Skip to content

Bump dataaxiom/ghcr-cleanup-action from 1.0.16 to 1.2.2 in the github_actions group#1766

Merged
TimPansino merged 1 commit into
mainfrom
dependabot/github_actions/github_actions-d669a0c368
Jun 15, 2026
Merged

Bump dataaxiom/ghcr-cleanup-action from 1.0.16 to 1.2.2 in the github_actions group#1766
TimPansino merged 1 commit into
mainfrom
dependabot/github_actions/github_actions-d669a0c368

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Contributor

Bumps the github_actions group with 1 update: dataaxiom/ghcr-cleanup-action.

Updates dataaxiom/ghcr-cleanup-action from 1.0.16 to 1.2.2

Release notes

Sourced from dataaxiom/ghcr-cleanup-action's releases.

v1.2.2

  • feature: skip-regex-checks input bypasses regex length/ReDoS guards for intentionally large patterns (fix #128)

v1.2.1

  • fix: tolerate every 404 on package version delete (was: fail on the second) (fix #121)
  • fix: eliminate spurious "wasn't found" warnings from cosign signature dual-cascade race
  • fix: per-image log buffer flushes audit trail even when a cascade errors mid-flight

v1.2.0

  • feature: cross-run manifest cache; warm runs only fetch newly-published manifests (hit rate logged)
  • perf: parallel API throughout — package pagination, manifest fetches, untag PUTs, child/referrer deletes
  • perf: batched untagging — one reload per batch instead of one per tag
  • perf: push token reuse across untag PUTs + 429/secondary rate-limit retries on registry auth
  • fix: repository input is now informational; cleanup uses owner + package directly (supports unlinked / cross-account packages)
  • log volume cap at 1000 lines per group (info); per-image log output buffered to avoid interleaving under concurrent deletes
  • package version upgrades

v1.1.0

  • fix: preserve OCI 1.1 subject-bearing referrers (cosign sigstore-bundles, attestations) during cleanup — were silently deleted as untagged #71
  • fix: keep-n-tagged now gates untag operations; a matched tag is not stripped from an image that keep-n-tagged would protect (#99, #101)
  • fix: shared multi-arch platform digests no longer cascade-deleted when one of multiple parent indexes is removed (#91)
  • fix: delete-partial-images excludes fully ghost images #112
  • fix: Octokit error output visible at all log levels (was suppressed when log-level was error or warn)
  • fix: expand-packages rejects fine-grained PATs upfront with a clear message
  • fix: setFailed message no longer overwritten by an empty Error in early-failure paths
  • feat: ReDoS guard on user-supplied regex (delete-tags, exclude-tags, package) when use-regex: true
  • feat: code refactor/split, removal of anys where possible using typed classes
  • chore(deps): Node.js 24
  • docs: README rewrite + Limitations section (5,000-download undeletable policy, nested-manifest non-support)
Commits
  • d52806a Merge pull request #129 from rohanmars/main
  • 7f28f9d feat: add skip-regex-checks input to opt out of regex safety guards
  • f092b48 Merge pull request #122 from rohanmars/main
  • fa3daf5 ci: hoist fork-PR approval gate to a single job (was per matrix entry)
  • c1ba289 fix: synchronously claim digests before delete to prevent concurrent duplicat...
  • f5e37e7 fix: tolerate all 404s on package version delete; always flush per-tree log b...
  • 374e202 Merge pull request #120 from rohanmars/code-review
  • e1e6176 perf: cap per-listing log volume at 1000 lines (truncate at INFO)
  • 6516895 fix: drop the post-reload untag-ops invariant assertion (3.1.5 retraction)
  • 5a020af feat: buffer deleteImage logs per top-level tree, flush atomically
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the github_actions group with 1 update: [dataaxiom/ghcr-cleanup-action](https://github.com/dataaxiom/ghcr-cleanup-action).


Updates `dataaxiom/ghcr-cleanup-action` from 1.0.16 to 1.2.2
- [Release notes](https://github.com/dataaxiom/ghcr-cleanup-action/releases)
- [Commits](dataaxiom/ghcr-cleanup-action@cd0cdb9...d52806a)

---
updated-dependencies:
- dependency-name: dataaxiom/ghcr-cleanup-action
  dependency-version: 1.2.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github_actions
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file. github_actions Pull requests that update GitHub Actions code. labels Jun 15, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 15, 2026 16:14
@github-actions

Copy link
Copy Markdown

MegaLinter analysis: Success

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ ACTION actionlint 9 0 0 0.9s
✅ MARKDOWN markdownlint 7 0 0 0 1.12s
✅ PYTHON ruff 1039 0 0 0 0.78s
✅ PYTHON ruff-format 1039 0 0 0 0.32s
✅ YAML prettier 23 0 0 0 1.37s
✅ YAML v8r 23 0 0 4.68s
✅ YAML yamllint 23 0 0 0.84s

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository

@TimPansino TimPansino merged commit b24828e into main Jun 15, 2026
60 of 61 checks passed
@TimPansino TimPansino deleted the dependabot/github_actions/github_actions-d669a0c368 branch June 15, 2026 20:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file. github_actions Pull requests that update GitHub Actions code.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant