch container images#1339

Open
valdo766hi wants to merge 4 commits into
NVIDIA:mainfrom
valdo766hi:fix-cleanup-main-container-images-171
Open

fix: clean up main branch container images#1339
valdo766hi wants to merge 4 commits into
NVIDIA:mainfrom
valdo766hi:fix-cleanup-main-container-images-171

Conversation

@valdo766hi

@valdo766hi valdo766hi commented May 27, 2026

Copy link
Copy Markdown

Closes #171.

Summary

This completes the cleanup work started in #598.

The existing workflow only removes untagged GHCR images. Images published from main are tagged as main-<shortsha>, so they were not covered by the untagged cleanup policy.

Changes

  • keep the existing untagged image cleanup
  • add cleanup for old main-* tagged images
  • keep the latest 10 matching main images
  • preserve release tags by only matching main-*
  • keep manual runs dry-run safe by default
  • allow scheduled runs to perform real cleanup
  • add currently published packages missing from the cleanup matrix

Validation

ruby -e 'require "yaml"; YAML.load_file(".github/workflows/cleanup-untagged-images.yml"); puts "valid yaml"'
grep -nE 'delete-tags: main-\*|keep-n-tagged: 10|older-than:|validate: true' .github/workflows/cleanup-untagged-images.yml
grep -c "dry-run: \${{ github.event_name == 'workflow_dispatch' && github.event.inputs.dry_run || 'false' }}" .github/workflows/cleanup-untagged-images.yml
git diff --check

Summary by CodeRabbit

  • Chores
    • Renamed and clarified the container image cleanup workflow and its manual-run inputs.
    • Reformatted cutoff input to a human-readable "30 days" and standardized retention defaults.
    • Expanded the list of image packages covered and improved ordering.
    • Adjusted behavior for dry-run between scheduled and manual runs.
    • Added automated removal of older build tags, preserving the 10 most recent and enabling validation.

Signed-off-by: valdo766hi <rivaldosilalahi13@gmail.com>
@copy-pr-bot

copy-pr-bot Bot commented May 27, 2026

Copy link
Copy Markdown

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

@coderabbitai

coderabbitai Bot commented May 27, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 9bfd6aa1-8fa1-4eaf-b4cc-230fbb488098

📥 Commits

Reviewing files that changed from the base of the PR and between ebb9dfc and 595eb3d.

📒 Files selected for processing (1)
  • .github/workflows/cleanup-untagged-images.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/cleanup-untagged-images.yml

📝 Walkthrough

Walkthrough

GitHub Actions workflow now named "Cleanup Container Images"; reformats cut_off to "30 days"; expands the container image matrix with additional packages; updates the retention step to default dry-run: false for scheduled runs; and adds ghcr cleanup step to remove old main-* tags, keeping 10 recent.

