If you only have one rule, it will indeed delete your Stable images.
However, you can accomplish this with 2 rules in a policy. A rule at priority 10 will keep your Stable images (16.XXXX) safe, and a rule at priority 20 will 'see' the number of tags with your Unstable versions (16_XXXX) but will be unable to ever delete a Stable image because it is at a higher priority. Here's an example:
{
"rules": [
{
"rulePriority": 10,
"description": "Keep Stable Images",
"selection": {
"tagStatus": "tagged",
"tagPrefixList": ["16."],
"countType": "imageCountMoreThan",
"countNumber": 9999
},
"action": {
"type": "expire"
}
},
{
"rulePriority": 20,
"description": "Delete Old Unstable Images",
"selection": {
"tagStatus": "tagged",
"tagPrefixList": ["16_"],
"countType": "imageCountMoreThan",
"countNumber": 500
},
"action": {
"type": "expire"
}
}
]
}
Source: I wrote the rule evaluation logic for Lifecycle Policies :) You can also check the docs, at the bottom of this page describes some facts about the system that users can take advantage of: https://docs.aws.amazon.com/AmazonECR/latest/userguide/LifecyclePolicies.html
An image that matches the tagging requirements of a rule cannot be expired by a rule with a lower priority.
