From b1112bbbd5172bcb05f6e36f0b1bee5832f03296 Mon Sep 17 00:00:00 2001
From: Donavan Fritz <dfritz@netflix.com>
Date: Wed, 6 May 2026 08:07:18 -0500
Subject: [PATCH] initial: action/image-push @v1

---
 README.md   | 43 ++++++++++++++++++++++++++++++
 action.yaml | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 118 insertions(+)
 create mode 100644 README.md
 create mode 100644 action.yaml

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..ecd0450
--- /dev/null
+++ b/README.md
@@ -0,0 +1,43 @@
+# action/image-push
+
+Composite Gitea Action that pushes a locally-built image to
+`code.fritzlab.net` and prunes old numeric tags via the Gitea package API.
+
+Pair with `action/image-build` — image-build loads the image to the runner's
+local Docker daemon, image-push uploads it.
+
+## Usage
+
+```yaml
+- uses: actions/checkout@v4
+- uses: https://code.fritzlab.net/action/image-build@v1
+  with:
+    image: code.fritzlab.net/fritzlab/chrony
+- uses: https://code.fritzlab.net/action/image-push@v1
+  with:
+    image: code.fritzlab.net/fritzlab/chrony
+    token: ${{ secrets.CI_BOT_TOKEN }}
+    org: fritzlab
+    name: chrony
+```
+
+## Inputs
+
+| Name | Required | Default | Description |
+|---|---|---|---|
+| `image` | yes | — | Full image name without tag. |
+| `tag` | no | `github.run_number` | Tag to push (must already exist locally). |
+| `token` | yes | — | `CI_BOT_TOKEN` — registry login + cleanup API. |
+| `org` | yes | — | Gitea org for package API (`fritzlab`, `dns`). |
+| `name` | yes | — | Package name as registered in the registry. |
+| `latest` | no | `true` | Also push a `:latest` tag. |
+| `keep` | no | `3` | Numeric tags to retain. Older are deleted. |
+
+## Behavior
+
+1. `docker login code.fritzlab.net` as `ci-bot`.
+2. `docker push <image>:<tag>`.
+3. If `latest=true`, also `docker push <image>:latest`.
+4. Prune: list numeric tags from Gitea package API, keep the newest `keep`,
+   delete the rest. Failures here do not fail the workflow
+   (`continue-on-error: true`).
diff --git a/action.yaml b/action.yaml
new file mode 100644
index 0000000..992688f
--- /dev/null
+++ b/action.yaml
@@ -0,0 +1,75 @@
+name: Push Image
+description: Push a locally-built image to code.fritzlab.net and prune old numeric tags.
+inputs:
+  image:
+    description: Full image name without tag (e.g. code.fritzlab.net/fritzlab/chrony)
+    required: true
+  tag:
+    description: Tag to push. Defaults to github.run_number when empty.
+    required: false
+    default: ''
+  token:
+    description: CI_BOT_TOKEN — registry login + Gitea package API for cleanup
+    required: true
+  org:
+    description: Gitea org for package API (e.g. fritzlab, dns)
+    required: true
+  name:
+    description: Package/image name (e.g. chrony, base, runner)
+    required: true
+  latest:
+    description: Also push a :latest tag
+    required: false
+    default: 'true'
+  keep:
+    description: Numeric tags to retain after prune; older ones are deleted
+    required: false
+    default: '3'
+runs:
+  using: composite
+  steps:
+    - name: Log in to registry
+      uses: docker/login-action@v3
+      with:
+        registry: code.fritzlab.net
+        username: ci-bot
+        password: ${{ inputs.token }}
+
+    - name: Push
+      shell: bash
+      env:
+        IMAGE: ${{ inputs.image }}
+        TAG_INPUT: ${{ inputs.tag }}
+        RUN_NUMBER: ${{ github.run_number }}
+        LATEST: ${{ inputs.latest }}
+      run: |
+        set -euo pipefail
+        TAG="${TAG_INPUT:-$RUN_NUMBER}"
+        echo "Pushing ${IMAGE}:${TAG}"
+        docker push "${IMAGE}:${TAG}"
+        if [ "$LATEST" = "true" ]; then
+          docker tag "${IMAGE}:${TAG}" "${IMAGE}:latest"
+          echo "Pushing ${IMAGE}:latest"
+          docker push "${IMAGE}:latest"
+        fi
+
+    - name: Prune old tags
+      continue-on-error: true
+      shell: bash
+      env:
+        TOKEN: ${{ inputs.token }}
+        ORG: ${{ inputs.org }}
+        NAME: ${{ inputs.name }}
+        KEEP: ${{ inputs.keep }}
+      run: |
+        set -euo pipefail
+        tea login add --name ci --url https://code.fritzlab.net \
+          --token "$TOKEN" --no-version-check >/dev/null 2>&1 || true
+        tea api "/packages/${ORG}?type=container" \
+          | jq -r --arg n "$NAME" \
+              '.[] | select(.name==$n) | select(.version | test("^[0-9]+$")) | .version' \
+          | sort -n | head -n -"$KEEP" \
+          | while read -r tag; do
+              echo "deleting ${NAME}:$tag"
+              tea api -X DELETE "/packages/${ORG}/container/${NAME}/${tag}"
+            done