Changes

Container Image Cleanup Workflow

Layer / File(s) Summary
Workflow metadata and input parameters
.github/workflows/cleanup-untagged-images.yml
Workflow display name changed from "Cleanup Untagged Container Images" to "Cleanup Container Images"; job renamed from cleanup-untagged-images to cleanup-container-images; cut_off input default reformatted from '30d' to '30 days'.
Container image matrix expansion
.github/workflows/cleanup-untagged-images.yml
Image package matrix expanded with new packages including nvsentinel/plugins-slinky-drainer, nvsentinel/gpu-reset, nvsentinel/janitor-provider, and nvsentinel/preflight-nccl-loopback, with existing entries reordered.
Image cleanup steps and retention policy
.github/workflows/cleanup-untagged-images.yml
snok/container-retention-policy updated to fall back to '30 days' and dry-run: false for scheduled runs; new dataaxiom/ghcr-cleanup-action step added to delete main-* tags older than cut_off, with keep-n-tagged: 10, dry-run wired to manual input, and validate: true.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 From main the tags sprout, many bright,
I nip the weeds beneath the night.
Ten I keep, the rest I prune,
Registry tidy by the moon,
Hops and carrots—cleanup done!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: adding cleanup for main branch container images. It directly relates to the primary objective in the changeset.
Linked Issues check ✅ Passed The PR implements all core requirements from issue #171: adding cleanup for main-* tagged images, retaining 10 recent images, defaulting manual runs to dry-run, and extending the cleanup matrix.
Out of Scope Changes check ✅ Passed All changes are scoped to the cleanup workflow objectives. The matrix additions (nvsentinel/plugins-slinky-drainer, gpu-reset, janitor-provider, preflight-nccl-loopback) represent published packages missing from cleanup, directly supporting the requirement to extend coverage.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands and usage tips.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/cleanup-untagged-images.yml:
- Line 117: Replace the mutable tag usage "dataaxiom/ghcr-cleanup-action@v1.2.1"
with an immutable 40-character commit SHA for the same action (e.g.,
"dataaxiom/ghcr-cleanup-action@<full-commit-sha>"); find the correct commit SHA
in the dataaxiom/ghcr-cleanup-action repository (the commit corresponding to
v1.2.1 or the desired release) and update the uses line so the workflow
references that exact SHA instead of the version tag.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 66fc5d07-a25f-447a-9701-ec209549213d

📥 Commits

Reviewing files that changed from the base of the PR and between c28bf0c and 15feb10.

📒 Files selected for processing (1)
  • .github/workflows/cleanup-untagged-images.yml

Comment thread .github/workflows/cleanup-untagged-images.yml Outdated
Signed-off-by: valdo766hi <rivaldosilalahi13@gmail.com>
Signed-off-by: valdo766hi <rivaldosilalahi13@gmail.com>
@valdo766hi

Copy link
Copy Markdown
Author

please take a look sir @KaivalyaMDabhadkar

@KaivalyaMDabhadkar

Copy link
Copy Markdown
Contributor

Thanks for the PR @valdo766hi !
Requesting some changes before we enable scheduled real deletion here:

This PR changes scheduled runs from dry-run to real deletion, because schedule events now resolve dry-run to false. That is fine for the new main-* cleanup goal, but it also makes the existing untagged cleanup step delete for real.

This step is still using snok/container-retention-policy@v3.0.1. NVSentinel publishes multi-arch images (linux/amd64,linux/arm64), and snok’s docs state that GHCR represents multi-arch child manifests as untagged package versions; deleting those children can break the tagged parent image. snok documents automatic multi-arch child protection starting in v3.1.0, while this workflow is pinned to v3.0.1.

Can you please:

  1. Run this workflow manually with dry_run: true and share the output before we enable scheduled deletion.
  2. Since this PR also changes scheduled runs from dry-run to real deletion, can we make the untagged cleanup multi-arch safe before merge, either by upgrading to a pinned snok v3.1.0 SHA or by moving untagged cleanup to dataaxiom/ghcr-cleanup-action as well?

Signed-off-by: valdo766hi <rivaldosilalahi13@gmail.com>
@valdo766hi

valdo766hi commented Jun 2, 2026

Copy link
Copy Markdown
Author

Thanks for the review @KaivalyaMDabhadkar.

I updated the existing untagged cleanup to use snok/container-retention-policy v3.1.0 pinned by full commit SHA.

For the dry-run output, running this from my fork would not be useful because the job is guarded with github.repository == 'NVIDIA/NVSentinel', so it would skip outside the upstream repo.

Could a maintainer/vetter trigger or approve a manual workflow_dispatch run in NVIDIA/NVSentinel with dry_run=true?

@github-actions

Copy link
Copy Markdown
Contributor

@valdo766hi this PR has been inactive for 14 days. Do you need help finishing it, or should we close it for now? Feel free to reopen anytime.

@lalitadithya

Copy link
Copy Markdown
Collaborator

@KaivalyaMDabhadkar , can you please help here?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[Feature]: Clean up old images published form main in container registry

3 participants