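# Copyright (c) 2026 SnowdreamTech. All rights reserved.
# Licensed under the MIT License. See LICENSE file in the project root for full license information.
---
# GitHub Cache Management
# Purpose: Prunes GitHub Actions caches for the triggering ref to free storage and
#   prevent stale cache entries from polluting later builds.
# Scope: Lists up to 100 caches on the ref (newest first) and deletes every entry
#   listed. The selection is a count cap, not an age threshold.
# Trigger: Weekly schedule (Sunday 16:00 UTC) or manual workflow_dispatch. There are
#   no dispatch inputs; the pruned ref is always github.ref (the default branch on
#   scheduled runs).
# Permissions:
# - actions: write (Required to delete caches via the GitHub API).
# - contents: read (Required for repository metadata access).
# Concurrency:
# - group: cache-${{ github.workflow }}-${{ github.ref }} (Prevents overlapping cleanup runs).
# - cancel-in-progress: true (A superseded run is cancelled; each delete is independent,
#   so an interrupted run leaves nothing half-done).
# Design:
# - Uses POSIX-compliant shell for maximum compatibility with runner environments.
# - Implements safe-fail logic (set +e) after listing so one failed delete does not
#   abort the rest.
name: "🧹 Cache Cleanup"
"on":
  schedule:
    # Staggered to avoid peak load times on GitHub's infrastructure
    - cron: "0 16 * * 0"
  workflow_dispatch:
# Deny-all at the workflow level; the job grants only what it needs.
permissions: {}
env:
  # Consumed outside this file; its meaning is not evident here — TODO confirm.
  UNIRTM_LOCKED: "1"
jobs:
  cleanup:
    name: "🧹 Cache Sanitation Maintenance"
    runs-on: ubuntu-latest
    concurrency:
      group: cache-${{ github.workflow }}-${{ github.ref }}
      cancel-in-progress: true
    permissions:
      actions: write # Required to delete caches via the GitHub API
      contents: read # Required for repository metadata access
    # Generous upper bound; listing and deleting at most 100 caches normally finishes
    # well under 10 minutes.
    timeout-minutes: 40
    steps:
      - name: "🔒 Harden Runner"
        uses: step-security/harden-runner@9af89fc71515a100421586dfdb3dc9c984fbf411 # v2.19.4
        with:
          disable-sudo: true
          egress-policy: block
          # NOTE(review): this allow-list is far broader than the two steps below need
          # (package mirrors, container registries, signing services). The job itself
          # only talks to api.github.com, github.com and the *.githubusercontent.com
          # hosts involved in the extension download; trimming the list would tighten
          # egress. Kept as-is here so the extension install is not broken unverified.
          allowed-endpoints: >
            api.github.com:443
            raw.githubusercontent.com:443
            objects.githubusercontent.com:443
            pkg-containers.githubusercontent.com:443
            avatars.githubusercontent.com:443
            github.com:443
            packages.microsoft.com:443
            archive.ubuntu.com:80
            archive.ubuntu.com:443
            security.ubuntu.com:80
            security.ubuntu.com:443
            ports.ubuntu.com:80
            ports.ubuntu.com:443
            keyserver.ubuntu.com:80
            keyserver.ubuntu.com:443
            changelogs.ubuntu.com:80
            changelogs.ubuntu.com:443
            deb.debian.org:80
            deb.debian.org:443
            security.debian.org:80
            security.debian.org:443
            snapshot.debian.org:80
            snapshot.debian.org:443
            dl.rockylinux.org:443
            mirrors.rockylinux.org:443
            mirror.centos.org:443
            vault.centos.org:443
            isv-data.centos.org:443
            mirrorlist.centos.org:80
            mirrorlist.centos.org:443
            cdn.redhat.com:443
            cdn-ubi.redhat.com:443
            access.redhat.com:443
            sso.redhat.com:443
            dl-cdn.alpinelinux.org:443
            registry.npmjs.org:443
            registry.yarnpkg.com:443
            pypi.org:443
            files.pythonhosted.org:443
            proxy.golang.org:443
            sum.golang.org:443
            index.crates.io:443
            static.rust-lang.org:443
            packagist.org:443
            repo.maven.apache.org:443
            golang.org:443
            pkg.go.dev:443
            dl.google.com:443
            rubygems.org:443
            registry.terraform.io:443
            formulae.brew.sh:443
            repo.yarnpkg.com:443
            ghcr.io:443
            production.cloudflare.docker.com:80
            production.cloudflare.docker.com:443
            registry-1.docker.io:443
            auth.docker.io:443
            docker.io:443
            quay.io:443
            cdn.quay.io:443
            docker-images-prod.s3.us-west-2.amazonaws.com:443
            docker-images-prod.s3.us-east-1.amazonaws.com:443
            docker-images-prod.s3.amazonaws.com:443
            s3.amazonaws.com:443
            s3.us-west-2.amazonaws.com:443
            s3.us-east-1.amazonaws.com:443
            osv-vulnerabilities.storage.googleapis.com:443
            api.osv.dev:443
            get.trivy.dev:443
            aquasecurity.github.io:443
            tuf-repo-cdn.sigstore.dev:443
            oauth2.sigstore.dev:443
            rekor.sigstore.dev:443
            fulcio.sigstore.dev:443
            api.sigstore.dev:443
      - name: "🧹 Prune Inactive GitHub Caches"
        shell: sh # POSIX compliant shell for better portability; GitHub runs it with -e
        run: |
          # Supply chain: this installs whatever the extension's current release is.
          # Pin it (gh extension install --pin <tag>) or move to the built-in
          # `gh cache list` / `gh cache delete` subcommands to remove the floating
          # dependency.
          gh extension install actions/gh-actions-cache
          echo "Fetching list of cache keys..."
          # Output is tab-separated with the key in the first column; -L 100 caps the
          # batch at 100 entries per run. A failing `gh` here yields an empty list
          # (the pipeline's status is cut's), so the empty case is handled below.
          cacheKeys=$(gh actions-cache list \
            -R "$REPO" -B "$BRANCH" -L 100 \
            --sort created-at --order desc | cut -f 1)
          if [ -z "$cacheKeys" ]; then
            echo "No caches found for $BRANCH; nothing to delete."
            exit 0
          fi
          # set +e: from here on a single failed deletion (e.g. an entry GitHub already
          # evicted) must not abort the remaining deletions.
          set +e
          echo "Deleting caches..."
          # Read one key per line so keys containing whitespace or glob characters
          # reach `gh` intact; unquoted $cacheKeys would be word-split and globbed.
          printf '%s\n' "$cacheKeys" | while IFS= read -r cacheKey
          do
            [ -n "$cacheKey" ] || continue
            gh actions-cache delete "$cacheKey" -R "$REPO" -B "$BRANCH" --confirm
          done
          echo "Cleanup completed successfully."
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          BRANCH: ${{ github.ref }}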