JTaeuber/prune-orphaned-cosign-sig
prune-orphaned-cosign-sig

prune-orphaned-cosign-sig is a GitHub Action that removes cosign signatures from a GHCR repository when the image versions they were created for no longer exist.

⚠️ Word of caution

As this action is destructive, it's recommended to test any changes to the configuration of the action with a dry-run to ensure the expected signatures are matched for pruning.

Quick start

Pruning all orphaned cosign signatures for an organization:

steps:
  - name: Prune
    uses: jtaeuber/[email protected]
    with:
      gh_token: ${{ secrets.YOUR_TOKEN }}
      gh_org: your-org
      package_name: your-package
      dry-run: true # Dry-run first, then change to `false`

Permissions

This action uses the GitHub REST API package-version deletion endpoint (PackageDeleteVersion()) for users and organizations, whose documentation states:

OAuth app tokens and personal access tokens (classic) need the read:packages and delete:packages scopes to use this endpoint. In addition: [...] If package_type is container, you must also have admin permissions to the container you want to delete.

As a result, for this action to work, the token must be associated with a user who has admin permissions for both the organization and the package. If this is not the case, dry-runs will work as expected but actual runs will fail with a Package not found error when attempting to delete versions.
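To make concrete what "orphaned" means here and why a dry-run is worth doing first, the following is an added Python sketch of the matching logic; it is not the action's own code. It assumes the cosign convention that the signature for image digest sha256:<hex> is stored as a tag named sha256-<hex>.sig in the same repository, and it assumes package-version records in the shape returned by GitHub's "list package versions" endpoint (id, name holding the manifest digest, metadata.container.tags); the sample data is constructed.

```python
import re

# cosign stores the signature for image digest sha256:<hex> as a tag named
# sha256-<hex>.sig in the same repository (cosign's convention, assumed here).
SIG_TAG = re.compile(r"^sha256-([0-9a-f]{64})\.sig$")


def find_orphaned_signatures(versions):
    """Return (version_id, tag) pairs whose signed image digest is gone.

    `versions` follows the assumed GitHub Packages "list versions" shape:
    each record has an integer `id`, a `name` holding the manifest digest,
    and `metadata.container.tags` listing the tags that point at it.
    """
    present = {v["name"] for v in versions}  # every digest still in the package
    orphaned = []
    for v in versions:
        tags = v.get("metadata", {}).get("container", {}).get("tags", [])
        for tag in tags:
            m = SIG_TAG.match(tag)
            if m and f"sha256:{m.group(1)}" not in present:
                orphaned.append((v["id"], tag))
    return orphaned


def prune(versions, delete_version, dry_run=True):
    """Delete orphaned signature versions; with dry_run only report them.

    `delete_version(version_id)` is a caller-supplied callable (hypothetical);
    in practice it would call the package-version DELETE endpoint.
    """
    orphaned = find_orphaned_signatures(versions)
    for version_id, tag in orphaned:
        if dry_run:
            print(f"[dry-run] would delete version {version_id} ({tag})")
        else:
            delete_version(version_id)
    return orphaned


# Constructed sample: image A still exists; image B was deleted but the
# version holding its signature manifest is still in the package.
HEX_A, HEX_B = "a" * 64, "b" * 64
SAMPLE_VERSIONS = [
    {"id": 1, "name": f"sha256:{HEX_A}", "metadata": {"container": {"tags": ["v1.0.0"]}}},
    {"id": 2, "name": "sha256:" + "c" * 64, "metadata": {"container": {"tags": [f"sha256-{HEX_A}.sig"]}}},
    {"id": 3, "name": "sha256:" + "d" * 64, "metadata": {"container": {"tags": [f"sha256-{HEX_B}.sig"]}}},
]

if __name__ == "__main__":
    prune(SAMPLE_VERSIONS, delete_version=lambda vid: None, dry_run=True)
```

Running the sample in dry-run mode reports only version 3, since the signature in version 2 still has its image (version 1) present.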

Inputs

gh_token

Required Secret access token with the read:packages and delete:packages scopes and write permissions on the targeted container. See Creating a personal access token for more details about GitHub access tokens.

gh_org

Name of the organization owning the container package.

⚠️ This input is mutually exclusive with the gh_user input. Only one of the two can be used at any time. If neither is provided, the packages of the authenticated user (cf. gh_token) are considered.

gh_user

Name of the user owning the package.

⚠️ This input is mutually exclusive with the gh_org input. Only one of the two can be used at any time. If neither is provided, the packages of the authenticated user (cf. gh_token) are considered.

package_name

Required Name of the package for which signatures should be pruned.

dry-run

Optional Boolean controlling whether to execute the action as a dry-run. When true, the action prints details of the versions that would be pruned without actually deleting them. Defaults to false.

As this action is destructive, it's recommended to test any changes to the configuration of the action with a dry-run to ensure the expected versions are matched for pruning.

About

Prune orphaned cosign signatures from ghcr.
