gitlab ci: add a helper script for container deletion

Rather than raw curl requests to the API, use a python script using the gitlab python package to access everything. This makes things a bit more readable. Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
2025-12-25 18:40:06 +01:00 · 2020-02-28 14:06:10 +10:00 · 2020-02-28 14:06:10 +10:00 · da5bfe22d2
commit da5bfe22d2
parent 6441b639aa
3 changed files with 95 additions and 128 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -44,8 +44,6 @@ stages:
 variables:
  # The upstrem repository we will check for images
  FDO_UPSTREAM_REPO: libevdev/libevdev
-  # The image that has buildah installed
-  BUILDAH_IMAGE: $CI_REGISTRY/wayland/ci-templates/buildah:latest
  LIBEVDEV_SKIP_ROOT_TESTS: 1
  GIT_DEPTH: 1
  MESON_BUILDDIR: 'build dir'
@ -389,75 +387,26 @@ alpine:latest@container-prep:
 # This stage will look for the container images we currently have in
 # the registry and will remove any that are not tagged with the provided
 # $container_image:$tag
-#
 .container-clean:
  stage: container_clean
-  image: $BUILDAH_IMAGE
+  image: golang:alpine
+  before_script:
+    - apk add python3
+    - pip3 install --user python-gitlab
  script:
-    - CONTAINER_IMAGE=$DISTRO_CONTAINER_IMAGE
-    - GITLAB=$(echo $CI_PROJECT_URL | cut -f3 -d/)
-    - REPOSITORY=$(echo $CONTAINER_IMAGE | cut -f2- -d/ | cut -f1 -d:)
-    - IMAGE_PATH=$(echo $CONTAINER_IMAGE | cut -f1 -d:)
-    - LATEST_TAG=$(echo $CONTAINER_IMAGE | cut -f2 -d:)
-
-    # log in to the registry (read only)
-    - podman login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-
-    # get the r/w token from the settings to access the registry
-    #
-    # each developer needs to register a secret variable that contains
-    # a personal token with api access. The token
-    # - must be named PERSONAL_TOKEN_$USER (for example PERSONAL_TOKEN_bentiss)
-    # - must be registered in the CI/CD Variables section as type file
-    # - value must be a netrc file as a single-line string:
-    #   default login <user> password <token value>
-    #   e.g. "default login bentiss password 1235abcde"
-    - tokenname="PERSONAL_TOKEN_$GITLAB_USER_LOGIN"
-    - netrcfile=$(eval echo "\$$tokenname")
-    - if [[ ! -f "$netrcfile" ]]; then
-         echo "No netrc file found or token is missing, skipping job" && false;
-      fi
-
-    # request a token for the registry API
-    - REGISTRY_TOKEN=$(curl https://$GITLAB/jwt/auth --get
-                             --silent --show-error
-                             -d client_id=docker
-                             -d offline_token=true
-                             -d service=container_registry
-                             -d "scope=repository:$REPOSITORY:pull,*"
-                             --fail
-                             --netrc-file "$netrcfile"
-                             | sed -r 's/(\{"token":"|"\})//g')
-
-    # get the digest of the latest image
-    - LATEST_MANIFEST=$(skopeo inspect docker://$IMAGE_PATH:$LATEST_TAG | jq -r '.Digest')
-
-    # get the list of tags
-    - TAGS=$(skopeo inspect docker://$IMAGE_PATH:$LATEST_TAG | jq -r '.RepoTags[]')
-    # FIXME: is the above command working properly? If not, use below:
-    # - TAGS=$(curl -X GET -H "accept:application/vnd.docker.distribution.manifest.v2+json"
-    #                      -H "authorization:Bearer $REGISTRY_TOKEN"
-    #                      https://$CI_REGISTRY/v2/$REPOSITORY/tags/list | jq -r '.tags[]')
-
-    # iterate over the tags
-    - for tag in $TAGS;
-      do
-        MANIFEST=$(skopeo inspect docker://$IMAGE_PATH:$tag | jq -r '.Digest');
-        if test x"$MANIFEST" != x"$LATEST_MANIFEST";
-          then
-            echo removing $tag as $MANIFEST;
-            curl https://$CI_REGISTRY/v2/$REPOSITORY/manifests/$MANIFEST --silent
-                 -H "accept:application/vnd.docker.distribution.manifest.v2+json"
-                 -H "authorization:Bearer $REGISTRY_TOKEN"
-                 --fail --show-error -X DELETE || true
-          ;fi
-      ;done
+    - LATEST_TAG=$(echo $DISTRO_CONTAINER_IMAGE | cut -f2 -d:)
+    # Go to your Profile, Settings, Access Tokens
+    # Create a personal token with 'api' scope, copy the value.
