Add support for deletion of container and npm packages #74
Comments
tinaheidinger
changed the title
|
+1 for ghcr packge version deletion support! |
|
Also, there should be a way to auto-delete the untagged docker images stored in the registry for that particular repo |
|
Deleting untagged multi-arch images might be tricky because the individual arch images aren't tagged (AFAIK). |
Have an idea |
|
This issue has caused our organization npm package registry to grow too large (started August/September), accumulating so many non-stable versions, because our retention policy is not being processed, via this GitHub action. I understand the code for this GitHub action and would like to help implement a fix. But what exactly is it in the new registry architecture that's causing an issue with this action? Described here in the docs https://docs.github.com/en/packages/learn-github-packages/deleting-and-restoring-a-package#deleting-a-version-of-a-repository-scoped-package-with-graphql is that a GraphQL mutation cannot be used to delete the package anymore. Is that the only problem, and we could perhaps modify the Or is there more to the permissions thing? Trying to execute the GraphQL query for the list of versions in one of our npm packages, it seems to return a very short list -- versions that were published around August. Versions that were published after some date in August, though still appearing in the Web UI, are not returned in the GraphQL query. Is the GraphQL query operation also not supported with the new architecture (which would lead to a bigger fix for this GitHub action)? |
|
@peter-at-work The GitHub Packages GraphQL API does not support containers or Docker images that use the package namespace https://ghcr.io/OWNER/PACKAGE-NAME, or npm images that use the package namespace https://npm.pkg.github.com/OWNER/PACKAGE-NAME. For more information about GraphQL support, see "Deleting a version of a repository-scoped package with GraphQL." it means new npm packages published after August will not appear on GraphQL output. |
I really want to start a discussion on this. Our organization really needs this GitHub action for running our artifact/package retention policies. We could readily fork this action repo and refactor within our fork, but we also would want to contribute back to the GitHub Actions community and provide a usable fix. There are a few roadmap topics we would want to get some clarification on. In the public repositories for @actions, it seems that this is the only GitHub Action that deals with GitHub Packages. There aren't any actions for publishing into GitHub Packages because the individual tools are used (e.g., It is documented that GraphQL doesn't support NPM and Container packages, but is it in the roadmap for GraphQL to support this? I don't see any technical reason preventing the implementation of proper GraphQL resolvers to handle the different architecture for NPM and Container packages. If that's the case, should we just wait for GitHub to develop the appropriate resolvers? The GraphQL resolvers are, understandably, private to GitHub, and we won't be able to contribute to it. If GraphQL support is not ever planned, then is a refactor to the Packages REST API the right approach? With the Packages REST API, there is one additional requirement of providing the package_type (e.g., Also, will the different architecture for NPM and Container packages introduce some conditional code? The other package types are still associated with repos, so the |
|
Is there any progress here? |
|
As an organization (and paying for GitHub Enterprise), we still a prefer a GitHub-authored/sanctioned action for processing our package retention policies. Some organizations have tight security restrictions on what open-source packages can be incorporated into their software development lifecycle. The reason is often dependent on the size, reputation, and longevity of the maintainers of the packages, to minimize the risk of rogue actors arising in the software supply chain. The action implemented in https://github.com/SmartsquareGmbH/delete-old-packages has more recent activity and has technically surpassed the features of this action. It uses a strategy-based (GraphQL, REST) approach to this issue and have addressed this limitation on npm packages with their v0.6.0 release. Can we get some thoughts from the maintainers on what the roadmap is for this GitHub-authored action? |
|
@peter-at-work |
|
We are working on supporting this action for all the registries migrated to the new architecture. The tentative release date is 20th January 2023. |
|
This has been resolved with v4.0.0 of this Action. Required steps to use this Action for the new GitHub Packages architecture:
|
We just tested v4 of the action, and it properly purged old versions of our NPM packages and matched the retention policy we specified. 🙏Thank you! |
|
@tinaheidinger how do I make it work for GHCR packages? I tried a few different things but always get This is my config: |
|
@DaveFPM i got the same error, then i added the owner and token and it works |
|
@DaveFPM package-name will be
@csaba-kovacs |
|
@s-anupam even if i have the Manage Action access set to the repo with admin role still gives me API error without using token. |
|
@csaba-kovacs Can we know whether the correct permissions are set for the GITHUB_TOKEN over packages as |
|
@nishthaGupta Ah yes, i set the permission/package scope to write on the job level and it solved it. Thanks!:) |
|
@s-anupam Thanks for that, it worked. But does it also support |
This action currently does not work with GitHub Container Registry packages. Also, the npm registry is about to be migrated to the same new architecture as GHCR, this action won't work for npm soon too.
To do: adapt this action to work with the new GitHub Package Registry achitecture in order to support deleting packages from container and npm registries.
The text was updated successfully, but these errors were encountered: