bitwarden-server/.github/workflows/container-registry-purge.yml

---
name: Container registry purge

on:
  schedule:
    - cron: "0 0 * * SUN"
  workflow_dispatch:
    inputs: {}

jobs:
  purge:
    name: Purge old images
    runs-on: ubuntu-22.04
    steps:
      - name: Log in to Azure
        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
        with:
          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}

      - name: Purge images
        env:
          REGISTRY: bitwardenprod
          AGO_DUR_VER: "180d"
          AGO_DUR: "30d"
        run: |
          REPO_LIST=$(az acr repository list -n $REGISTRY -o tsv)
          for REPO in $REPO_LIST
          do

            PURGE_LATEST=""
            PURGE_VERSION=""
            PURGE_ELSE=""

            TAG_LIST=$(az acr repository show-tags -n $REGISTRY --repository $REPO -o tsv)
            for TAG in $TAG_LIST
            do
              if [ $TAG = "latest" ] || [ $TAG = "dev" ]; then
                PURGE_LATEST+="--filter '$REPO:$TAG' "
              elif [[ $TAG =~ [0-9]+\.[0-9]+\.[0-9]+ ]]; then
                PURGE_VERSION+="--filter '$REPO:$TAG' "
              else
                PURGE_ELSE+="--filter '$REPO:$TAG' "
              fi
            done

            if [ ! -z "$PURGE_LATEST" ]
            then
              PURGE_LATEST_CMD="acr purge $PURGE_LATEST --ago $AGO_DUR_VER --untagged --keep 1"
              az acr run --cmd "$PURGE_LATEST_CMD" --registry $REGISTRY /dev/null &
            fi

            if [ ! -z "$PURGE_VERSION" ]
            then
              PURGE_VERSION_CMD="acr purge $PURGE_VERSION --ago $AGO_DUR_VER --untagged"
              az acr run --cmd "$PURGE_VERSION_CMD" --registry $REGISTRY /dev/null &
            fi

            if [ ! -z "$PURGE_ELSE" ]
            then
              PURGE_ELSE_CMD="acr purge $PURGE_ELSE --ago $AGO_DUR --untagged"
              az acr run --cmd "$PURGE_ELSE_CMD" --registry $REGISTRY /dev/null &
            fi

            wait

          done          

  check-failures:
    name: Check for failures
    if: always()
    runs-on: ubuntu-22.04
    needs: [purge]
    steps:
      - name: Check if any job failed
        if: |
          (github.ref == 'refs/heads/main'
          || github.ref == 'refs/heads/rc'
          || github.ref == 'refs/heads/hotfix-rc')
          && contains(needs.*.result, 'failure')          
        run: exit 1

      - name: Log in to Azure - CI subscription
        uses: Azure/login@92a5484dfaf04ca78a94597f4f19fea633851fa2 # v1.4.7
        if: failure()
        with:
          creds: ${{ secrets.AZURE_KV_CI_SERVICE_PRINCIPAL }}

      - name: Retrieve secrets
        id: retrieve-secrets
        uses: bitwarden/gh-actions/get-keyvault-secrets@main
        if: failure()
        with:
          keyvault: "bitwarden-ci"
          secrets: "devops-alerts-slack-webhook-url"

      - name: Notify Slack on failure
        uses: act10ns/slack@ed1309ab9862e57e9e583e51c7889486b9a00b0f # v2.0.0
        if: failure()
        env:
          SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
        with:
          status: ${{ job.status }}