Split from #421 (Fix 3, originally filed as a suggestion). When build+push succeeds but a later step fails (cosign, GitOps artifact upload, Helm dispatch), the image is left in the registry unsigned and without a GitOps record, with no rollback.
Proposed
Optional cleanup_on_failure input (default false) running an if: failure() step/job that removes only the images published in the current run:
- DockerHub:
DELETE /v2/repositories/{namespace}/{repository}/tags/{tag}/ on hub.docker.com (requires a token whose scope allows delete; a read-only or push-only token is refused).
- GHCR:
gh api -X DELETE /orgs/{org}/packages/container/{package}/versions/{version_id}. The tag first has to be resolved to a package version id (GET the package's versions and match metadata.container.tags), and the token needs read:packages plus delete:packages, i.e. a separate, more privileged secret than the one used to push.
- Target only tags published in the current run: record each ref together with its digest immediately after its push succeeds, and have the cleanup delete from that record only, never from a tag pattern or from "latest".
- Deleting a tag does not guarantee the manifest is gone: another tag, or a pull by digest, can still reference it. The warning therefore always carries the digest.
- When the registry enforces tag immutability (deletion refused), emit a warning with the digest and manual remediation steps, not a hard failure. The cleanup step must also exit 0 so the job keeps failing for the step that actually broke, rather than masking the original error with a second one.
Why a dedicated issue/PR
This is the highest-risk item of #421: it requires delete-scoped credentials and interacts with tag immutability. It deserves its own design and review rather than riding along with the lower-risk fixes. Marked as a suggestion by the original reporter.
Related: #421
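A sketch of what the cleanup job body could look like, as an added example (not code from this project or its workflows). The registry endpoints are the documented Docker Hub tag-delete and GitHub Packages version-delete calls; the file name PUBLISHED_FILE, the DRY_RUN switch, the DOCKERHUB_TOKEN/GH_TOKEN secret names and all function names are assumptions of this example.

```shell
#!/usr/bin/env sh
# Added example (not the project's workflow): body of an `if: failure()` job
# that deletes only what this run pushed. Assumed: PUBLISHED_FILE, DRY_RUN,
# DOCKERHUB_TOKEN, GH_TOKEN and every function name below.
set -u

PUBLISHED_FILE="${PUBLISHED_FILE:-published-tags.txt}"
DRY_RUN="${DRY_RUN:-0}"

# Called right after each successful push with "<ref> <digest>". The cleanup
# only ever touches refs recorded here, so tags from other runs are untouched.
record_published() {
  printf '%s %s\n' "$1" "$2" >> "$PUBLISHED_FILE"
}

# Split "host/ns/repo:tag" into "<registry> <namespace> <repository> <tag>".
# Docker Hub refs may omit the host; any other host is refused, not guessed.
parse_ref() {
  ref=$1
  case "$ref" in *@*|*:*/*) return 1 ;; esac   # digest refs / host:port unsupported
  tag=${ref##*:}; path=${ref%:*}
  [ "$tag" != "$ref" ] || return 1              # no tag at all
  case "$path" in
    ghcr.io/*)   reg=ghcr;      path=${path#ghcr.io/} ;;
    docker.io/*) reg=dockerhub; path=${path#docker.io/} ;;
    */*/*)       return 1 ;;                    # unknown registry
    *)           reg=dockerhub ;;
  esac
  ns=${path%%/*}; repo=${path#*/}
  [ "$ns" != "$repo" ] || return 1              # need namespace/repo
  printf '%s %s %s %s\n' "$reg" "$ns" "$repo" "$tag"
}

# Docker Hub: DELETE /v2/repositories/{namespace}/{repository}/tags/{tag}/
dockerhub_delete_url() {
  printf 'https://hub.docker.com/v2/repositories/%s/%s/tags/%s/\n' "$1" "$2" "$3"
}

# GHCR: a tag belongs to a package version; find the version whose tag list
# contains it, then DELETE /orgs/{org}/packages/container/{package}/versions/{id}.
# GH_TOKEN needs read:packages and delete:packages.
ghcr_version_path() {
  id=$(gh api --paginate "/orgs/$1/packages/container/$2/versions" \
        --jq ".[] | select(.metadata.container.tags[]? == \"$3\") | .id" | head -n 1)
  [ -n "$id" ] || return 1
  printf '/orgs/%s/packages/container/%s/versions/%s\n' "$1" "$2" "$id"
}

# GitHub Actions warning annotation carrying the digest and the manual step.
warn_manual() {  # $1 ref $2 digest $3 reason
  printf '::warning::%s could not be deleted (%s). Digest %s is unsigned and has no GitOps record; quarantine or delete it manually.\n' "$1" "$3" "$2"
}

# Delete one recorded tag. Never fails the job: a refusal (immutability,
# missing scope) or an already-gone tag is reported, not fatal.
delete_one() {  # $1 ref $2 digest
  fields=$(parse_ref "$1") || { warn_manual "$1" "$2" "unsupported ref"; return 0; }
  set -- "$1" "$2" $fields        # now $3 registry $4 ns $5 repo $6 tag
  case "$3" in
    dockerhub)
      target=$(dockerhub_delete_url "$4" "$5" "$6")
      [ "$DRY_RUN" = 1 ] && { echo "DELETE $target"; return 0; }
      code=$(curl -sS -o /dev/null -w '%{http_code}' -X DELETE \
               -H "Authorization: Bearer ${DOCKERHUB_TOKEN:?delete-scoped token required}" "$target") ;;
    ghcr)
      [ "$DRY_RUN" = 1 ] && { echo "DELETE /orgs/$4/packages/container/$5/versions/<id of tag $6>"; return 0; }
      target=$(ghcr_version_path "$4" "$5" "$6") || { warn_manual "$1" "$2" "version id not found"; return 0; }
      # gh exits non-zero on any non-2xx; the exact status is not needed here.
      code=$(gh api -X DELETE "$target" >/dev/null 2>&1 && echo 204 || echo 'non-2xx') ;;
  esac
  case "$code" in
    2??) echo "deleted $1 ($2)" ;;
    404) echo "already gone: $1" ;;
    *)   warn_manual "$1" "$2" "HTTP $code, registry may enforce tag immutability" ;;
  esac
  return 0
}

# The if: failure() step. Exits 0 so the job keeps failing for the original reason.
cleanup_published() {
  [ -f "$PUBLISHED_FILE" ] || { echo "nothing published in this run"; return 0; }
  while read -r ref digest; do
    [ -n "$ref" ] && delete_one "$ref" "$digest"
  done < "$PUBLISHED_FILE"
  return 0
}
```

The push step calls record_published after each successful push; the failure job sets DRY_RUN=0 and calls cleanup_published. With DRY_RUN=1 the script only prints the DELETE targets it would hit, which is the mode to run first when wiring up the delete-scoped secrets.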