fix: GHCR cleanup workflow; requires PAT (#7)

statnett · Oct 2, 2023 · d74f41a · d74f41a
1 parent 6d05ba1
commit d74f41a
Showing 1 changed file with 7 additions and 10 deletions.
diff --git a/.github/workflows/clean-ghcr.yaml b/.github/workflows/clean-ghcr.yaml
@@ -15,23 +15,18 @@ on:
         default: A week ago UTC
         description: The timezone-aware datetime you want to delete container versions that are older than.
     secrets:
-      STATNETT_BOT_APP_ID:
-        required: true
-      STATNETT_BOT_PRIVATE_KEY:
+      PAT:
         required: true
+        description: |
+          You need to pass a (classic) personal access token (PAT) with access to the container registry.
+          Specifically, you need to grant it the following scopes: read:packages and delete:packages.
 
 jobs:
   clean-ghcr:
     runs-on: ubuntu-latest
     permissions:
       packages: write
     steps:
-      - id: token
-        uses: tibdex/github-app-token@v1
-        with:
-          app_id: ${{ secrets.STATNETT_BOT_APP_ID }}
-          private_key: ${{ secrets.STATNETT_BOT_PRIVATE_KEY }}
-
       - name: Delete untagged container images according to cut-off
         uses: snok/container-retention-policy@v2
         with:
@@ -40,4 +35,6 @@ jobs:
           account-type: org
           org-name: statnett
           untagged-only: true
-          token: ${{ steps.token.outputs.token }}
+          # FIXME: Remove requirement for classic PAT when available
+          # See https://github.com/snok/container-retention-policy/issues/27
+          token: ${{ secrets.PAT }}