--- name: Container registry purge on: schedule: - cron: "0 0 * * SUN" workflow_dispatch: inputs: {} jobs: purge: name: Purge old images runs-on: ubuntu-22.04 steps: - name: Log in to Azure uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 with: creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} - name: Purge images env: REGISTRY: bitwardenprod AGO_DUR_VER: "180d" AGO_DUR: "30d" run: | REPO_LIST=$(az acr repository list -n $REGISTRY -o tsv) for REPO in $REPO_LIST do PURGE_LATEST="" PURGE_VERSION="" PURGE_ELSE="" TAG_LIST=$(az acr repository show-tags -n $REGISTRY --repository $REPO -o tsv) for TAG in $TAG_LIST do if [ $TAG = "latest" ] || [ $TAG = "dev" ]; then PURGE_LATEST+="--filter '$REPO:$TAG' " elif [[ $TAG =~ [0-9]+\.[0-9]+\.[0-9]+ ]]; then PURGE_VERSION+="--filter '$REPO:$TAG' " else PURGE_ELSE+="--filter '$REPO:$TAG' " fi done if [ ! -z "$PURGE_LATEST" ] then PURGE_LATEST_CMD="acr purge $PURGE_LATEST --ago $AGO_DUR_VER --untagged --keep 1" az acr run --cmd "$PURGE_LATEST_CMD" --registry $REGISTRY /dev/null & fi if [ ! -z "$PURGE_VERSION" ] then PURGE_VERSION_CMD="acr purge $PURGE_VERSION --ago $AGO_DUR_VER --untagged" az acr run --cmd "$PURGE_VERSION_CMD" --registry $REGISTRY /dev/null & fi if [ ! -z "$PURGE_ELSE" ] then PURGE_ELSE_CMD="acr purge $PURGE_ELSE --ago $AGO_DUR --untagged" az acr run --cmd "$PURGE_ELSE_CMD" --registry $REGISTRY /dev/null & fi wait done check-failures: name: Check for failures if: always() runs-on: ubuntu-22.04 needs: [purge] steps: - name: Check if any job failed if: | (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/rc' || github.ref == 'refs/heads/hotfix-rc') && contains(needs.*.result, 'failure') run: exit 1 - name: Log in to Azure - CI subscription uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7 if: failure() with: creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }} - name: Retrieve secrets id: retrieve-secrets uses: bitwarden/gh-actions/get-keyvault-secrets@main if: failure() with: keyvault: "bitwarden-ci" secrets: "devops-alerts-slack-webhook-url" - name: Notify Slack on failure uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0 if: failure() env: SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} with: status: ${{ job.status }}