From a1f34b5de417e5887a870df42b9a1f3e8356b04d Mon Sep 17 00:00:00 2001
From: Vince Grassia <593223+vgrassia@users.noreply.github.com>
Date: Thu, 27 Jan 2022 16:28:12 -0500
Subject: [PATCH] Add Container Registry Purge workflow (#1826)

---
 .../workflows/container-registry-purge.yml    | 77 +++++++++++++++++++
 1 file changed, 77 insertions(+)
 create mode 100644 .github/workflows/container-registry-purge.yml

diff --git a/.github/workflows/container-registry-purge.yml b/.github/workflows/container-registry-purge.yml
new file mode 100644
index 0000000000..37726ec1b2
--- /dev/null
+++ b/.github/workflows/container-registry-purge.yml
@@ -0,0 +1,77 @@
+---
+name: Container Registry Purge
+
+on:
+  schedule:
+    - cron: '0 0 * * SUN'
+  workflow_dispatch:
+    inputs: {}
+
+jobs:
+  purge:
+    name: Purge old images
+    runs-on: ubuntu-20.04
+    strategy:
+      matrix:
+        include:
+          - name: bitwardenqa
+          - name: bitwardenprod
+    steps:
+      - name: Login to Azure
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        with:
+          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+
+      - name: Purge images
+        env:
+          REGISTRY: ${{ matrix.name }}
+          AGO_DUR: "30d"
+        run: |
+          REPO_LIST=$(az acr repository list -n $REGISTRY -o tsv)
+          for REPO in $REPO_LIST
+          do
+            PURGE_CMD="acr purge --filter '$REPO:.*' --ago $AGO_DUR --untagged --dry-run"
+            az acr run --cmd "$PURGE_CMD" --registry $REGISTRY /dev/null
+          done
+
+
+  check-failures:
+    name: Check for failures
+    if: always()
+    runs-on: ubuntu-20.04
+    needs:
+      - purge
+    steps:
+      - name: Check if any job failed
+        if: |
+          github.ref == 'refs/heads/master'
+          || github.ref == 'refs/heads/rc'
+          || github.ref == 'refs/heads/hotfix'
+        env:
+          PURGE_STATUS: ${{ needs.purge.result }}
+        run: |
+          if [ "$PURGE_STATUS" = "failure" ]; then
+              exit 1
+          fi
+
+      - name: Login to Azure - Prod Subscription
+        uses: Azure/login@1f63701bf3e6892515f1b7ce2d2bf1708b46beaf
+        if: failure()
+        with:
+          creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }}
+
+      - name: Retrieve secrets
+        id: retrieve-secrets
+        uses: Azure/get-keyvault-secrets@470858ec5d16542d1a87e1998c0988130ef304dd
+        if: failure()
+        with:
+          keyvault: "bitwarden-prod-kv"
+          secrets: "devops-alerts-slack-webhook-url"
+
+      - name: Notify Slack on failure
+        uses: act10ns/slack@186ef8b81dc1f91522af6998d8019e2e886da2ca  # v1.2.2
+        if: failure()
+        env:
+          SLACK_WEBHOOK_URL: ${{ steps.retrieve-secrets.outputs.devops-alerts-slack-webhook-url }}
+        with:
+          status: ${{ job.status }}