ci: clean up GHCR CI image after pipeline finishes

Every CI run pushes ghcr.io/<repo>/appwrite-dev:<sha> and nothing
removes it. On an active repo with many PRs the GHCR storage grows
without bound. Add a cleanup job that runs after all consumer jobs
complete (always, even if some fail) and deletes the SHA-tagged
package version via the Packages API.

Addresses Greptile feedback on appwrite/appwrite#12176.

.github/workflows/ci.yml

@@ -871,3 +871,29 @@ jobs:
       - name: Fail benchmark
         if: always() && steps.benchmark_after.outcome != 'success'
         run: exit 1
+
+  cleanup:
+    name: Cleanup GHCR Image
+    if: ${{ always() && github.event_name == 'pull_request' }}
+    needs: [build, unit, e2e_general, e2e_service, e2e_abuse, e2e_screenshots, benchmark]
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Delete CI image from GHCR
+        continue-on-error: true
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          package_path="${GITHUB_REPOSITORY#*/}/appwrite-dev"
+          encoded_path="$(printf '%s' "$package_path" | jq -Rr @uri)"
+          version_id=$(gh api -H "Accept: application/vnd.github+json" \
+            "/orgs/${GITHUB_REPOSITORY_OWNER}/packages/container/${encoded_path}/versions" \
+            --jq ".[] | select(.metadata.container.tags | index(\"${GITHUB_SHA}\")) | .id")
+          if [ -n "$version_id" ]; then
+            gh api --method DELETE -H "Accept: application/vnd.github+json" \
+              "/orgs/${GITHUB_REPOSITORY_OWNER}/packages/container/${encoded_path}/versions/${version_id}"
+            echo "Deleted ${package_path}:${GITHUB_SHA} (version ${version_id})"
+          else
+            echo "No GHCR version found for SHA ${GITHUB_SHA}"
+          fi