---
name: Container Registry Purge

on:
  schedule:
    - cron: '0 0 * * SUN'
  workflow_dispatch:
    inputs: {}

jobs:
  purge:
    name: Purge old images
    runs-on: ubuntu-20.04
    strategy:
      fail-fast: false
      matrix:
        include:
          - name: bitwardenqa
          - name: bitwardenprod
    steps:
      - name: Login to Azure
        if: matrix.name == 'bitwardenprod'
        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

      - name: Login to Azure
        if: matrix.name == 'bitwardenqa'
        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
        with:
          creds: ${{ secrets.AZURE_QA_KV_CREDENTIALS }}

      - name: Purge images
        env:
          REGISTRY: ${{ matrix.name }}
          AGO_DUR_VER: "180d"
          AGO_DUR: "30d"
        run: |
          REPO_LIST=$(az acr repository list -n $REGISTRY -o tsv)
          for REPO in $REPO_LIST
          do
            TAG_LIST=$(az acr repository show-tags -n $REGISTRY --repository $REPO -o tsv)
            for TAG in $TAG_LIST
            do
              if [ $TAG = "latest" ] || [ $TAG = "dev" ]; then
                PURGE_CMD="acr purge --filter '$REPO:$TAG' --ago $AGO_DUR_VER --untagged --keep 1"
              elif [[ $TAG =~ [0-9]+\.[0-9]+\.[0-9]+ ]]; then
                PURGE_CMD="acr purge --filter '$REPO:$TAG' --ago $AGO_DUR_VER --untagged"
              else
                PURGE_CMD="acr purge --filter '$REPO:$TAG' --ago $AGO_DUR --untagged"
              fi
              az acr run --cmd "$PURGE_CMD" --registry $REGISTRY /dev/null
            done
          done


  check-failures:
    name: Check for failures
    if: always()
    runs-on: ubuntu-20.04
    needs:
      - purge
    steps:
      - name: Check if any job failed
        if: |
          github.ref == 'refs/heads/master'
          || github.ref == 'refs/heads/rc'
          || github.ref == 'refs/heads/hotfix-rc'
        env:
          PURGE_STATUS: ${{ needs.purge.result }}
        run: |
          if [ "$PURGE_STATUS" = "failure" ]; then
              exit 1
          fi

      - name: Login to Azure - Prod Subscription
        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
        if: failure()
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: Azure/get-keyvault-secrets@b5c723b9ac7870c022b8c35befe620b7009b336f
        if: failure()
        with:
          keyvault: "bitwarden-prod-kv"
          secrets: "devops-alerts-slack-webhook-url"

      - name: Notify Slack on failure
        uses: act10ns/slack@da3191ebe2e67f49b46880b4633f5591a96d1d33
        if: failure()
        env:
          SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
        with:
          status: ${{ job.status }}