
build: optional cleanup_on_failure for pushed images on downstream failure #451

Description

@bedatty

Split from #421 (Fix 3, originally filed as a suggestion). When build+push succeeds but a later step fails (cosign, GitOps artifact upload, Helm dispatch), the image is left in the registry unsigned and without a GitOps record, with no rollback.

Proposed

Optional cleanup_on_failure input (default false) running an if: failure() step/job that removes images published in the current run:

  • DockerHub: DELETE /v2/repositories/{namespace}/{repository}/tags/{tag} (requires a delete-scoped token).
  • GHCR: gh api -X DELETE /orgs/{org}/packages/container/{package}/versions/{version_id}.
  • Target only tags published in the current run.
  • When the registry has immutability (deletion impossible), emit a warning with the digest and manual remediation steps — not a hard failure.
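To make the proposal concrete, here is an added example (not the project's own code) of the logic such an `if: failure()` step would run. It assumes the push step wrote one `image:tag@sha256:...` line per tag it published in this run to a small manifest file, that a delete-scoped token is supplied by the caller, that GHCR version ids are resolved by a caller-supplied lookup, and that the HTTP statuses treated as "deletion refused" (403/405/409) are an assumption rather than documented registry behaviour.

```python
"""cleanup_on_failure helper (added example, not the project's code)."""
import re
from urllib.parse import quote

# One line per tag pushed in THIS run, e.g. "acme/app:1.2.3@sha256:<64 hex>"
REF_RE = re.compile(r"^(?P<image>[^:@\s]+):(?P<tag>[^@\s]+)@(?P<digest>sha256:[0-9a-f]{64})$")

def parse_run_manifest(text):
    """Only refs the current run recorded are eligible for deletion."""
    refs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = REF_RE.match(line)
        if not m:
            raise ValueError(f"unparseable ref in run manifest: {line!r}")
        refs.append(m.groupdict())
    return refs

def delete_request(ref, ghcr_version_id=None):
    """Build the registry-specific DELETE for one published tag."""
    image = ref["image"]
    if image.startswith("ghcr.io/"):
        org, package = image[len("ghcr.io/"):].split("/", 1)
        # package names may contain '/', so percent-encode them for the API path
        return ("DELETE", f"/orgs/{org}/packages/container/{quote(package, safe='')}"
                          f"/versions/{ghcr_version_id}")
    namespace, repository = image.split("/", 1)  # DockerHub: namespace/repository
    return ("DELETE", f"https://hub.docker.com/v2/repositories/{namespace}/{repository}/tags/{ref['tag']}")

def outcome(ref, status):
    """Map an HTTP status to a step result; refused deletion is a warning, not a failure."""
    name = f"{ref['image']}:{ref['tag']}"
    if status in (200, 202, 204):
        return ("deleted", f"removed {name}")
    if status in (403, 405, 409):  # assumed: immutable tag or token lacks delete scope
        return ("warning", f"::warning::could not delete {name} ({ref['digest']}); "
                           "remove it manually or record the digest as unsigned/untracked")
    return ("error", f"unexpected HTTP {status} deleting {name}")

def cleanup(manifest_text, send, ghcr_lookup=lambda ref: None):
    """Run the cleanup. `send(method, url)` returns an HTTP status (injected so it runs offline)."""
    results = []
    for ref in parse_run_manifest(manifest_text):
        method, url = delete_request(ref, ghcr_lookup(ref))
        results.append(outcome(ref, send(method, url)))
    return results
```

Wire `send` to `requests`/`gh api` with the delete-scoped token in the real step; only a result of kind `error` should fail the job.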

Why a dedicated issue/PR

This is the highest-risk item of #421: it requires delete-scoped credentials and interacts with tag immutability. It deserves its own design and review rather than riding along with the lower-risk fixes. Marked as a suggestion by the original reporter.

Related: #421
