Fix tag cleanup to prevent cascade deletion of shared-digest images

dpark01 · claude · dpark01 · commit 948dbe85faaa · 2026-03-24T11:06:50.000-04:00
Replace skopeo delete with crane delete in cleanup-images.yml. skopeo deletes the underlying manifest by digest, which caused all tags sharing the same digest to expire simultaneously. This is what killed 3.0.10-baseimage when the agent-skills-playbooks branch was deleted (PR #1054 merge on 2026-03-21) -- the baseimage manifest digest was shared across branches because baseimage has no per-branch build args. crane delete removes only the tag reference, leaving other tags pointing to the same manifest intact (verified locally on quay.io). Also adds: - Safety guard refusing to delete tags for version-like branch names - Weekly audit workflow to verify version tags still exist on Quay Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
diff --git a/.github/workflows/audit-quay-tags.yml b/.github/workflows/audit-quay-tags.yml
@@ -0,0 +1,66 @@
+name: Audit Quay.io Tags
+
+on:
+  schedule:
+    - cron: '0 8 * * 1'  # Monday 8:00 UTC
+  workflow_dispatch:
+
+permissions: {}
+
+jobs:
+  audit-tags:
+    runs-on: ubuntu-latest
+    permissions: {}
+
+    steps:
+      - name: Install crane
+        uses: imjasonh/setup-crane@v0.4
+
+      - name: Log in to Quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}
+
+      - name: Audit version tags
+        run: |
+          set -euo pipefail
+          REPO="quay.io/broadinstitute/viral-ngs"
+          FLAVORS="baseimage core assemble classify phylo"
+          FAILED=0
+
+          # Check the 5 most recent version tags
+          VERSIONS=$(crane ls "$REPO" | grep -E '^[0-9]+\.[0-9]+\.[0-9]+$' | sort -V | tail -5)
+
+          if [[ -z "$VERSIONS" ]]; then
+            echo "::error::No version tags found on ${REPO}"
+            exit 1
+          fi
+
+          for VERSION in $VERSIONS; do
+            # Check mega tag (no suffix)
+            if ! crane manifest "${REPO}:${VERSION}" > /dev/null 2>&1; then
+              echo "::error::MISSING: ${REPO}:${VERSION}"
+              FAILED=1
+            else
+              echo "OK: ${REPO}:${VERSION}"
+            fi
+
+            # Check each flavor
+            for FLAVOR in $FLAVORS; do
+              TAG="${VERSION}-${FLAVOR}"
+              if ! crane manifest "${REPO}:${TAG}" > /dev/null 2>&1; then
+                echo "::error::MISSING: ${REPO}:${TAG}"
+                FAILED=1
+              else
+                echo "OK: ${REPO}:${TAG}"
+              fi
+            done
+          done
+
+          if [[ $FAILED -ne 0 ]]; then
+            echo "::error::Some version tags are missing from Quay.io!"
+            exit 1
+          fi
+          echo "All version tags verified."
diff --git a/.github/workflows/cleanup-images.yml b/.github/workflows/cleanup-images.yml
@@ -11,28 +11,40 @@ jobs:
     permissions: {}
 
     steps:
-      - name: Delete feature branch images from Quay
+      - name: Safety check - refuse version-like branch names
         run: |
-          # Install skopeo
-          sudo apt-get update && sudo apt-get install -y skopeo
+          BRANCH_TAG="${{ github.event.ref }}"
+          if [[ "$BRANCH_TAG" =~ ^v?[0-9]+\.[0-9]+ ]]; then
+            echo "::error::Refusing to delete tags for version-like branch: $BRANCH_TAG"
+            exit 1
+          fi
+
+      - name: Install crane
+        uses: imjasonh/setup-crane@v0.4
+
+      - name: Log in to Quay.io
+        uses: docker/login-action@v3
+        with:
+          registry: quay.io
+          username: ${{ secrets.QUAY_USERNAME }}
+          password: ${{ secrets.QUAY_TOKEN }}
 
+      - name: Delete feature branch tags from Quay
+        run: |
           BRANCH_TAG="${{ github.event.ref }}"
           QUAY_REPO="quay.io/broadinstitute/viral-ngs"
 
-          # Image tags to delete - must be kept in sync with deploy-to-quay in docker.yml
+          # Image tag suffixes - must be kept in sync with deploy-to-quay in docker.yml
           # See: .github/workflows/docker.yml deploy-to-quay job matrix
-          IMAGES=(
-            "${BRANCH_TAG}-baseimage"
-            "${BRANCH_TAG}-core"
-            "${BRANCH_TAG}-assemble"
-            "${BRANCH_TAG}-classify"
-            "${BRANCH_TAG}-phylo"
-            "${BRANCH_TAG}"  # mega image (no suffix)
-          )
-
-          for TAG in "${IMAGES[@]}"; do
+          SUFFIXES=("-baseimage" "-core" "-assemble" "-classify" "-phylo" "")
+
+          for SUFFIX in "${SUFFIXES[@]}"; do
+            TAG="${BRANCH_TAG}${SUFFIX}"
             echo "Deleting ${QUAY_REPO}:${TAG}..."
-            skopeo delete \
-              --creds "${{ secrets.QUAY_USERNAME }}:${{ secrets.QUAY_TOKEN }}" \
-              "docker://${QUAY_REPO}:${TAG}" || echo "Tag ${TAG} not found or already deleted"
+            # Use crane delete instead of skopeo delete. crane removes only the tag
+            # reference, not the underlying manifest. This prevents cascade deletion
+            # of other tags sharing the same digest (which caused the 3.0.10-baseimage
+            # incident: skopeo deleted the manifest by digest, expiring all tags
+            # pointing to it).
+            crane delete "${QUAY_REPO}:${TAG}" 2>&1 || echo "  Tag ${TAG} not found or already deleted"
           done