+    # Go to Settings, CI/CD, Variables
+    # Define a variable of type File named AUTHFILE. Content is that token
+    # value.
+    - python3 .gitlab-ci/gitlab-container-delete $CI_SERVER_URL $CI_PROJECT_PATH
+            --repository $DISTRIB_NAME/$FDO_DISTRIBUTION_VERSION
+            --authfile $AUTHFILE --exclude-tag "$LATEST_TAG"
  dependencies: []
  allow_failure: true
  only:
    - schedules
-  variables:
-    GIT_STRATEGY: none

 ### fedora 30
 fedora:30@container-clean:
--- a/.gitlab-ci/gitlab-ci.tmpl
+++ b/.gitlab-ci/gitlab-ci.tmpl
@ -28,8 +28,6 @@ stages:
 variables:
  # The upstrem repository we will check for images
  FDO_UPSTREAM_REPO: libevdev/libevdev
-  # The image that has buildah installed
-  BUILDAH_IMAGE: $CI_REGISTRY/wayland/ci-templates/buildah:latest
  LIBEVDEV_SKIP_ROOT_TESTS: 1
  GIT_DEPTH: 1
  MESON_BUILDDIR: 'build dir'
@ -205,75 +203,26 @@ fedora:31@qemu-prep:
 # This stage will look for the container images we currently have in
 # the registry and will remove any that are not tagged with the provided
 # $container_image:$tag
-#
 .container-clean:
  stage: container_clean
-  image: $BUILDAH_IMAGE
+  image: golang:alpine
+  before_script:
+    - apk add python3
+    - pip3 install --user python-gitlab
  script:
-    - CONTAINER_IMAGE=$DISTRO_CONTAINER_IMAGE
-    - GITLAB=$(echo $CI_PROJECT_URL | cut -f3 -d/)
-    - REPOSITORY=$(echo $CONTAINER_IMAGE | cut -f2- -d/ | cut -f1 -d:)
-    - IMAGE_PATH=$(echo $CONTAINER_IMAGE | cut -f1 -d:)
-    - LATEST_TAG=$(echo $CONTAINER_IMAGE | cut -f2 -d:)
-
-    # log in to the registry (read only)
-    - podman login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
-
-    # get the r/w token from the settings to access the registry
-    #
-    # each developer needs to register a secret variable that contains
-    # a personal token with api access. The token
-    # - must be named PERSONAL_TOKEN_$USER (for example PERSONAL_TOKEN_bentiss)
-    # - must be registered in the CI/CD Variables section as type file
-    # - value must be a netrc file as a single-line string:
-    #   default login <user> password <token value>
-    #   e.g. "default login bentiss password 1235abcde"
-    - tokenname="PERSONAL_TOKEN_$GITLAB_USER_LOGIN"
-    - netrcfile=$(eval echo "\$$tokenname")
-    - if [[ ! -f "$netrcfile" ]]; then
-         echo "No netrc file found or token is missing, skipping job" && false;
-      fi
-
-    # request a token for the registry API
-    - REGISTRY_TOKEN=$(curl https://$GITLAB/jwt/auth --get
-                             --silent --show-error
-                             -d client_id=docker
-                             -d offline_token=true
-                             -d service=container_registry
-                             -d "scope=repository:$REPOSITORY:pull,*"
-                             --fail
-                             --netrc-file "$netrcfile"
-                             | sed -r 's/(\{"token":"|"\})//g')
-
-    # get the digest of the latest image
-    - LATEST_MANIFEST=$(skopeo inspect docker://$IMAGE_PATH:$LATEST_TAG | jq -r '.Digest')
-
-    # get the list of tags
-    - TAGS=$(skopeo inspect docker://$IMAGE_PATH:$LATEST_TAG | jq -r '.RepoTags[]')
-    # FIXME: is the above command working properly? If not, use below:
-    # - TAGS=$(curl -X GET -H "accept:application/vnd.docker.distribution.manifest.v2+json"
-    #                      -H "authorization:Bearer $REGISTRY_TOKEN"
-    #                      https://$CI_REGISTRY/v2/$REPOSITORY/tags/list | jq -r '.tags[]')
-
-    # iterate over the tags
-    - for tag in $TAGS;
-      do
-        MANIFEST=$(skopeo inspect docker://$IMAGE_PATH:$tag | jq -r '.Digest');
-        if test x"$MANIFEST" != x"$LATEST_MANIFEST";
-          then
-            echo removing $tag as $MANIFEST;
-            curl https://$CI_REGISTRY/v2/$REPOSITORY/manifests/$MANIFEST --silent
-                 -H "accept:application/vnd.docker.distribution.manifest.v2+json"
-                 -H "authorization:Bearer $REGISTRY_TOKEN"
-                 --fail --show-error -X DELETE || true
-          ;fi
-      ;done
+    - LATEST_TAG=$(echo $DISTRO_CONTAINER_IMAGE | cut -f2 -d:)
+    # Go to your Profile, Settings, Access Tokens
+    # Create a personal token with 'api' scope, copy the value.
+    # Go to Settings, CI/CD, Variables
+    # Define a variable of type File named AUTHFILE. Content is that token
+    # value.
+    - python3 .gitlab-ci/gitlab-container-delete $CI_SERVER_URL $CI_PROJECT_PATH
+            --repository $DISTRIB_NAME/$FDO_DISTRIBUTION_VERSION
+            --authfile $AUTHFILE --exclude-tag "$LATEST_TAG"
  dependencies: []
  allow_failure: true
  only:
    - schedules
-  variables:
-    GIT_STRATEGY: none

 {% for distro in distributions %}
 {% for version in distro.versions %}
--- a/.gitlab-ci/gitlab-container-delete
+++ b/.gitlab-ci/gitlab-container-delete
@ -0,0 +1,69 @@
+#!/usr/bin/env python3
+#
+# Usage:
+# $ gitlab-container-delete <instance> <project>
+#     Deletes all containers within that instance project.
+#     Filter with --repository and --exclude.
+# $ echo $MY_GITLAB_TOKEN > auth.file
+# $ gitlab-container-delete https://gitlab.freedesktop.org \
+#                           libevdev/libevdev \
+#                           --exclude 2020-02-28.latest-tag \
+#                           --authfile auth.file
+
+import argparse
+import gitlab
+import logging
+
+from pathlib import Path
+
+logging.basicConfig(level=logging.INFO)
+logger = logging.getLogger(Path(__file__).stem)
+
+
+def delete_images(instance, project_name, repository=None, exclude=None, authfile=None):
+    if authfile is not None:
+        token = open(authfile).read().strip()
+    else:
+        token = None
+
+    gl = gitlab.Gitlab(instance, private_token=token)
+    p = gl.projects.list(search=project_name)[0]
+
+    repos = [r for r in p.repositories.list() if repository is None or repository == r.name]
+    for repo in repos:
+        logger.info('Repository {}'.format(repo.name))
+        for tag in repo.tags.list():
+            if tag.name != exclude:
+                logger.info('Deleting tag {}:{}'.format(repo.name, tag.name))
+                tag.delete()
+
+
+if __name__ == '__main__':
+    description = '''
+    This tool deletes all container images in the registry of the given
+    gitlab project.
+
+    Use with --repository and --exclude-tag to limit to one repository and
+    delete all but the given tag.
+
+    Where authentication is needed, use a --authfile containing the string
+    that is your gitlab private token value with 'api' access. Usually this
+    token looks like 12345678-abcdefgh. This tool will strip any whitespaces
+    from that file and use the rest of the file as token value.
+
+    '''
+    parser = argparse.ArgumentParser(description='Tool to delete all but one image from a gitlab registry')
+    parser.add_argument('instance', type=str, help='registry URL with transport, e.g. http://gitlab.freedesktop.org.')
+    parser.add_argument('project', type=str, help='project name in gitlab terminus, e.g. wayland/ci-templates')
+    parser.add_argument('--repository', type=str,
+                        help='registry repository to work on, e.g. fedora/latest',
+                        default=None)
+    parser.add_argument('--exclude-tag', type=str,
+                        help='tag to exclude, i.e. to not delete',
+                        default=None)
+    parser.add_argument('--authfile', type=str,
+                        help='path to a file containing the gitlab auth token string',
+                        default=None)
+
+    args = parser.parse_args()
+    delete_images(args.instance, args.project, args.repository, args.exclude_tag, args.authfile)