From 2acfeed12e276942f8f30ca28510a47fa6e8fa24 Mon Sep 17 00:00:00 2001
From: vikingowl <christian@nachtigall.dev>
Date: Tue, 28 Apr 2026 14:37:13 +0200
Subject: [PATCH] chore(ci): prune old SHA-tagged images, keep last 10 per
 pipeline

---
 .woodpecker/backend.yaml | 28 ++++++++++++++++++++++++++++
 .woodpecker/web.yaml     | 26 ++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)

diff --git a/.woodpecker/backend.yaml b/.woodpecker/backend.yaml
index 649f49d..7131bb7 100644
--- a/.woodpecker/backend.yaml
+++ b/.woodpecker/backend.yaml
@@ -78,3 +78,31 @@ steps:
     when:
       - event: push
         branch: main
+
+  # Prune old SHA-tagged backend images. Keeps the 10 most recent commits
+  # that touched backend/ — HEAD is always in that set. Manifest deletion
+  # only frees registry storage if Zot GC is enabled on itsh.dev.
+  prune:
+    image: alpine:3.21
+    depends_on: [deploy]
+    environment:
+      REGISTRY_USER:
+        from_secret: registry_user
+      REGISTRY_PASSWORD:
+        from_secret: registry_password
+    commands:
+      - apk add --no-cache curl git
+      - curl -fsSL https://github.com/google/go-containerregistry/releases/download/v0.20.6/go-containerregistry_Linux_x86_64.tar.gz | tar -xz -C /usr/local/bin/ crane
+      - git log -n 10 --format='%h' -- backend/ .woodpecker/backend.yaml | sort -u > /tmp/keep
+      - echo "$REGISTRY_PASSWORD" | crane auth login registry.itsh.dev -u "$REGISTRY_USER" --password-stdin
+      - REPO=registry.itsh.dev/vikingowl/marktvogt.de/backend
+      - |
+        for tag in $(crane ls $REPO); do
+          if ! grep -qx "$tag" /tmp/keep; then
+            echo "pruning $REPO:$tag"
+            crane delete $REPO:$tag || true
+          fi
+        done
+    when:
+      - event: push
+        branch: main
diff --git a/.woodpecker/web.yaml b/.woodpecker/web.yaml
index 58208d5..7a13d05 100644
--- a/.woodpecker/web.yaml
+++ b/.woodpecker/web.yaml
@@ -56,3 +56,29 @@ steps:
     when:
       - event: push
         branch: main
+
+  # See backend.yaml for the prune-step rationale.
+  prune:
+    image: alpine:3.21
+    depends_on: [deploy]
+    environment:
+      REGISTRY_USER:
+        from_secret: registry_user
+      REGISTRY_PASSWORD:
+        from_secret: registry_password
+    commands:
+      - apk add --no-cache curl git
+      - curl -fsSL https://github.com/google/go-containerregistry/releases/download/v0.20.6/go-containerregistry_Linux_x86_64.tar.gz | tar -xz -C /usr/local/bin/ crane
+      - git log -n 10 --format='%h' -- web/ .woodpecker/web.yaml | sort -u > /tmp/keep
+      - echo "$REGISTRY_PASSWORD" | crane auth login registry.itsh.dev -u "$REGISTRY_USER" --password-stdin
+      - REPO=registry.itsh.dev/vikingowl/marktvogt.de/web
+      - |
+        for tag in $(crane ls $REPO); do
+          if ! grep -qx "$tag" /tmp/keep; then
+            echo "pruning $REPO:$tag"
+            crane delete $REPO:$tag || true
+          fi
+        done
+    when:
+      - event: push
+        branch: main