
Do you really need a personal access token?

Open sihil opened this issue 2 years ago • 13 comments

This looks really useful although I'm very reluctant to create a PAT.

Have you experimented to see whether this can be replaced with a packages: write permission? i.e.

name: Delete old container images

on:
  schedule:
    - cron: '0 0 * * *'  # every day at midnight

permissions:
  packages: write

jobs:
  clean-ghcr:
    name: Delete old unused container images
    runs-on: ubuntu-latest
    steps:
      - name: Delete 'dev' containers older than a week
        uses: snok/container-retention-policy@v1
        with:
          image-names: python-dev, js-dev
          cut-off: A week ago UTC
          account-type: org
          org-name: my-org
          keep-at-least: 1
          untagged-only: true

This certainly lets you push and pull containers but I don't know if delete is included in write. I wondered if you knew one way or the other.

sihil avatar Mar 16 '22 15:03 sihil

Things change all the time, but last time I checked a PAT was required. Definitely understand your hesitation though - not entirely comfortable with it either.

sondrelg avatar Mar 16 '22 16:03 sondrelg

Thanks for the quick reply. I will experiment and feedback just in case it has changed.

sihil avatar Mar 16 '22 16:03 sihil

Please do 🥇 And I guess we can leave this open for a while in case anyone else has relevant input 👍

sondrelg avatar Mar 16 '22 21:03 sondrelg

It hasn't changed. A personal access token is still required 😢

Would be great to understand if packages/delete will make it to the GITHUB_TOKEN permissions anytime soon @NamrataJha et al.

sihil avatar Mar 18 '22 18:03 sihil

I can confirm that, at the moment, an own personal access token with packages: delete permission is required.

GITHUB_TOKEN is not enough at the current moment.

andygrunwald avatar Mar 19 '22 16:03 andygrunwald

This GitHub blog post states GITHUB_TOKEN is supported in delete operations

tuler avatar Aug 18 '22 20:08 tuler

I just tried switching in one of my workflows, and it resulted in a 500 internal server error :thinking:

sondrelg avatar Sep 03 '22 18:09 sondrelg

> This GitHub blog post states GITHUB_TOKEN is supported in delete operations

The article is referring to a different type of API endpoint used by docker CLI to login, push, pull, rm images... that type of API is in fact supported by ${{ secrets.GITHUB_TOKEN }} and is used by Docker Login Action. However, afaik, docker cannot remove container images from private repositories.

To delete private container images, you need access via api.github.com REST API endpoint, which as of now is not supported by ${{ secrets.GITHUB_TOKEN }}.

timofey-drozhzhin avatar Sep 13 '22 03:09 timofey-drozhzhin

> It hasn't changed. A personal access token is still required :cry:

I've opened a community discussion on this topic over here:

  • https://github.com/community/community/discussions/50123

Feel free to comment on or upvote the discussion to boost its visibility/priority.

ruffsl avatar Mar 15 '23 13:03 ruffsl

Did anyone test fine-grained tokens https://github.blog/2022-10-18-introducing-fine-grained-personal-access-tokens-for-github/ for that?

ad-m-ss avatar Apr 14 '23 02:04 ad-m-ss

Not sure if something has changed with the API, but the github provided action for cleaning up packages does work with the standard runner token. As does this action.

Unfortunately neither provide the option for excluding an image from deletion by tag 😞 .

rob-whittle avatar Apr 18 '23 12:04 rob-whittle

The other actions query the packages individually, and that operation works with the default token, as long as the repository can manage its own packages:

  • https://api.github.com/orgs/{organization}/packages?package_type=container 🚫
  • https://api.github.com/orgs/{organization}/packages/container/{name}/versions ✅

This action doesn't have an easy migration path to the latter, because it also supports regular expressions for package names.

0x2b3bfa0 avatar Sep 25 '23 14:09 0x2b3bfa0
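The distinction above (listing every package in the org needs a PAT, querying one named package's versions works with the repository's default token) and the policy fields in the workflow from the opening post (cut-off, keep-at-least, untagged-only) can be put together in a small script. The following is an added example, not code from the snok/container-retention-policy action: it decides whether a set of image names is fully specified or contains patterns, builds the per-package versions and delete URLs, and applies the retention policy to a constructed list of versions shaped like the REST API response. Treating a name as a regex only when it contains regex metacharacters, and having keep-at-least protect the newest N versions regardless of age, are this example's own assumptions.

```python
"""Added example: GHCR retention policy against the per-package versions
endpoint, which works with ${{ secrets.GITHUB_TOKEN }} when the repository
is allowed to manage the package. Listing all packages in an org is the
call that needs a PAT, so names must be fully specified (no patterns).
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

API = "https://api.github.com"
# Assumption: a name is a regex pattern iff it contains one of these.
_REGEX_META = set(".*+?[](){}|^$\\")


def needs_org_listing(image_names):
    """True when any name is a pattern: the caller would first have to list
    all packages in the org (GET /orgs/{org}/packages), the endpoint that
    the default token cannot use. Literal names can be queried one by one."""
    return any(_REGEX_META & set(name) for name in image_names)


def version_endpoints(org, name, version_id=None):
    """URL to list a package's versions, or (with version_id) to DELETE one.
    Both are per-package calls: GET/DELETE /orgs/{org}/packages/container/{name}/versions[/{id}]."""
    base = f"{API}/orgs/{quote(org)}/packages/container/{quote(name, safe='')}/versions"
    return base if version_id is None else f"{base}/{version_id}"


def auth_headers(token):
    """Headers usable with either a PAT or the workflow's GITHUB_TOKEN."""
    return {"Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json"}


def select_for_deletion(versions, cutoff, keep_at_least=0, untagged_only=False):
    """Return ids of versions updated before `cutoff` (optionally only
    untagged ones). The newest `keep_at_least` versions are never selected,
    whatever their age (this example's reading of keep-at-least)."""
    def updated(v):
        return datetime.fromisoformat(v["updated_at"].replace("Z", "+00:00"))

    newest_first = sorted(versions, key=updated, reverse=True)
    protected = {v["id"] for v in newest_first[:keep_at_least]}
    doomed = []
    for v in newest_first:
        tags = v.get("metadata", {}).get("container", {}).get("tags", [])
        if v["id"] in protected or updated(v) >= cutoff:
            continue
        if untagged_only and tags:
            continue
        doomed.append(v["id"])
    return doomed


# Constructed sample data mimicking the API response shape (ids and dates invented).
NOW = datetime(2022, 3, 16, 15, 0, tzinfo=timezone.utc)
CUTOFF = NOW - timedelta(days=7)  # "A week ago UTC" from the workflow
SAMPLE_VERSIONS = [
    {"id": 1, "updated_at": "2022-03-15T10:00:00Z", "metadata": {"container": {"tags": ["latest"]}}},
    {"id": 2, "updated_at": "2022-03-01T10:00:00Z", "metadata": {"container": {"tags": []}}},
    {"id": 3, "updated_at": "2022-02-20T10:00:00Z", "metadata": {"container": {"tags": ["v1.0"]}}},
    {"id": 4, "updated_at": "2022-01-05T10:00:00Z", "metadata": {"container": {"tags": []}}},
]

if __name__ == "__main__":
    names = ["python-dev", "js-dev"]
    token_kind = "PAT" if needs_org_listing(names) else "GITHUB_TOKEN is sufficient"
    print(f"{names}: {token_kind}")
    for name in names:
        print("GET   ", version_endpoints("my-org", name))
    for vid in select_for_deletion(SAMPLE_VERSIONS, CUTOFF, keep_at_least=1, untagged_only=True):
        print("DELETE", version_endpoints("my-org", "python-dev", vid))
```

Running the script performs no network calls; it prints the GET and DELETE requests a cleanup job would issue, which makes the difference between the two token types visible before anything is deleted.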

@0x2b3bfa0 this is also my observation. In case we can identify the special case of only completely specified package names, it should be possible to use without a PAT similar to what I did in https://github.com/Chizkiyahu/delete-untagged-ghcr-action/pull/27/commits/3202d0501dfc8d1e1e1f84b126219b9978eb803e.

mering avatar Oct 31 '23 22:10 mering

> The other actions query the packages individually, and that operation works with the default token, as long as the repository can manage its own packages:
>
>   • https://api.github.com/orgs/{organization}/packages?package_type=container 🚫
>   • https://api.github.com/orgs/{organization}/packages/container/{name}/versions ✅
>
> This action doesn't have an easy migration path to the latter, because it also supports regular expressions for package names.

I have implemented this suggestion in the newest release. The action now supports:

  • Personal access tokens (classic ones)
  • secrets.GITHUB_TOKEN tokens, with some caveats - see details here
  • Tokens generated with a Github app

The new version is ready now, and the migration guide for v3 is included in the release post 👍

If you run into any issues, please share them in the issue opened for tracking the v3 release ☺️

sondrelg avatar Jun 24 '24 21:06 sondrelg