708aea2532
Pin every third-party action in .github/workflows/ to a full commit SHA with a trailing version comment, and bump to the latest stable release. Defends against tag-rewrite supply-chain attacks while keeping versions legible.
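# Runs when a pull request is closed. Removes the Actions cache entries scoped
# to the PR's merge ref, then deletes GHCR container versions of the
# "<repo>/appwrite-dev" package that are tagged with one of the PR's commit SHAs.
name: Cleanup Cache

on:
  pull_request:
    types:
      - closed

# Token scopes for the whole workflow: `actions: write` is used by the cache
# deletion, `packages: write` by the GHCR version deletion, `contents: read`
# by the checkout.
permissions:
  actions: write
  contents: read
  packages: write

jobs:
  cleanup:
    runs-on: ubuntu-latest
    steps:
      - name: Check out code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Later steps authenticate through GH_TOKEN only, so the token
          # does not need to stay behind in the checked-out git config.
          persist-credentials: false

      - name: Cleanup
        run: |
          # NOTE(review): this extension is fetched at run time and is not
          # pinned the way the `uses:` action above is. `gh extension install`
          # accepts `--pin <tag-or-commit>`; consider pinning to a reviewed ref.
          gh extension install actions/gh-actions-cache

          while true
          do
            cacheKeysForPR=$(gh actions-cache list -R "$REPO" -B "$BRANCH" -L 100 | cut -f 1)

            if [ -z "$cacheKeysForPR" ]
            then
              break
            fi

            # A failed delete must not fail the workflow, so each call is
            # guarded by `if` instead of disabling errexit. Keys are read one
            # per line and quoted so whitespace or glob characters in a key
            # are passed through unchanged.
            deleted=0
            while IFS= read -r cacheKey
            do
              if gh actions-cache delete "$cacheKey" -R "$REPO" -B "$BRANCH" --confirm < /dev/null
              then
                deleted=$((deleted + 1))
              fi
            done <<< "$cacheKeysForPR"

            # If a whole pass deleted nothing (for example the token is
            # read-only), the next listing would return the same keys again.
            # Stop instead of looping until the job times out.
            if [ "$deleted" -eq 0 ]
            then
              echo "No cache entries could be deleted; stopping."
              break
            fi
          done
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Event data is handed to the script through the environment rather
          # than expanded into the script text, so it is always treated as data.
          REPO: ${{ github.repository }}
          BRANCH: "refs/pull/${{ github.event.pull_request.number }}/merge"

      - name: Cleanup GHCR image
        continue-on-error: true
        run: |
          package_path="${GITHUB_REPOSITORY#*/}/appwrite-dev"
          # The package name contains a slash and has to be URL-encoded for the API path.
          encoded_path="$(printf '%s' "$package_path" | jq -Rr @uri)"

          gh api --paginate "/repos/${GITHUB_REPOSITORY}/pulls/${PR_NUMBER}/commits" --jq '.[].sha' | while read -r sha; do
            # Package versions carrying this commit SHA as one of their tags.
            version_ids=$(gh api --paginate -H "Accept: application/vnd.github+json" \
              "/orgs/${GITHUB_REPOSITORY_OWNER}/packages/container/${encoded_path}/versions" \
              --jq ".[] | select(.metadata.container.tags | index(\"${sha}\")) | .id")

            if [ -z "$version_ids" ]; then
              echo "No GHCR version found for SHA ${sha}"
              continue
            fi

            echo "$version_ids" | while read -r version_id; do
              gh api --method DELETE -H "Accept: application/vnd.github+json" \
                "/orgs/${GITHUB_REPOSITORY_OWNER}/packages/container/${encoded_path}/versions/${version_id}"
              echo "Deleted ${package_path}:${sha} (version ${version_id})"
            done
          done
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Passed through the environment instead of being expanded into the script text.
          PR_NUMBER: ${{ github.event.pull_request.number }}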