fix delete

Author: anthony-nhs

.github/scripts/delete_unused_images.sh

@@ -1,25 +1,39 @@
 #!/usr/bin/env bash
 
 DRY_RUN=false
+DELETE_PR=false
+DELETE_CI=false
 
 while [[ $# -gt 0 ]]; do
 	case "$1" in
 		--dry-run|-n)
 			DRY_RUN=true
 			shift
 			;;
+		--delete-pr)
+			DELETE_PR=true
+			shift
+			;;
+		--delete-ci)
+			DELETE_CI=true
+			shift
+			;;
 		--help|-h)
-			echo "Usage: $0 [--dry-run]"
+			echo "Usage: $0 [--dry-run] [--delete-pr] [--delete-ci]"
 			exit 0
 			;;
 		*)
 			echo "Unknown option: $1" >&2
-			echo "Usage: $0 [--dry-run]" >&2
+			echo "Usage: $0 [--dry-run] [--delete-pr] [--delete-ci]" >&2
 			exit 1
 			;;
 	esac
 done
 
+if [[ "${DELETE_PR}" == "false" && "${DELETE_CI}" == "false" ]]; then
+	DELETE_PR=true
+fi
+
 get_container_package_name() {
 	local container_name=$1
 
@@ -66,12 +80,12 @@ delete_pr_images() {
 
 	while IFS= read -r tag; do
 		local pull_request
-		if [[ "${tag}" =~ ^pr-([0-9]+)- ]]; then
+		if [[ "${tag}" =~ ^pr-([0-9]+)(-.+)?$ ]]; then
 			pull_request=${BASH_REMATCH[1]}
-		elif [[ "${tag}" =~ ^githubactions-pr-([0-9]+)- ]]; then
+		elif [[ "${tag}" =~ ^githubactions-pr-([0-9]+)(-.+)?$ ]]; then
 			pull_request=${BASH_REMATCH[1]}
 		else
-			echo "Tag ${tag} does not match expected PR tag format, skipping."
+			echo "Tag ${tag} does not match expected PR tag format for container ${container_name}, skipping."
 			continue
 		fi
 
@@ -108,16 +122,75 @@ delete_pr_images() {
 	done <<<"${tags}"
 }
 
+delete_ci_images() {
+	local container_name=$1
+	local package_name
+	local versions_json
+	local tags
+
+	if [[ -z "${container_name}" ]]; then
+		echo "Container name is required" >&2
+		return 1
+	fi
+
+	package_name=$(get_container_package_name "${container_name}")
+	versions_json=$(get_container_versions_json "${container_name}")
+	tags=$(jq -r '[.[].metadata.container.tags[]?] | unique | .[]' <<<"${versions_json}")
+
+	if [[ -z "${tags}" ]]; then
+		echo "No tags found for container ${container_name}, skipping."
+		return 0
+	fi
+
+	while IFS= read -r tag; do
+		if [[ ! "${tag}" =~ ^ci-[0-9a-fA-F]{8}.*$ ]] && [[ ! "${tag}" =~ ^githubactions-ci-[0-9a-fA-F]{8}.*$ ]]; then
+			echo "Tag ${tag} does not match expected CI tag format for container ${container_name}, skipping."
+			continue
+		fi
+
+		jq -r --arg tag "${tag}" '.[] | select(.metadata.container.tags[]? == $tag) | .id' \
+			<<<"${versions_json}" \
+			| while IFS= read -r version_id; do
+				if [[ -n "${version_id}" ]]; then
+					if [[ "${DRY_RUN}" == "true" ]]; then
+						echo "[DRY RUN] Would delete CI image with tag ${tag} (version ID: ${version_id}) from container ${container_name}."
+					else
+						echo "Deleting CI image with tag ${tag} (version ID: ${version_id}) from container ${container_name}..."
+						gh api \
+					 		-H "Accept: application/vnd.github+json" \
+					 		-X DELETE \
+					 		"/orgs/nhsdigital/packages/container/${package_name}/versions/${version_id}"
+					fi
+				fi
+			done
+	done <<<"${tags}"
+}
+
 
 language_folders=$(find src/languages -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]')
 project_folders=$(find src/projects -mindepth 1 -maxdepth 1 -type d -printf '%f\n' | jq -R -s -c 'split("\n")[:-1]')
 
 for container_name in $(jq -r '.[]' <<<"${project_folders}"); do
-	delete_pr_images "${container_name}"
+	if [[ "${DELETE_PR}" == "true" ]]; then
+		delete_pr_images "${container_name}"
+	fi
+	if [[ "${DELETE_CI}" == "true" ]]; then
+		delete_ci_images "${container_name}"
+	fi
 done
 
 for container_name in $(jq -r '.[]' <<<"${language_folders}"); do
-	delete_pr_images "${container_name}"
+	if [[ "${DELETE_PR}" == "true" ]]; then
+		delete_pr_images "${container_name}"
+	fi
+	if [[ "${DELETE_CI}" == "true" ]]; then
+		delete_ci_images "${container_name}"
+	fi
 done
 
-delete_pr_images "base"
+if [[ "${DELETE_PR}" == "true" ]]; then
+	delete_pr_images "base"
+fi
+if [[ "${DELETE_CI}" == "true" ]]; then
+	delete_ci_images "base"
+fi

.github/workflows/delete_old_images.yml

@@ -26,6 +26,13 @@ jobs:
 
       - name: delete unused images
         shell: bash
-        run: .github/scripts/delete_unused_images.sh
+        run: |
+          if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then
+            .github/scripts/delete_unused_images.sh --delete-pr
+          elif [[ "${{ github.event_name }}" == "schedule" ]]; then
+            .github/scripts/delete_unused_images.sh --delete-ci
+          else
+            .github/scripts/delete_unused_images.sh
+          fi
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

README.md

@@ -274,6 +274,25 @@ poetry run python \
   --output src/projects/fhir_facade_api/.trivyignore.new.yaml 
 ```
 
+## Cleaning up unused container images
+
+There is a script to delete unused container images. This runs on every merge to main, and deletes pull request images, and on a weekly schedule which deletes images created by ci.   
+You can run it manually using the following. Using the `dry-run` flag just shows what would be deleted
+
+```
+make github-login
+bash .github/scripts/delete_unused_images.sh --delete-pr --dry-run
+bash .github/scripts/delete_unused_images.sh --delete-ci --dry-run
+bash .github/scripts/delete_unused_images.sh --delete-pr --delete-ci
+```
+
+Flags:
+- `--dry-run` (`-n`) shows what would be deleted without deleting anything.
+- `--delete-pr` deletes images tagged with `pr-...` or `githubactions-pr-...` only when the PR is closed.
+- `--delete-ci` deletes images tagged with `ci-<8 hex sha>...` or `githubactions-ci-<8 hex sha>...`.
+
+If neither `--delete-pr` nor `--delete-ci` is set, the script defaults to `--delete-pr`.
+
 ## Common makefile targets
 There are a set of common Makefiles that are defined in `src/base/.devcontainer/Mk` and are included from `common.mk`. These are installed to /usr/local/share/eps/Mk on the base image so are available for all containers.