diff --git a/.github/workflows/container-registry-purge.yml b/.github/workflows/container-registry-purge.yml new file mode 100644 index 0000000000..37726ec1b2 --- /dev/null +++ b/.github/workflows/container-registry-purge.yml @@ -0,0 +1,77 @@ +--- +name: Container Registry Purge + +on: + schedule: + - cron: '0 0 * * SUN' + workflow_dispatch: + inputs: {} + +jobs: + purge: + name: Purge old images + runs-on: ubuntu-20.04 + strategy: + matrix: + include: + - name: bitwardenqa + - name: bitwardenprod + steps: + - name: Login to Azure + uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf + with: + creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} + + - name: Purge images + env: + REGISTRY: ${{ matrix.name }} + AGO_DUR: "30d" + run: | + REPO_LIST=$(az acr repository list -n $REGISTRY -o tsv) + for REPO in $REPO_LIST + do + PURGE_CMD="acr purge --filter '$REPO:.*' --ago $AGO_DUR --untagged --dry-run" + az acr run --cmd "$PURGE_CMD" --registry $REGISTRY /dev/null + done + + + check-failures: + name: Check for failures + if: always() + runs-on: ubuntu-20.04 + needs: + - purge + steps: + - name: Check if any job failed + if: | + github.ref == 'refs/heads/master' + || github.ref == 'refs/heads/rc' + || github.ref == 'refs/heads/hotfix' + env: + PURGE_STATUS: ${{ needs.purge.result }} + run: | + if [ "$PURGE_STATUS" = "failure" ]; then + exit 1 + fi + + - name: Login to Azure - Prod Subscription + uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf + if: failure() + with: + creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} + + - name: Retrieve secrets + id: retrieve-secrets + uses: Azure/get-keyvault-secrets@470858ec5d16542d1a87e1998c0988130ef304dd + if: failure() + with: + keyvault: "bitwarden-prod-kv" + secrets: "devops-alerts-slack-webhook-url" + + - name: Notify Slack on failure + uses: act10ns/slack@186ef8b81dc1f91522af6998d8019e2e886da2ca # v1.2.2 + if: failure() + env: + SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }} + with: + status: ${{ job.status }}