# Artifact Retention Policies Configuration # # This file defines retention policies for different types of artifacts generated # during CI/CD processes to optimize storage costs while maintaining compliance # and debugging capabilities. # Default retention for most build artifacts default_retention_days: 30 # Artifact type specific retention policies artifact_types: # Build outputs and container images build_artifacts: retention_days: 14 description: "Consolidated build outputs, SLSA bundles, and build logs" compression_level: 6 # Security scan results and reports security_reports: retention_days: 90 # Longer retention for compliance description: "Security scan results, SARIF reports, and gate enforcement results" compression_level: 9 # Maximum compression for storage efficiency # Temporary/intermediate artifacts intermediate: retention_days: 7 description: "Temporary build outputs, caches, and intermediate files" compression_level: 6 # Test results and coverage reports test_results: retention_days: 30 description: "Unit test results, integration test outputs, and coverage reports" compression_level: 6 # Documentation and static analysis documentation: retention_days: 60 description: "Generated documentation, linting reports, and static analysis results" compression_level: 6 # SBOM reports (Software Bill of Materials) sbom_reports: retention_days: 365 # One year for audit and compliance requirements description: "Software Bill of Materials reports generated by anchore/sbom-action and actions/attest" compression_level: 9 # Maximum compression for storage efficiency # Compliance and audit artifacts compliance: retention_days: 365 # One year for audit requirements description: "Compliance reports, audit logs, and regulatory artifacts" compression_level: 9 # Repository-specific overrides # These can be customized per repository based on specific requirements overrides: hve-core: # Security reports need longer retention for this project security_reports: retention_days: 120 reason: "Enhanced security monitoring requirements" # Build artifacts can be shorter due to frequent releases build_artifacts: retention_days: 10 reason: "Frequent release cycle with automated deployments" # Azure DevOps specific settings # Note: Azure DevOps retention is typically managed at organization level # These are guidelines for pipeline configuration azure_devops: # Default artifact retention (if not specified, uses organization default) default_retention_days: 30 # Artifact cleanup strategies cleanup_strategies: - name: "Delete successful build artifacts after releases" enabled: true conditions: - release_deployed: true - build_status: succeeded - age_days: 7 - name: "Keep failed build artifacts longer for debugging" enabled: true conditions: - build_status: failed - retention_days: 60 # GitHub Actions specific settings github_actions: # Default retention for upload-artifact action default_retention_days: 30 # Compression settings for different artifact types compression: security_reports: 9 # Maximum compression sbom_reports: 9 # Maximum compression for compliance artifacts build_outputs: 6 # Balanced compression/speed test_results: 6 # Balanced compression/speed logs: 3 # Minimal compression for quick access # Action-to-artifact mappings # Maps GitHub Actions to the artifact types they produce, with SHA-pinned references # for traceability and supply chain security validation. action_mappings: security_reports: - name: "github/codeql-action/analyze" version: "v3.27.0" sha: "ce729e4d353d580e6cacd6a8cf2921b72e5e310a" - name: "github/codeql-action/upload-sarif" version: "v3.27.0" sha: "ce729e4d353d580e6cacd6a8cf2921b72e5e310a" - name: "ossf/scorecard-action" version: "v2.4.3" sha: "4eaacf0543bb3f2c246792bd56e8cdeffafb205a" - name: "actions/dependency-review-action" version: "v4.3.4" sha: "3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261" build_artifacts: - name: "actions/upload-artifact" version: "v4.4.3" sha: "b7c566a772e6b6bfb58ed0dc250532a479d7789f" - name: "actions/attest-build-provenance" version: "v4.1.0" sha: "a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32" test_results: - name: "codecov/codecov-action" version: "v5.5.2" sha: "671740ac38dd9b0130fbe1cec585b89eea48d3de" sbom_reports: - name: "anchore/sbom-action" version: "v0.22.2" sha: "28d71544de8eaf1b958d335707167c5f783590ad" - name: "actions/attest" version: "v4.1.0" sha: "59d89421af93a897026c735860bf21b6eb4f7b26" # Storage optimization recommendations optimization: compression: enabled: true default_level: 6 max_level: 9 cleanup: # Automatic cleanup of expired artifacts auto_cleanup: true # Notification before cleanup notify_before_cleanup_days: 7 monitoring: # Track storage usage track_storage_usage: true # Alert thresholds storage_alert_threshold_gb: 1000 artifact_count_threshold: 10000 # Compliance and audit requirements compliance: # Minimum retention for audit purposes minimum_audit_retention_days: 90 # Required artifact types for compliance required_artifacts: - security_scan_results - dependency_audit_reports - build_provenance_data - test_execution_logs - sbom_reports # Data protection and privacy data_protection: # Encrypt sensitive artifacts encrypt_sensitive_data: true # Anonymize logs where possible anonymize_logs: true # Geographic data residency requirements data_residency: "us-east" # Cost optimization metrics cost_optimization: # Target storage cost per month (USD) target_monthly_cost: 50 # Storage efficiency targets compression_ratio_target: 0.3 # 70% size reduction # Cleanup efficiency cleanup_frequency_days: 7 # Monitoring and reporting generate_cost_reports: true report_frequency: "weekly"