Clean up stale buildcaches #709
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,72 @@ | ||
| # GHCR Buildcache Cleanup | ||
| # | ||
| # The Spack CI (spack.yml) pushes binary packages to an OCI buildcache at | ||
| # ghcr.io/awslabs/palace-develop-testing. Over time, this accumulates stale | ||
| # versions as dependencies get rebuilt with new hashes. | ||
| # | ||
| # This workflow periodically prunes old versions, keeping the most recent ones | ||
| # so that the cache remains useful without growing unboundedly. | ||
| # | ||
| # ## How GHCR package linking works | ||
| # | ||
| # GitHub Packages (GHCR) can be linked to a repository, which grants repo | ||
| # collaborators with write access the ability to manage packages. This link | ||
| # also allows the GITHUB_TOKEN in workflows to delete package versions. | ||
| # | ||
| # The link is established by adding an OCI config label: | ||
| # | ||
| # org.opencontainers.image.source=https://github.com/awslabs/palace | ||
|
cameronrutherford marked this conversation as resolved.
|
||
| # | ||
| # We used `crane mutate --label` to add this to a tag in the package, which | ||
| # caused GHCR to auto-link the package to this repo. Once linked, the | ||
| # association persists at the GitHub level regardless of individual tag labels. | ||
|
Comment on lines
+20
to
+22
Contributor
There was a problem hiding this comment. Maybe I am just naive but who is "we" here? Our CI jobs do this? |
||
| # | ||
| # If the package is ever deleted and recreated (e.g., a full cache rebuild), | ||
| # the link must be re-established. To do this: | ||
| # | ||
| # 1. Install crane: https://github.com/google/go-containerregistry | ||
| # 2. Authenticate: echo $TOKEN | crane auth login ghcr.io -u USER --password-stdin | ||
| # 3. Label any tag: | ||
| # crane mutate ghcr.io/awslabs/palace-develop-testing:index.spack \ | ||
| # --label org.opencontainers.image.source=https://github.com/awslabs/palace | ||
| # 4. Verify the link: | ||
| # gh api orgs/awslabs/packages/container/palace-develop-testing \ | ||
| # --jq '.repository.full_name' | ||
| # | ||
| # Or as a GitHub Actions step: | ||
|
Contributor
There was a problem hiding this comment. I am interpreting this as "one needs to do this one-off operation on the Which begs the question - why don't we do this then in our GH Actions?
Member
Author
There was a problem hiding this comment. Correct. This is a one-off operation, but it it not cheap (if you do it naively). I thought about adding to our actions but I found that processing all the packages we have in our binary cache would take several hours. We could do something smarter, but I figured that we won't need to do this ever again (unless we change the name of the |
||
| # | ||
| # - name: Install crane | ||
| # run: | | ||
| # curl -sL "https://github.com/google/go-containerregistry/releases/download/v0.20.3/go-containerregistry_Linux_x86_64.tar.gz" \ | ||
| # | tar xz -C /usr/local/bin crane | ||
| # | ||
| # - name: Link GHCR package to repository | ||
| # run: | | ||
| # echo "${{ secrets.GITHUB_TOKEN }}" | crane auth login ghcr.io -u ${{ github.actor }} --password-stdin | ||
| # crane mutate ghcr.io/awslabs/palace-develop-testing:index.spack \ | ||
| # --label org.opencontainers.image.source=https://github.com/${{ github.repository }} | ||
| name: Cleanup GHCR Buildcache | ||
|
|
||
| on: | ||
| schedule: | ||
| - cron: '0 6,18 * * *' # Twice daily at 6:00 and 18:00 UTC | ||
|
Contributor
There was a problem hiding this comment. Maybe just once a week is fine? Curious how you decided on this cadence.
Member
Author
There was a problem hiding this comment. The action can only remove up to 100 packages every time it runs. |
||
| workflow_dispatch: | ||
|
|
||
| permissions: | ||
| packages: write | ||
|
|
||
| jobs: | ||
| cleanup: | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| # Each Spack spec is a tagged version in the container package. We keep | ||
| # the most recent 500 versions (roughly 5-10 full build sets) and delete | ||
| # older ones. The action deletes at most 100 per run. | ||
|
Comment on lines
+62
to
+64
Contributor
There was a problem hiding this comment. I would love to be a bit more scientific about this if possible. I am reading this as it deletes anything past n=500. That seems potentially too many deletions if we end up expanding the matrix of builds that we want to support. Ideally I would hope that one can just delete based on the age of an installation / the time since an installation was last used. In other words, it would be ideal to cleanup based on a different criteria:
|
||
| - name: Delete old buildcache versions | ||
| uses: actions/delete-package-versions@v5 | ||
| with: | ||
| package-name: palace-develop-testing | ||
| package-type: container | ||
| owner: awslabs | ||
| min-versions-to-keep: 500 | ||
| token: ${{ secrets.GITHUB_TOKEN }} | ||
Uh oh!
There was an error while loading. Please reload this page.