I had to go full Rube Goldberg to clean up old image tags from closed PRs, while still leaving deletion of untagged image to the ECR repo's own lifecycle policy. Never go full Rube Goldberg:
name: ECR Retention Policy
on:
pull_request:
types:
- closed
workflow_call:
workflow_dispatch:
jobs:
clean-unused-ecr:
name: Delete unused container images
runs-on: runs-on,runner=2cpu-linux-x64,run-id=${{ github.run_id }},image=ecr_login_image
steps:
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ env.RUNS_ON_AWS_REGION }}
- name: AWS ECR Login
id: login-ecr
uses: aws-actions/amazon-ecr-login@v2
- name: AWS ECR Info
shell: bash
run: |
echo "ECR_REGISTRY=${{ steps.login-ecr.outputs.registry }}" >> $GITHUB_ENV
echo "ECR_REPO=$(basename ${{ github.repository }})" >> $GITHUB_ENV
- name: Docker meta
id: docker_meta
uses: docker/metadata-action@v5
with:
images: ${{ env.ECR_REGISTRY }}/${{ env.ECR_REPO }}
flavor: suffix=-
tags: type=raw,value=${{ github.head_ref || github.ref_name }}
# NOTE: This is convoluted because AWS ECR has no simple way to untag image without deletion
# given we want to leave deletion of untagged image to the ECR repo's own lifecycle policy
# https://stackoverflow.com/questions/70065254/remove-ecr-image-tag-despite-imagereferencedbymanifestlist-error
# https://github.com/aws/containers-roadmap/issues/1567
- name: AWS ECR Cleanup
shell: bash
run: |
REPO_EXISTS=$(aws ecr describe-repositories --repository-names $ECR_REPO 2>&1 || true)
if echo "${REPO_EXISTS}" | grep -q 'RepositoryNotFoundException'; then
echo "Repository not found, skipping cleanup."
exit 0
fi
IMAGE_TAGS=$(aws ecr list-images --repository-name $ECR_REPO --query 'imageIds[*].imageTag' --output text)
docker pull busybox
docker tag busybox $ECR_REGISTRY/$ECR_REPO:_
docker push $ECR_REGISTRY/$ECR_REPO:_
TEMP_IMAGE=$(
aws ecr batch-get-image \
--repository-name $ECR_REPO \
--image-ids imageTag=_ )
TEMP_MANIFEST=$(echo $TEMP_IMAGE | jq -r '.images[].imageManifest')
TEMP_DIGEST=$(echo $TEMP_IMAGE | jq -r '.images[].imageId.imageDigest')
TAG_PREFIX=$(echo ${{ fromJSON(steps.docker_meta.outputs.json).tags[0] }} | cut -d: -f2)
for TAG in $IMAGE_TAGS
do
if [[ $TAG == $TAG_PREFIX* ]]; then
docker tag busybox $ECR_REGISTRY/$ECR_REPO:$TAG
docker push $ECR_REGISTRY/$ECR_REPO:$TAG
echo "Untaged image $TAG"
fi
done
# Delete the temporary image by digest
aws ecr batch-delete-image \
--repository-name $ECR_REPO \
--image-ids imageDigest=$TEMP_DIGEST
Wow, the COPY directive got a lot more powerful. I've been waiting for the --parent flag for years, while the --exclude argument is also a nice touch. Didn't know of the /./ pivot point before, but that's handy.
Before this, I've just been using a intermediary leaf stage within a multi-stage build process to copy the build context and filter the dependency lock files of the entire super project into a matching parent structure that I could then deterministically copy from.
Ah man, I'm with a project that already uses a poly repo setup and am starting an integration repo using submodules to coordinate the Dev environment and unify with CI/CD. Sub modules have been great for introspection and and versioning, rather than relying on some opaque configuration file to check out all the different poly repos at build time. I can click the the sub module links on GitHub and redirect right to the reference commit, while many IDEs can also already associate the respective git tag for each sub module when opening from the super project.
I was kind of bummed to hear that working trees didn't have full support with some modules. I haven't used working trees with this super project yet, but what did you find about its incompatibility with some modules? Are there certain porcelain commands just not supported, or certain behaviors don't work as expected? Have you tried the global git config to enable recursive over sub modules by default?
I fell for it. It took me a minute into the game time to figure what was up and double check today's date.
Does the live iso created by this process include the dependencies or kernel modules upon live boot? E.g. could I use this to create an ISO image that includes, or pre bakes, any custom or necessary drivers for Nvidia GPUs or finicky Wi-Fi cards when used/booted as just a live USB? That could really help when you'd otherwise have a chicken and egg problem after a hard drive failure and no live USB to safe boot with working networking or display output.
I'm going to try and set one up for the rest of my project team. Looks like a neat way to simplify install setup.
I'm using a recent 42" LG OLED TV as a large affordable PC monitor in order to support 4K@120Hz+HDR@10bit, which is great for gaming or content creation that can appreciate the screen real estate. Anything in the proper PC Monitor market similarly sized or even slightly smaller costs way more per screen area and feature parity.
Unfortunately such TVs rarely include anything other than HDMI for digital video input, regardless of the growing trend connecting gaming PCs in the living room, like with fiber optic HDMI cables. I actually went with a GPU with more than one HDMI output so I could display to both TVs in the house simultaneously.
Also, having an API as well as a remote to control my monitor is kind of nice. Enough folks are using LG TVs as monitors for this midsize range that there even open source projects to entirely mimic conventional display behaviors:
I also kind of like using the TV as simple KVMs with less cables. For example with audio, I can independently control volume and mux output to either speakers or multiple Bluetooth devices from the TV, without having fiddle around with repairing Bluetooth peripherals to each PC or gaming console. That's particularly nice when swapping from playing games on the PC to watching movies on a Chromecast with a friend over two pairs of headphones, while still keeping the house quite for the family. That kind of KVM functionality and connectivity is still kind of a premium feature for modest priced PC monitors. Of course others find their own use cases for hacking the TV remote APIs:
Didn't know about this case history with Nintendo, nor the name for the common exploit used:
Nice! Thanks for the clarification.
I was more curious about horizontal/vertical scroll snapping of text, given if the underlying vim properties are still limited to terminal style rendering of whole fractions of text lines and fixed characters, then it's less of a concern what exactly the GUI front end is.
Are you using the PWA, self hosted or via code spaces/other VPS? With which web browser?
I tried hosting code server via termux for a while, but a user proot felt too slow, even if the PWA UI ran silky smooth.
Perhaps when my warranty runs out I'll root the device to switch to using a proper chroot instead.
Do you use it combined with terminal emulators?
Wouldn't that result in vertical scroll snapping to textual lines, and horizontal scroll snapping to character widths?
A personal preference I suppose for navigation, but a bit jumpy to read from while moving rapidly.
Tagging an image is simply associating a string value to an image pushed to a container registry, as a human readable identifier. Unlike an image ID or image digest sha, an image tag is only loosely associated, and can be remapped later to another image in the same registry repo, e.g
latest. Untagging is simply removing the tag from the registry, but not necessarily the associated image itself.