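---
# GitHub Cache Management
# Purpose: Deletes GitHub Actions caches for the current ref to reclaim storage and
#          evict entries that later builds should not reuse.
# Triggers:
# - schedule: weekly, Sunday 16:00 UTC; runs against the default branch ref.
# - workflow_dispatch: manual run; acts on the ref the run is started from
#   (no inputs are defined, so there is no separate branch/tag filter).
# Permissions (job level; the workflow-level block grants nothing):
# - actions: write (required to delete caches via the GitHub API).
# - contents: read (required for repository metadata access).
# Concurrency:
# - group: cache-${{ github.workflow }}-${{ github.ref }} (one cleanup per ref at a time).
# - cancel-in-progress: true (a newer run supersedes a running one; each delete is
#   independent, so an interrupted run leaves no partial state to repair).
# Design:
# - POSIX-compliant shell for maximum compatibility with runner environments.
# - Safe-fail deletion loop (set +e): one failed delete does not abort the rest;
#   failures are counted and reported instead of being silently ignored.
name: "🧹 Cache Cleanup"
"on":
  schedule:
    # Staggered to avoid peak load times on GitHub's infrastructure
    - cron: "0 16 * * 0"
  workflow_dispatch:
# Deny everything at the workflow level; the job grants only what it needs.
permissions: {}
env:
  # NOTE(review): no step below installs or runs mise; confirm whether this
  # variable and the mise egress allowances are still needed.
  MISE_LOCKED: 1
jobs:
  cleanup:
    name: "🧹 Cache Sanitation Maintenance"
    runs-on: ubuntu-latest
    concurrency:
      group: cache-${{ github.workflow }}-${{ github.ref }}
      cancel-in-progress: true
    permissions:
      actions: write # Required to delete caches via the GitHub API
      contents: read # Required for repository metadata access
    timeout-minutes: 40 # Generous cap; one list call plus at most 100 deletes normally finishes well under 10m
    steps:
      - name: "🔒 Harden Runner (Security Egress Audit)"
        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
        with:
          # Block all egress except the endpoints listed below.
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            *.githubusercontent.com:443
            github.com:443
            mise.run:443
            install.mise.jdx.dev:443
            *.mise.jdx.dev:443
      - name: "🧹 Prune Inactive GitHub Caches"
        shell: sh # POSIX compliant shell for better portability
        # Lists up to 100 caches for $BRANCH (newest first) and deletes each one.
        # A ref holding more than 100 caches is only partially cleared in one run.
        run: |
          gh extension install actions/gh-actions-cache
          echo "Fetching list of cache keys..."
          cacheKeys=$(gh actions-cache list \
            -R "$REPO" -B "$BRANCH" -L 100 \
            --sort created-at --order desc | cut -f 1)
          if [ -z "$cacheKeys" ]; then
            echo "No caches found for $BRANCH; nothing to delete."
            exit 0
          fi
          # set +e: don't fail the whole job if one deletion fails (e.g., race condition)
          set +e
          echo "Deleting caches..."
          deleted=0
          failed=0
          for cacheKey in $cacheKeys
          do
            if gh actions-cache delete "$cacheKey" -R "$REPO" -B "$BRANCH" --confirm; then
              deleted=$((deleted + 1))
            else
              failed=$((failed + 1))
              echo "::warning::Failed to delete cache key '$cacheKey'"
            fi
          done
          echo "Cleanup completed: $deleted deleted, $failed failed."
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          REPO: ${{ github.repository }}
          BRANCH: ${{ github.ref }}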