Add GHCR cleanup workflow to delete old container images #3136

Open
AnjaliMishra1st wants to merge 8 commits into open-telemetry:main from AnjaliMishra1st:patch-1

@AnjaliMishra1st

This PR introduces a GitHub Actions workflow to clean up old container images from GHCR.

  • Runs daily using a scheduled workflow
  • Deletes older container image versions
  • Keeps the latest 5 versions

This helps reduce storage clutter and maintain a clean registry.

@AnjaliMishra1st AnjaliMishra1st requested a review from a team as a code owner March 20, 2026 13:09
@osullivandonal
Contributor

@AnjaliMishra1st nice work on adding this job, just some things to consider here.

This cleanup job is quite aggressive; the otel demo release cadence is usually every few months, when a number of changes have accumulated. This job would run every day, which given that release cadence is very high. However, we do have a nightly build of images. Another thing to consider is users of older images in the GitHub container registry: the demo is used a lot by different users to showcase how to instrument a cloud service, and we may break a lot of demos by removing older versions of images.

For example, using `min-versions-to-keep: 5` would only keep less than a week of images in the nightly builds.

It would be great to hear from the maintainers here @open-telemetry/demo-maintainers .

@AnjaliMishra1st
Author

Thanks for the helpful feedback!
I’ve updated the workflow to run weekly instead of daily and increased the number of versions to keep for safer retention.
Please let me know if this looks better or if further adjustments are needed.

@github-actions

This PR was marked stale due to lack of activity. It will be closed in 7 days.

@github-actions github-actions bot added the Stale label Mar 28, 2026
@AnjaliMishra1st
Author

Hi maintainers 👋
Just a gentle follow-up on this PR. Based on earlier feedback, I’ve updated the workflow to run weekly and increased the number of retained versions to make it safer for users.
Could you please review when you have time? I’d really appreciate your feedback.

@open-telemetry/demo-maintainers
@osullivandonal
Thanks again! 🙂

@github-actions github-actions bot removed the Stale label Mar 30, 2026
Member

@julianocosta89 julianocosta89 left a comment

@AnjaliMishra1st sorry for the delay, last week was KubeCon and I'm still playing catch-up!
Regarding this PR I think we need to adjust a couple of things.

The Demo currently releases nightly builds, but we also have releases.
If I understood this gh workflow correctly, that will clean up everything that is older than 20 versions, but it doesn't differentiate releases from nightly builds.
Which means that if we run this today, we would remove versions 2.2.0, 2.1.3, and so on.

Ideally the clean up would run just for the nightly builds.

@AnjaliMishra1st
Author

Hi @julianocosta89 👋🏽
Thanks for the detailed feedback — that makes sense!
I understand that the workflow should not delete release versions and should only target nightly builds.
I’ll update the workflow to restrict cleanup to nightly images only and keep all release versions safe.

I’ll push the changes soon. Thanks again! 🙂

@puckpuck
Contributor

puckpuck commented Apr 8, 2026

Is there a way we can run this in some kind of dry-run mode first to see what images it would delete?

@AnjaliMishra1st
Author

Hi @julianocosta89 @puckpuck
Thank you for the helpful feedback! I’ve updated the workflow to include a dry-run mode and to restrict cleanup to nightly builds only, ensuring release versions remain safe.
Whenever you have time, I’d really appreciate your review and any further suggestions. Thank you! 🙂

@puckpuck
Contributor

puckpuck commented Apr 9, 2026

This looks fine. As it's configured right now nothing destructive will happen, and at 3am it will execute in dry_run mode producing a list of images that it would delete.

If that looks good, we can do another PR to update the dry_run setting to be false.

@puckpuck
Contributor

puckpuck commented Apr 9, 2026

@AnjaliMishra1st it's failing the yamllint and checklicense checks. We need to add a license copyright header to the file (see other GH action workflows for an example), and yamllint is likely extra white space or empty lines. The failed check output will have better details on the offending entries.

Copilot AI left a comment

Pull request overview

Adds a GitHub Actions workflow intended to prune older GHCR container image versions to reduce registry storage usage in open-telemetry/opentelemetry-demo.

Changes:

  • Introduces a new scheduled + manually-dispatchable workflow for GHCR cleanup.
  • Uses GitHub CLI (gh api) to list container package versions and delete matching versions (currently based on nightly-* tags).

Comment on lines +6 to +9
on:
schedule:
- cron: '0 3 * * 0'
workflow_dispatch:
Comment on lines +37 to +40
versions=$(gh api \
-H "Accept: application/vnd.github+json" \
/orgs/open-telemetry/packages/container/otel-demo/versions \
--jq '.[].id')
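Review bot: the listing call on `/orgs/open-telemetry/packages/container/otel-demo/versions` is made without `--paginate`, so `--jq '.[].id'` only ever sees the first page of results and older versions are never evaluated. Add `--paginate` to this `gh api` call so the loop that consumes `$versions` covers the full version list.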

versions=$(gh api \
-H "Accept: application/vnd.github+json" \
/orgs/open-telemetry/packages/container/otel-demo/versions \
Comment on lines +37 to +60
versions=$(gh api \
-H "Accept: application/vnd.github+json" \
/orgs/open-telemetry/packages/container/otel-demo/versions \
--jq '.[].id')

for version in $versions; do
tags=$(gh api \
-H "Accept: application/vnd.github+json" \
/orgs/open-telemetry/packages/container/otel-demo/versions/$version \
--jq '.metadata.container.tags[]?')

for tag in $tags; do
if [[ "$tag" == nightly-* ]]; then
echo "Found nightly image: $tag (version: $version)"

if [ "$DRY_RUN" = "true" ]; then
echo "[DRY RUN] Would delete version ID: $version"
else
echo "Deleting version ID: $version"
gh api --method DELETE \
-H "Accept: application/vnd.github+json" \
/orgs/open-telemetry/packages/container/otel-demo/versions/$version
fi
else
gh api --method DELETE \
-H "Accept: application/vnd.github+json" \
/orgs/open-telemetry/packages/container/otel-demo/versions/$version
fi
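Review bot: the outer `else` branch, after the `fi` that closes the `$DRY_RUN` check, runs `gh api --method DELETE` for every tag that does not match `nightly-*` and never consults `$DRY_RUN`, so release-tagged versions are deleted even in a dry run. Remove that branch so non-matching tags are simply skipped. Separately, the DELETE targets the whole version as soon as one tag matches, so a version carrying both a `nightly-*` tag and another tag is removed with all of its tags; check every tag of the version before deleting, and leave the inner `for tag` loop after a delete so the same version ID is not deleted a second time.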

steps:
- name: Checkout repository
uses: actions/checkout@v3
Member

After hash add some comment related to version, see other files


jobs:
cleanup:
runs-on: ubuntu-latest
Comment on lines +24 to +25
- name: Install GitHub CLI
run: sudo apt-get update && sudo apt-get install gh -y

steps:
- name: Checkout repository
uses: actions/checkout@v3
Member

All other GH actions pin versions to the exact commit + tag comment.
It should be applied also here.

Author

Good catch, I’ve updated this to use a pinned commit SHA and added a version comment for consistency with other workflows.

uses: actions/checkout@v3

- name: Install GitHub CLI
run: sudo apt-get update && sudo apt-get install gh -y
Member

Are you sure that it is needed? I think that GitHub CLI should be available by default on all default runners.

Author

You're right, I’ve removed the installation step since GitHub CLI is already available on default runners.

run: sudo apt-get update && sudo apt-get install gh -y

- name: Authenticate GitHub CLI
run: echo "${{ secrets.GITHUB_TOKEN }}" | gh auth login --with-token
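Review bot: on the `gh auth login --with-token` line, `${{ secrets.GITHUB_TOKEN }}` is substituted into the script text before the shell runs. Pass the token through the step's `env:` block as `GH_TOKEN` instead; `gh` reads that variable on its own, so this login step can be dropped.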
Member

I think that this one is also not necessary. In OTel .NET repository there is usage of gh-cli, but there is no need to login.

Author

Thanks for pointing this out, removed the unnecessary authentication step.


AnjaliMishra1st and others added 2 commits April 10, 2026 18:06
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
@AnjaliMishra1st
Author

Hi @Kielek @julianocosta89 @puckpuck
Thanks for the helpful feedback!
I’ve made the suggested updates:

  • Pinned checkout action with SHA
  • Removed unnecessary GitHub CLI setup
  • Added required permissions
  • Fixed dry-run logic and pagination
  • Ensured safe deletion with break and tag handling

I’ve kept the package name as-is for now—happy to adjust if needed.
Please let me know if anything else should be improved. Thanks!
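
The retention rule the reviewers converge on in this thread (nightly builds only, releases untouched, newest builds kept, dry run first) can be checked offline before any DELETE call is wired up. The following is an added example, not code from this PR or from the project; the function names, the `keep` parameter and the sample records are assumptions, with the records constructed in the shape of the `id` and `.metadata.container.tags` fields the workflow reads, plus the API's `created_at` field.

```python
import fnmatch

# Constructed sample in the shape of the package-versions listing;
# ids, dates and tags are made up for illustration.
SAMPLE_VERSIONS = [
    {"id": 101, "created_at": "2026-04-01T03:00:00Z",
     "metadata": {"container": {"tags": ["nightly-20260401"]}}},
    {"id": 102, "created_at": "2026-04-02T03:00:00Z",
     "metadata": {"container": {"tags": ["nightly-20260402", "2.2.0"]}}},
    {"id": 103, "created_at": "2026-04-03T03:00:00Z",
     "metadata": {"container": {"tags": ["nightly-20260403"]}}},
    {"id": 104, "created_at": "2026-04-04T03:00:00Z",
     "metadata": {"container": {"tags": []}}},
    {"id": 105, "created_at": "2026-04-05T03:00:00Z",
     "metadata": {"container": {"tags": ["nightly-20260405"]}}},
    {"id": 106, "created_at": "2026-03-01T12:00:00Z",
     "metadata": {"container": {"tags": ["2.1.3"]}}},
]


def tags_of(version):
    """Return the version's tag list, tolerating missing metadata."""
    meta = version.get("metadata") or {}
    return (meta.get("container") or {}).get("tags") or []


def select_for_deletion(versions, keep=2, pattern="nightly-*"):
    """Return the ids that may be deleted, oldest first.

    Deleting a version removes every tag on it, so a version qualifies only
    if it has at least one tag and all of its tags match `pattern`. Untagged
    versions are left alone. The newest `keep` candidates are retained.
    """
    candidates = [
        v for v in versions
        if tags_of(v) and all(fnmatch.fnmatchcase(t, pattern) for t in tags_of(v))
    ]
    # Same-format ISO-8601 UTC timestamps sort correctly as strings.
    candidates.sort(key=lambda v: v["created_at"])
    return [v["id"] for v in candidates[:max(len(candidates) - keep, 0)]]


def plan(versions, keep=2, dry_run=True):
    """Build the action list; nothing is deleted here, the caller acts on it."""
    verb = "WOULD DELETE" if dry_run else "DELETE"
    return [f"{verb} version {vid}" for vid in select_for_deletion(versions, keep)]


if __name__ == "__main__":
    print("\n".join(plan(SAMPLE_VERSIONS)))
```

Version 102 in the sample carries both a nightly tag and a release tag, which is the case a per-tag match would delete by mistake.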
