<!-- Add the related story/sub-task/bug number, like Resolves #123, or remove if NA --> **Related issue:** Resolves #42691 # Checklist for submitter If some of the following don't apply, delete the relevant line. - [ ] Changes file added for user-visible changes in `changes/`, `orbit/changes/` or `ee/fleetd-chrome/changes`. See [Changes files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/guides/committing-changes.md#changes-files) for more information. n/a ## Testing - [ ] Added/updated automated tests - [X] QA'd all new/changed functionality manually - I ran the updated snapshot action on this branch and verified that it pushed the branch-tagged image, but not the SHA-tagged one. - I ran the cleanup script in dry-run mode and verified that it didn't expect to delete any non-sha-tagged images - I wasn't able to test the delete-image-on-branch-delete action for obvious reasons. - I haven't tested the cleanup script in non-dry-run mode... I could do on my personal dockerhub... <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Release Notes * **New Features** * Automated cleanup of Docker images when development branches are deleted to maintain registry hygiene. * New utility for managing and cleaning up legacy Docker image tags. * **Chores** * Enhanced Docker image tagging in snapshot builds with improved branch name handling. <!-- end of auto-generated comment: release notes by coderabbit.ai -->
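# Docker cleanup (branch deletion)
#
# When a branch is deleted in fleetdm/fleet, remove the Docker image tag that the
# snapshot build pushed for that branch from Docker Hub and Quay.io.
#
# Trust boundary: the only externally influenced input is the deleted branch
# name (github.event.ref). It is handed to shell steps through `env:` (never
# interpolated into `run:` with ${{ }}), and it is validated against the Docker
# tag character set before it is ever placed in a registry URL path.
name: Docker cleanup (branch deletion)

on:
  delete:

permissions:
  contents: read

jobs:
  cleanup:
    # Only run for branch deletions (not tag deletions) in the fleetdm/fleet repo.
    # The repository check also keeps forks from running this job at all.
    if: ${{ github.event.ref_type == 'branch' && github.repository == 'fleetdm/fleet' }}
    runs-on: ubuntu-latest
    environment: Docker Hub
    steps:
      - name: Sanitize branch name
        id: sanitize
        env:
          BRANCH: ${{ github.event.ref }}
        run: |
          # Mirror the branch -> tag mapping used by the snapshot build: every
          # "/" becomes "-". NOTE(review): if the snapshot workflow maps other
          # characters as well, mirror that here or the cleanup will miss tags.
          SANITIZED="${BRANCH//\//-}"
          echo "TAG=$SANITIZED" >> "$GITHUB_OUTPUT"

      - name: Skip protected or invalid tags
        id: check_protected
        env:
          TAG: ${{ steps.sanitize.outputs.TAG }}
        run: |
          skip=false
          reason=""
          # Git allows characters in branch names that Docker tags do not
          # (for example "#", "%", ";", "$"). Such a name can never have been
          # pushed as a tag, and if it reached the registry URL unchecked it
          # could be rewritten on the way: curl drops everything after "#",
          # so a branch named "main#x" would become DELETE .../tags/main.
          # Refuse anything outside the Docker tag character set.
          if [[ ! "$TAG" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
            skip=true
            reason="not a valid Docker tag"
          # Never delete tags that are not produced by branch snapshots.
          # NOTE(review): "latest" and "v<digits>..." are assumed to be release
          # tags; confirm against the release tagging scheme. Skipping a real
          # branch snapshot named like this only costs a stale tag, whereas
          # deleting a release tag is unrecoverable.
          elif [[ "$TAG" == "main" || "$TAG" == "latest" \
                || "$TAG" == rc-minor-* || "$TAG" == rc-patch-* \
                || "$TAG" == v[0-9]* ]]; then
            skip=true
            reason="protected tag"
          fi
          echo "skip=$skip" >> "$GITHUB_OUTPUT"
          if [[ "$skip" == "true" ]]; then
            echo "Skipping cleanup ($reason): $TAG"
          fi

      - name: Delete tag from Docker Hub
        if: steps.check_protected.outputs.skip == 'false'
        env:
          TAG: ${{ steps.sanitize.outputs.TAG }}
          DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
          DOCKERHUB_ACCESS_TOKEN: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
        run: |
          # Authenticate and get a JWT. The login body is built with jq so a
          # username or token containing quotes/backslashes cannot break the
          # JSON. `.token // empty` matters: a plain `.token` on an error
          # response yields the literal string "null", so the emptiness check
          # below would never fire and the DELETE would run with a bogus token.
          TOKEN=$(jq -cn --arg u "$DOCKERHUB_USERNAME" --arg p "$DOCKERHUB_ACCESS_TOKEN" \
                    '{username: $u, password: $p}' \
            | curl -s --max-time 30 -X POST "https://hub.docker.com/v2/users/login/" \
                -H "Content-Type: application/json" -d @- \
            | jq -r '.token // empty')

          # Bail if the token is empty (authentication failed). Never echo it.
          if [[ -z "$TOKEN" ]]; then
            echo "Failed to authenticate with Docker Hub. Check credentials."
            exit 1
          fi

          # Delete the tag (404 is fine: the snapshot may never have pushed it).
          HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 30 -X DELETE \
            "https://hub.docker.com/v2/repositories/fleetdm/fleet/tags/${TAG}/" \
            -H "Authorization: Bearer $TOKEN")

          case "$HTTP_STATUS" in
            204) echo "Deleted Docker Hub tag: $TAG" ;;
            404) echo "Docker Hub tag not found (already deleted or never published): $TAG" ;;
            *)
              echo "Unexpected response from Docker Hub: HTTP $HTTP_STATUS"
              exit 1
              ;;
          esac

      - name: Delete tag from Quay.io
        # Run even if the Docker Hub step failed, so one registry's outage does
        # not leave the other registry's tag behind; still honor the skip.
        if: ${{ !cancelled() && steps.check_protected.outputs.skip == 'false' }}
        env:
          TAG: ${{ steps.sanitize.outputs.TAG }}
          QUAY_REGISTRY_PASSWORD: ${{ secrets.QUAY_REGISTRY_PASSWORD }}
        run: |
          # NOTE(review): the Quay API takes an OAuth access token in the
          # Bearer header, while this secret is named like a registry (docker
          # login) password. The PR states this step was not exercised end to
          # end; confirm the secret is an API token with permission to delete
          # tags on fleetdm/fleet, otherwise every run will end in 401/403.
          HTTP_STATUS=$(curl -s -o /dev/null -w "%{http_code}" --max-time 30 -X DELETE \
            "https://quay.io/api/v1/repository/fleetdm/fleet/tag/${TAG}" \
            -H "Authorization: Bearer $QUAY_REGISTRY_PASSWORD")

          case "$HTTP_STATUS" in
            200|204) echo "Deleted Quay.io tag: $TAG" ;;
            404) echo "Quay.io tag not found (already deleted or never published): $TAG" ;;
            *)
              echo "Unexpected response from Quay.io: HTTP $HTTP_STATUS"
              exit 1
              ;;
          esac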