build(deps): bump dataaxiom/ghcr-cleanup-action from 1.0.16 to 1.2.1

[dependabot]

Bumps dataaxiom/ghcr-cleanup-action from 1.0.16 to 1.2.1.

Release notes

Sourced from dataaxiom/ghcr-cleanup-action's releases.

v1.2.1

• fix: tolerate every 404 on package version delete (was: fail on the second) (fix #121)
• fix: eliminate spurious "wasn't found" warnings from cosign signature dual-cascade race
• fix: per-image log buffer flushes audit trail even when a cascade errors mid-flight

v1.2.0

• feature: cross-run manifest cache; warm runs only fetch newly-published manifests (hit rate logged)
• perf: parallel API throughout — package pagination, manifest fetches, untag PUTs, child/referrer deletes
• perf: batched untagging — one reload per batch instead of one per tag
• perf: push token reuse across untag PUTs + 429/secondary rate-limit retries on registry auth
• fix: repository input is now informational; cleanup uses owner + package directly (supports unlinked / cross-account packages)
• log volume cap at 1000 lines per group (info); per-image log output buffered to avoid interleaving under concurrent deletes
• package version upgrades

v1.1.0

• fix: preserve OCI 1.1 subject-bearing referrers (cosign sigstore-bundles, attestations) during cleanup — were silently deleted as untagged #71
• fix: keep-n-tagged now gates untag operations; a matched tag is not stripped from an image that keep-n-tagged would protect (#99, #101)
• fix: shared multi-arch platform digests no longer cascade-deleted when one of multiple parent indexes is removed (#91)
• fix: delete-partial-images excludes fully ghost images #112
• fix: Octokit error output visible at all log levels (was suppressed when log-level was error or warn)
• fix: expand-packages rejects fine-grained PATs upfront with a clear message
• fix: setFailed message no longer overwritten by an empty Error in early-failure paths
• feat: ReDoS guard on user-supplied regex (delete-tags, exclude-tags, package) when use-regex: true
• feat: code refactor/split, removal of anys where possible using typed classes
• chore(deps): Node.js 24
• docs: README rewrite + Limitations section (5,000-download undeletable policy, nested-manifest non-support)

Commits

• f092b48 Merge pull request #122 from rohanmars/main
• fa3daf5 ci: hoist fork-PR approval gate to a single job (was per matrix entry)
• c1ba289 fix: synchronously claim digests before delete to prevent concurrent duplicat...
• f5e37e7 fix: tolerate all 404s on package version delete; always flush per-tree log b...
• 374e202 Merge pull request #120 from rohanmars/code-review
• e1e6176 perf: cap per-listing log volume at 1000 lines (truncate at INFO)
• 6516895 fix: drop the post-reload untag-ops invariant assertion (3.1.5 retraction)
• 5a020af feat: buffer deleteImage logs per top-level tree, flush atomically
• 8263ff3 chore: refresh dependencies to latest patches within current ranges
• 5a3f4cc chore: update coverage badge to 94.47%
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)