# AE Docker CI Cache Policy (recommendation)

## Purpose

- Provide a straightforward policy that keeps build caches useful but bounded.

## Recommendations

- Primary CI cache: **registry-based buildx cache** (preferred). Use a single cache ref (e.g. `ghcr.io/ORG/REPO:cache`) that all CI builds reuse.
- Local dev cache: use `--cache-to type=local` for fast iteration, but prune it periodically.
- Retention: keep registry cache for 30 days by default. Implement a registry GC or lifecycle rule that deletes older cache blobs.

## Rotation strategy

- Option A (simple): CI always writes to the same cache ref `:cache`. Periodically (monthly) run a job to `docker pull` and `docker image rm` older tags if you use date-based tagging.
- Option B (date-tag): CI writes cache to `cache-YYYYMMDD`, and a small scheduled job deletes tags older than 30 days.

## Pruning commands (developer)

- Remove local build cache older than 72 hours:

```bash
docker builder prune --filter "until=72h" --force
```

- Remove all builder cache (aggressive):

```bash
docker builder prune --all --force
```

## CI runner requirements

- `docker` and `docker buildx` available in the runner environment.
- Registry credentials provided via CI secrets, with permission to push and pull images.

## Security & Secrets

- Do not store registry credentials in the repo. Use CI secret storage.
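Added example (not part of the policy above, and not project code) for the Option B rotation and the 30-day retention rule: given the existing `cache-YYYYMMDD` tags, it composes the `--cache-from`/`--cache-to` flags for today's build and lists the tags that have aged out. The tag list, the `ghcr.io/ORG/REPO` repo and the dates are constructed sample input; in CI you would feed in a real tag listing (e.g. from the registry API) and pass the stale tags to your registry's delete call.

```shell
set -eu

# Days since 1970-01-01 for a YYYYMMDD date, done in shell arithmetic so the
# script does not depend on GNU vs BSD `date` flags (H. Hinnant's days_from_civil).
days_from_ymd() {
  n=$(( $1 )); y=$(( n / 10000 )); m=$(( n / 100 % 100 )); d=$(( n % 100 ))
  [ "$m" -le 2 ] && y=$(( y - 1 ))
  era=$(( y / 400 ))
  yoe=$(( y - era * 400 ))
  doy=$(( (153 * (m > 2 ? m - 3 : m + 9) + 2) / 5 + d - 1 ))
  doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
  echo $(( era * 146097 + doe - 719468 ))
}

# Print the cache-YYYYMMDD tags (one per line on stdin) that are more than $2
# days older than the reference date $1. Tags in any other form are ignored,
# so unrelated tags in the same repo are never selected for deletion.
stale_cache_tags() {
  cutoff=$(( $(days_from_ymd "$1") - $2 ))
  while IFS= read -r tag; do
    case "$tag" in
      cache-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
      *) continue ;;
    esac
    if [ "$(days_from_ymd "${tag#cache-}")" -lt "$cutoff" ]; then
      printf '%s\n' "$tag"
    fi
  done
}

# Compose buildx cache flags for Option B: read from the newest existing
# cache tag (if any) and write today's tag. $1 = cache repo, $2 = today's
# YYYYMMDD, existing tags on stdin.
buildx_cache_flags() {
  repo=$1; today=$2
  newest=$(grep -E '^cache-[0-9]{8}$' | sort | tail -n 1) || true
  flags="--cache-to type=registry,ref=$repo:cache-$today,mode=max"
  [ -n "$newest" ] && flags="--cache-from type=registry,ref=$repo:$newest $flags"
  printf '%s\n' "$flags"
}

# Constructed sample tag listing (not a real registry response).
TAGS='cache-20231201
cache-20240101
cache-20240115
latest'
echo "$TAGS" | buildx_cache_flags ghcr.io/ORG/REPO 20240131
echo "$TAGS" | stale_cache_tags 20240131 30
```

A tag exactly 30 days old is kept; only tags strictly older than the retention window are reported.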