As a part of the deploy stage in GitHub Actions, I build and push my images to GCP’s Artifact Registry:
```yaml
- name: Authenticate to Google Cloud
  id: auth
  uses: google-github-actions/auth@v1
  with:
    credentials_json: ${{ secrets.GOOGLE_CREDENTIALS }}
- name: Configure Docker to use gcloud for auth
  run: gcloud --quiet auth configure-docker
...
- name: Setup Docker Buildx
  uses: docker/setup-buildx-action@v3
- name: Build and push image
  uses: docker/build-push-action@v5
  with:
    context: .
    build-args: |
      PYPI_USERNAME=${{ secrets.PYPI_USERNAME }}
      PYPI_PASSWORD=${{ secrets.PYPI_PASSWORD }}
    push: true
    tags: "${{ env.DOCKER_IMAGE }}:${{ github.sha }}"
    cache-from: type=gha,scope=${{ env.DOCKER_IMAGE }}
    cache-to: type=gha,mode=max,scope=${{ env.DOCKER_IMAGE }}
```
The images are tagged with the commit’s SHA.
Now, I want to periodically cross-reference images that are actually in use in my GKE cluster and those that are present in the registry — and clean up the unused ones. Retrieving lists of images is easy:
- For the registry: `gcloud artifacts docker images list us-docker.pkg.dev/PROJECT_ID/gcr.io --include-tags`
- For the cluster: `kubectl get pods --all-namespaces -o jsonpath="{..image}"`
But what are those untagged images in my registry and why don’t the tagged ones have size?
I guess those are the underlying layers or whatnot. The main question is: which combination of flags and arguments should I use to delete an image (and all its auxiliary stuff) associated with a particular tag? See: https://cloud.google.com/sdk/gcloud/reference/artifacts/docker/images/delete.
I’m mostly concerned with not leaving any leftovers behind, while also not breaking anything not related to the tagged image I want to purge.
UPDATE: Tried deleting by tag, leftovers are still there in the UI.
before:
after:
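An added example, not part of the original post: one way to do the cross-referencing described above offline, over saved output of the two listing commands, producing a deletion plan without deleting anything. The record keys `package`, `version` and `tags`, the sample data and the function names are assumptions.

```python
import json

REPO = "us-docker.pkg.dev/PROJECT_ID/gcr.io"  # placeholder path from the question

# Constructed sample data. The keys package/version/tags are an assumed shape
# for `gcloud artifacts docker images list ... --include-tags --format=json`.
SAMPLE_REGISTRY = json.dumps([
    {"package": f"{REPO}/app", "version": "sha256:1111", "tags": ["aaa111"]},
    {"package": f"{REPO}/app", "version": "sha256:2222", "tags": ["bbb222"]},
    {"package": f"{REPO}/app", "version": "sha256:9999", "tags": []},
    {"package": f"{REPO}/worker", "version": "sha256:3333", "tags": "ccc333"},
    {"package": f"{REPO}/worker", "version": "sha256:4444", "tags": "ddd444,old"},
])
# Constructed stand-in for the kubectl jsonpath output (space-separated refs).
SAMPLE_PODS = f"{REPO}/app:aaa111 {REPO}/app:aaa111 {REPO}/worker@sha256:3333 localhost:5000/tool"

def parse_ref(ref):
    """Split an image reference into (repository, tag, digest)."""
    name, _, digest = ref.partition("@")
    # A colon after the last "/" separates the tag; an earlier one is a port.
    if name.rfind(":") > name.rfind("/"):
        name, _, tag = name.rpartition(":")
    else:
        tag = None
    return name, tag, digest or None

def in_use(kubectl_output):
    """Return the sets of (repo, tag) and (repo, digest) referenced by pods."""
    tags, digests = set(), set()
    for ref in kubectl_output.split():
        repo, tag, digest = parse_ref(ref)
        if digest:
            digests.add((repo, digest))
        if tag or not digest:  # no tag and no digest means "latest"
            tags.add((repo, tag or "latest"))
    return tags, digests

def plan_cleanup(registry_json, kubectl_output):
    """Return (unused tagged refs, untagged digests) without deleting anything."""
    used_tags, used_digests = in_use(kubectl_output)
    unused, untagged = [], []
    for rec in json.loads(registry_json):
        repo, digest, tags = rec["package"], rec["version"], rec.get("tags") or []
        if isinstance(tags, str):
            tags = [t.strip() for t in tags.split(",") if t.strip()]
        if not tags:
            # May be a child manifest of a tagged index: report, do not plan.
            untagged.append(f"{repo}@{digest}")
        elif (repo, digest) not in used_digests and not any((repo, t) in used_tags for t in tags):
            unused.extend(f"{repo}:{t}" for t in tags)
    return sorted(unused), sorted(untagged)
```

Only images of existing pods are counted, so images referenced by CronJobs, scaled-down workloads or rollback targets need adding to the in-use side before anything is deleted.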