ci(devcontainer): immutable :sha tag + prune stale build intermediates

[bilby91]

Independent pipeline improvement (does not touch the build config, so it's orthogonal to the arm64 fix in #92).

What

1. Immutable :sha-<commit> tag on the multi-arch manifest, alongside :latest — lets you pin a known-good prebuild or roll back.
2. Best-effort prune of the per-arch build-<run_id>-* intermediates that devcontainers/ci is forced to push (it can't push digest-only), so they stop accumulating in GHCR.

Safety

The current run's build-* intermediates share image digests with the children of the :latest manifest list — deleting those versions would corrupt :latest. The prune guards against this:

• Reads the digests referenced by the just-pushed :latest and never deletes a version with one of those digests.
• Never touches versions tagged latest or sha-*.
• Only targets build-*-tagged versions.
• continue-on-error: true — a cleanup/permission failure can never block a published image.

Net effect: current run's intermediates are preserved (they back :latest); stale intermediates from prior runs whose content changed get cleaned up.

Note

Both behaviors only exercise once the merge job runs, which needs both arch builds green — i.e. after #92 lands. The prune is intentionally conservative + non-fatal; if the GHCR delete perms differ from expectation it'll just log and move on, and we can tune in a follow-up without risk to :latest.

🤖 Generated with Claude Code

[coderabbitai]

Warning

Review limit reached

@bilby91, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 1 hour, 3 minutes, and 22 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more credits in the billing tab to continue.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c4492e65-2e87-4fd7-ad01-85aa14708e7f

📥 Commits

Reviewing files that changed from the base of the PR and between c7e3082 and e1aadbb.

📒 Files selected for processing (1)

• .github/workflows/devcontainer-cache.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch pipeline-tagging-improvements

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}