workflows: new "CI house keeping"

[wainersm]

The e2e libvirt CI on pull request has pushed images to ghcr.io/confidential-containers/cloud-api-adaptor.

This added the ci_house_keeping.yaml workflow to run daily to clean up unused caa imags (e.g. when the pull request is closed).

[wainersm]

How I used the script to clean up images from my fork:

[wmoschet@wainer-laptop cloud-api-adaptor]$ ORG=wainersm PACKAGE_BASE_API=/users REPO=cc-cloud-api-adaptor ./hack/ci/gh_cleanup_images.sh 
::group::Delete images from closed PRs
PR cc-cloud-api-adaptor/pull/62 is closed
Delete image version=127568786
Delete image version=127568770
Delete image version=127568788
Delete image version=127568773
Delete image version=127568765
Delete image version=127568791
Delete image version=127568793
Deleted image ghcr.io/wainersm/cloud-api-adaptor:ci-pr62
PR cc-cloud-api-adaptor/pull/62 is closed
Delete image version=127563353
Delete image version=127563358
Delete image version=127563364
Deleted image ghcr.io/wainersm/cloud-api-adaptor:ci-pr62-dev
PR cc-cloud-api-adaptor/pull/61 is closed
Delete image version=127357586
Delete image version=127357587
Delete image version=127357588
Deleted image ghcr.io/wainersm/cloud-api-adaptor:ci-pr61-dev
PR cc-cloud-api-adaptor/pull/60 is closed
Delete image version=127311708
Delete image version=127311705
Delete image version=127311717
Delete image version=127311713
Delete image version=127311711
Delete image version=127311720
Delete image version=127311724
Deleted image ghcr.io/wainersm/cloud-api-adaptor:ci-pr60
PR cc-cloud-api-adaptor/pull/60 is closed
Delete image version=127309604
Delete image version=127309606
Delete image version=127309608
Deleted image ghcr.io/wainersm/cloud-api-adaptor:ci-pr60-dev
PR cc-cloud-api-adaptor/pull/59 is closed
Delete image version=127228715
Delete image version=127228712
Delete image version=127228726
Delete image version=127228723
Delete image version=127228718
Delete image version=127228729
Delete image version=127228732
Deleted image ghcr.io/wainersm/cloud-api-adaptor:ci-pr59
PR cc-cloud-api-adaptor/pull/59 is closed
Delete image version=127224439
Delete image version=127224440
Delete image version=127224443
Deleted image ghcr.io/wainersm/cloud-api-adaptor:ci-pr59-dev
PR cc-cloud-api-adaptor/pull/58 is closed
Delete image version=127184131
Delete image version=127184126
Delete image version=127184136
Delete image version=127184120
Delete image version=127184117
Delete image version=127184139
Delete image version=127184140
Deleted image ghcr.io/wainersm/cloud-api-adaptor:ci-pr58
PR cc-cloud-api-adaptor/pull/58 is closed
Delete image version=127180530
Delete image version=127180533
Delete image version=127180537
Deleted image ghcr.io/wainersm/cloud-api-adaptor:ci-pr58-dev
PR cc-cloud-api-adaptor/pull/46 is closed
Delete image version=116862925
Delete image version=116862922
Delete image version=116862929
Delete image version=116862917
Delete image version=116862918
Delete image version=116862933
Delete image version=116862937
Deleted image ghcr.io/wainersm/cloud-api-adaptor:ci-pr46
PR cc-cloud-api-adaptor/pull/46 is closed
Delete image version=116860596
Delete image version=116860597
Delete image version=116860599
Deleted image ghcr.io/wainersm/cloud-api-adaptor:ci-pr46-dev
PR cc-cloud-api-adaptor/pull/45 is closed
Delete image version=116812394
Delete image version=116812397
Delete image version=116812389
Delete image version=116812392
Delete image version=116812386
Delete image version=116812402
Delete image version=116812404
Deleted image ghcr.io/wainersm/cloud-api-adaptor:ci-pr45
PR cc-cloud-api-adaptor/pull/45 is closed
Delete image version=116810190
Delete image version=116810193
Delete image version=116810196
Deleted image ghcr.io/wainersm/cloud-api-adaptor:ci-pr45-dev
::endgroup::
::group::Delete dangling images
Delete image version=127299932
Delete image version=127299930
Delete image version=127299926
Delete image version=127299925
Delete image version=127299923
Delete image version=127299922
Delete image version=127299920
Delete image version=127298973
Delete image version=127298970
Delete image version=127298968
Delete image version=116791282
Delete image version=116791280
Delete image version=116791277
Delete image version=116791275
Delete image version=116791273
Delete image version=116791272
Delete image version=116791270
Delete image version=116787084
Delete image version=116787081
Delete image version=116787078
Delete image version=116742122
Delete image version=116742115
Delete image version=116742110
Delete image version=116742104
Delete image version=116742098
Delete image version=116742092
Delete image version=116742089
Delete image version=116741312
Delete image version=116741307
Delete image version=116741302
Delete image version=116741296
Delete image version=116741290
Delete image version=116741283
Delete image version=116741279
Delete image version=116738135
Delete image version=116738131
Delete image version=116738128
::endgroup::

[wainersm]

hey @fidencio ! you might be interested on that script as we are starting to publish kata containers images on ghcr.io

[snir911]

unrelated question, is there a risk we will be hitting the push/pull limit of ghcr.io?
LGTM overall, nit, s/imags/images in the commit msg

[ldoktor]

I can see 19 closed PRs within the last week and 56 within last month, wouldn't a weekly upkeep be more suitable?

[wainersm]

Good idea @ldoktor! I will change it.

[wainersm]

Rebased the code and changed the workflow to run weekly as suggested by @ldoktor

[ldoktor]

Thank you @wainersm, it looks good to me although I wasn't able to test it due to permission issues so without seeing the json responses from GH I can not guarantee it's all correct. Anyway the approach to get all images and check if that PR is closed or not especially with PR caching seems good to me.

One thing I don't understand is why don't we remove the old images on PR update directly? I mean this upkeep script would be still useful in case some PR fails to remove it for whatever reason so I believe this upkeep script should be here, but perhaps we could even try removing the images on PR update to faster remove the outdated images (at least if I understand it correctly)

[bpradipt]

@ldoktor can you ptal and provide your review comments.

[bpradipt]

@wainersm based on the last comment from @ldoktor, is anything pending ?

[ldoktor]

@wainersm based on the last comment from @ldoktor, is anything pending ?

Not really, it was just a suggestion that we might additionally use on.pull_request.types.closed and clean the images directly on PR close. Still having a cleaner job running makes sense to me in case the on-closed pipeline fails. So the only question is whether we want to add it as well or just rely on weekly cleanup.

[ldoktor]

Thanks, as I mentioned I don't have the permission to check it works properly but visually the code seems to be doing what is mentioned.

Maybe last nitpick, the ci_house_keeping.yaml name is sensible, but since it's only about ghcr images it could something like ci_ghcr_periodic_cleanup.yaml would be more appropriate. But we can re-name it once/if we have more house-keeping ci scripts ;-)