--- name: Container Registry Purge on: schedule: - cron: '0 0 * * SUN' workflow_dispatch: inputs: {} jobs: purge: name: Purge old images runs-on: ubuntu-20.04 steps: - name: Login to Azure uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 with: creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} - name: Purge images env: REGISTRY: bitwardenprod AGO_DUR_VER: "180d" AGO_DUR: "30d" run: | REPO_LIST=$(az acr repository list -n $REGISTRY -o tsv) for REPO in $REPO_LIST do PURGE_LATEST="" PURGE_VERSION="" PURGE_ELSE="" TAG_LIST=$(az acr repository show-tags -n $REGISTRY --repository $REPO -o tsv) for TAG in $TAG_LIST do if [ $TAG = "latest" ] || [ $TAG = "dev" ]; then PURGE_LATEST+="--filter '$REPO:$TAG' " elif [[ $TAG =~ [0-9]+\.[0-9]+\.[0-9]+ ]]; then PURGE_VERSION+="--filter '$REPO:$TAG' " else PURGE_ELSE+="--filter '$REPO:$TAG' " fi done if [ ! -z "$PURGE_LATEST" ] then PURGE_LATEST_CMD="acr purge $PURGE_LATEST --ago $AGO_DUR_VER --untagged --keep 1" az acr run --cmd "$PURGE_LATEST_CMD" --registry $REGISTRY /dev/null & fi if [ ! -z "$PURGE_VERSION" ] then PURGE_VERSION_CMD="acr purge $PURGE_VERSION --ago $AGO_DUR_VER --untagged" az acr run --cmd "$PURGE_VERSION_CMD" --registry $REGISTRY /dev/null & fi if [ ! -z "$PURGE_ELSE" ] then PURGE_ELSE_CMD="acr purge $PURGE_ELSE --ago $AGO_DUR --untagged" az acr run --cmd "$PURGE_ELSE_CMD" --registry $REGISTRY /dev/null & fi wait done check-failures: name: Check for failures if: always() runs-on: ubuntu-20.04 needs: - purge steps: - name: Check if any job failed if: | github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc' env: PURGE_STATUS: ${{ needs.purge.result }} run: | if [ "$PURGE_STATUS" = "failure" ]; then exit 1 fi - name: Login to Azure - CI subscription uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 if: failure() with: creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - name: Retrieve secrets id: retrieve-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@main if: failure() with: keyvault: "bitwarden-ci" secrets: "devops-alerts-slack-webhook-url" - name: Notify Slack on failure uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 if: failure() env: SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} with: status: ${{ job.status }}