Add monthly CronJob to clean ARC runner cargo/npm caches

[brandonrc]

Summary

• New raw manifest e2e/runner-cache-cleanup-cronjob.yaml (follows the e2e/ raw-manifest pattern, e.g. dind-registry-mirror-configmap.yaml)
• Monthly CronJob (0 5 1 * *) in arc-runners that mounts the shared /home/runner-cache hostPath and prunes:
  • cargo-home/registry/src/* and cargo-home/registry/cache/* (~750M today; cargo re-fetches on demand)
  • npm/* (npm cache)
• Explicitly skips sccache/ (self-evicts via SCCACHE_CACHE_SIZE) and cargo-home/bin (baked tool binaries)
• concurrencyPolicy: Forbid, activeDeadlineSeconds: 1800, runAsUser: 0 (cache files are root-created), busybox image

Race with live CI jobs

Deleting registry files while a cargo build reads them can fail that build. Kept simple per scope: scheduled at 05:00 on the 1st (quiet hour), risk documented in the manifest header; cargo re-downloads missing files in most cases and a CI retry recovers otherwise. No in-cluster kubectl/RBAC added.

Test plan

• kubectl apply --dry-run=server clean
• Applied to cluster; manual test-fire via kubectl create job --from=cronjob/runner-cache-cleanup completed, logs show correct paths cleaned and sccache/cargo-home/bin skipped (evidence in comments)

🤖 Generated with Claude Code

[github-actions]

Missing linked issue

This PR does not reference a tracking issue in its body. Every PR must link to an issue in this repository so we can trace work back to a planned change.

How to fix

1. Edit the PR description and add a line like Closes #123, Fixes #123, or Resolves #123 referring to an open issue in artifact-keeper/artifact-keeper-iac.
2. Save the description. This check will re-run automatically.

Accepted keywords (case-insensitive, any tense): close, closes, closed, fix, fixes, fixed, resolve, resolves, resolved.

Policy reference: see the PR template.

Maintainer bypass: apply the no-issue-required label to this PR to skip the check (use sparingly, e.g. for trivial typo fixes or release-tag chores).

[brandonrc]

Apply + test-fire evidence (node rocky, 2026-06-12)

$ kubectl apply -f e2e/runner-cache-cleanup-cronjob.yaml
cronjob.batch/runner-cache-cleanup created
$ kubectl get cronjob -n arc-runners
NAME                   SCHEDULE    SUSPEND   ACTIVE   LAST SCHEDULE   AGE
runner-cache-cleanup   0 5 1 * *   False     0        <none>          0s

Manual test-fire (kubectl create job --from=cronjob/runner-cache-cleanup runner-cache-cleanup-manual-test -n arc-runners) completed; job logs:

== runner-cache cleanup: Fri Jun 12 04:13:48 UTC 2026 ==
-- before --
621.6M  /cache/cargo-home/registry/src
126.3M  /cache/cargo-home/registry/cache
17.0M   /cache/npm
SKIP /cache/sccache (self-evicts via SCCACHE_CACHE_SIZE)
SKIP /cache/cargo-home/bin (baked tool binaries)
CLEAN /cache/cargo-home/registry/src
CLEAN /cache/cargo-home/registry/cache
CLEAN /cache/npm
-- after --
0  /cache/cargo-home/registry/src
0  /cache/cargo-home/registry/cache
0  /cache/npm
== done ==

Host verification after run:

• sccache/ untouched: 11G before and after
• cargo-home/registry/{src,cache} and npm/ emptied (dirs themselves preserved, CACHEDIR.TAG and registry/index intact, dot-files like .global-cache untouched since the glob skips them)
• cargo-home/bin does not currently exist on this host (tool binaries appear to be baked into the runner image instead); the script explicitly avoids it regardless, so it will survive if/when it appears