Overview

"Project Cleanup" is a GitLab automation tool that analyzes projects within a namespace and identifies resources that should be removed based on configurable criteria. It deletes branches, protected branch rules, containers, or packages based on configuration rules. Those configuration rules can be specified at the group level or at the individual project level, allowing full control over how the deletions occur within the namespace.

The tool generates detailed Markdown reports showing what was removed and what was kept, including the rationale for why that particular decision was made.

Overall Design

This is one piece of an overall strategy used internally at The Open Group. Many of the design decisions here follow from integration with the existing infrastructure tools of that strategy, which is not publicly available.

The inputs to the cleanup script are a list of all objects on a GitLab server (see Input Files) and a configuration file that specifies actions to take on some subset of those objects. The subset is defined by the "scope", which is both listed in the configuration file and provided as a command-line argument to the cleanup script. This is done so that the cleanup script can be run by a highly privileged service account, while the config file is managed by individuals overseeing a single GitLab Group. The scope argument (provided by the privileged user) and the configuration file (provided by the Group owners) must match, and the Group owners are not able to affect projects outside of their assigned namespace.
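The scope check described above, sketched as an added example (not the project's own code). The function names, the `scope` config key, the `path_with_namespace` field in the object list, and aborting on a mismatch are assumptions; the example also goes slightly beyond the text by matching on path-segment boundaries, so that a sibling group sharing a name prefix is excluded.

```python
"""Added example: scope enforcement for a privileged cleanup run (hypothetical names)."""


class ScopeError(Exception):
    """Raised when the config's scope disagrees with the operator-supplied scope."""


def normalize(path: str) -> str:
    # Strip whitespace and stray slashes so "team-a/" and "team-a" compare equal.
    return path.strip().strip("/")


def in_scope(object_path: str, scope: str) -> bool:
    """True if object_path is the scope namespace itself or nested below it."""
    obj, root = normalize(object_path), normalize(scope)
    if not root:
        return False  # an empty scope must never mean "everything"
    # Compare on a path-segment boundary so "team-a" does not match "team-a-archive".
    return obj == root or obj.startswith(root + "/")


def select_targets(cli_scope: str, config: dict, objects: list[dict]) -> list[dict]:
    """Return only the objects the config is allowed to act on.

    cli_scope comes from the privileged operator; config comes from the Group owners.
    """
    config_scope = config.get("scope")
    if not isinstance(config_scope, str) or normalize(config_scope) != normalize(cli_scope):
        # Assumption: a mismatch aborts the run instead of falling back to either value.
        raise ScopeError(f"config scope {config_scope!r} != argument scope {cli_scope!r}")
    # Filter on the operator-supplied scope, never on a value taken from the config.
    return [o for o in objects if in_scope(o["path_with_namespace"], cli_scope)]


# Constructed sample inventory (not real projects).
SAMPLE_OBJECTS = [
    {"id": 1, "path_with_namespace": "team-a/service"},
    {"id": 2, "path_with_namespace": "team-a/sub/tool"},
    {"id": 3, "path_with_namespace": "team-a-archive/old"},
    {"id": 4, "path_with_namespace": "team-b/service"},
]

if __name__ == "__main__":
    picked = select_targets("team-a", {"scope": "team-a"}, SAMPLE_OBJECTS)
    print([o["id"] for o in picked])
```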

This cleanup is designed to run every night, and the output files documenting the items that were kept/removed are designed to be placed in a separate Git repository that only stores log outputs. That allows the Group owners to review the nightly actions of the cleanup script, while not having the commits clutter the Configuration File’s repository.