Merge pull request #251 from puzzle/250-bug-cleanup-job-does-not-remove-associated-docker-image-signatures

Enhance PR cleanup workflow and add signatures cleanup script

Author: chrira

.github/workflows/pr-cleanup.yaml

@@ -1,15 +1,29 @@
-name: PRCleanup
+name: Pull Request Cleanup
 
 on:
   pull_request:
     types: [closed]
   workflow_dispatch:
+    inputs:
+      pr_number:
+        description: 'Optional PR number to use for cleanup'
+        required: false
+        type: string
+
+env:
+  ORG: '${{ github.repository_owner }}'
+  PACKAGE_NAME: '${{ github.event.repository.name }}'
+  PACKAGE_TYPE: 'container'
+  TAG: >-
+    pr-${{ github.event.pull_request.number || inputs.pr_number }}
+  LOGIN_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
 jobs:
   cleanup_helm:
     runs-on: ubuntu-latest
     env:
-      TRAINING_HELM_RELEASE: 'pr-${{ github.event.pull_request.number }}'
+      TRAINING_HELM_RELEASE: >-
+        pr-${{ github.event.pull_request.number || inputs.pr_number }}
       TRAINING_NAMESPACE: 'pitc-cicd-gitlab-ci-cd-training-test'
       KUBE_CONFIG_PATH: '$HOME/.kube'
       KUBE_CONFIG_FILENAME: 'config'
@@ -41,12 +55,6 @@ jobs:
   cleanup_registry:
     runs-on: ubuntu-latest
     needs: cleanup_helm
-    env:
-      ORG: '${{ github.repository_owner }}'
-      PACKAGE_NAME: '${{ github.event.repository.name }}'
-      PACKAGE_TYPE: 'container'
-      TAG: "pr-${{ github.event.pull_request.number }}"
-      LOGIN_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v5
@@ -56,4 +64,18 @@ jobs:
           sparse-checkout-cone-mode: false
           fetch-depth: 0
       - name: Run registry cleanup script
-        run: bash ./scripts/cleanup_registry.sh
+        run: bash ./scripts/cleanup_registry.sh
+
+  cleanup_signatures:
+    runs-on: ubuntu-latest
+    needs: cleanup_registry
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
+        with:
+          sparse-checkout: |
+            scripts
+          sparse-checkout-cone-mode: false
+          fetch-depth: 0
+      - name: Run signatures cleanup script
+        run: bash ./scripts/cleanup_signatures.sh

scripts/cleanup_signatures.sh

@@ -0,0 +1,104 @@
+#!/bin/bash
+set -euo pipefail
+
+export VERSIONS_FILE=versions.json
+export SIGNATURES_FILE=versions-with-sigs.json
+
+
+# Verifies all required environment variables are set.
+check_env_vars() {
+  : "${ORG:?Missing ORG}"
+  : "${PACKAGE_NAME:?Missing PACKAGE_NAME}"
+  : "${PACKAGE_TYPE:?Missing PACKAGE_TYPE}"
+  : "${LOGIN_TOKEN:?Missing LOGIN_TOKEN}"
+  : "${VERSIONS_FILE:?Missing VERSIONS FILE NAME}"
+  : "${SIGNATURES_FILE:?Missing SIGNATURES FILE NAME}"
+}
+
+# Uses curl to fetch all package versions from GitHub and save to ${VERSIONS_FILE}.
+fetch_versions() {
+  curl -sSfL \
+    -H "Accept: application/vnd.github+json" \
+    -H "Authorization: Bearer ${LOGIN_TOKEN}" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    "https://api.github.com/orgs/${ORG}/packages/${PACKAGE_TYPE}/${PACKAGE_NAME}/versions" > "${VERSIONS_FILE}"
+}
+
+# Builds a newline-separated string of all version names in ${VERSIONS_FILE}.
+get_all_names() {
+  jq -r '.[].name' "${VERSIONS_FILE}"
+}
+
+# Helper function to print the signature SHA for a given full_tag
+print_sig_sha() {
+  local full_tag="$1"
+  sig_sha=$(jq -r --arg t "$full_tag" '.[] | select(.metadata.container.tags[]? == $t) | .name' "${VERSIONS_FILE}")
+  echo -e "\033[1m$ sig_sha\033[0m"
+}
+
+# Loops over entries and prints dangling signatures.
+scan_for_dangling_signatures() {
+  local all_names
+  all_names=$(get_all_names)
+  local show_no_sig_tags="${SHOW_NO_SIG_TAGS:-false}"
+  local show_assigned_sig_tags="${SHOW_ASSIGNED_SIG_TAGS:-true}"
+  while read -r entry; do
+    full_tag=$(jq -r '.tags[]? | select(test("^sha256-.*\\.sig$"))' <<<"$entry")
+    if [[ -z "$full_tag" ]]; then
+      if [[ "$show_no_sig_tags" == "true" ]]; then
+        echo "-----------------"
+        echo -e "\033[33mNo signature tag found\033[0m"
+        echo "-----------------"
+        echo ""
+      fi
+      continue
+    fi
+
+    tag=${full_tag/sha256-/sha256:}
+    tag=${tag%.sig}
+    tag_name=$(jq -r '.name' <<<"$entry")
+
+    if [[ -n "$tag" ]] && ! grep -Fqx "$tag" <<<"$all_names"; then
+      echo "-----------------"
+      echo "Signature: $full_tag"
+      echo "Related Tag: $tag"
+      echo "Tag Name: $tag_name"
+      echo -e "Status: \033[31mORPHANED SIGNATURE ✗\033[0m"
+      echo -e "\033[1mDangling Sig to delete:\033[0m $full_tag"
+      print_sig_sha "$full_tag"
+      # Find version ID for the signature to delete
+      version_id=$(jq -r --arg t "$full_tag" '.[] | select(.metadata.container.tags[]? == $t) | .id' "${VERSIONS_FILE}")
+      if [[ -n "$version_id" && "$version_id" != "null" ]]; then
+        curl -sSfL \
+          -X DELETE \
+          -H "Accept: application/vnd.github+json" \
+          -H "Authorization: Bearer ${LOGIN_TOKEN}" \
+          -H "X-GitHub-Api-Version: 2022-11-28" \
+          "https://api.github.com/orgs/${ORG}/packages/${PACKAGE_TYPE}/${PACKAGE_NAME}/versions/${version_id}"
+        echo "Deleted signature: $full_tag (version_id: $version_id)"
+      else
+        echo "Could not find version ID for signature $full_tag. Skipping deletion."
+      fi
+      echo "-----------------"
+      echo ""
+    else
+      if [[ "$show_assigned_sig_tags" == "true" ]]; then
+        echo "-----------------"
+        echo "Signature: $full_tag"
+        echo "Related Tag: $tag"
+        echo "Tag Name: $tag_name"
+        echo -e "Status: \033[32mSIGNATURE ASSIGNED TO IMAGE ✅\033[0m"
+        jq -r '.name' <<<"$entry"
+        echo "-----------------"
+        echo ""
+      fi
+    fi
+  done < <(jq -cr '.[] | {name, tags: (.metadata.container.tags // [])}' "${VERSIONS_FILE}")
+}
+
+# Main execution sequence
+check_env_vars
+fetch_versions
+scan_for_dangling_signatures
+
+echo "🏁 Registry cleanup completed."