|
| 1 | +#!/usr/bin/env bash |
| 2 | + |
| 3 | +set -o errexit |
| 4 | +set -o pipefail |
| 5 | +set -o nounset |
| 6 | + |
| 7 | +cd "$(git rev-parse --show-toplevel)" |
| 8 | + |
| 9 | +# Pull down a list of all repos in a quay org |
| 10 | +list_quay_repos() { |
| 11 | + local quay_org="$1" |
| 12 | + local next_page="" |
| 13 | + while true; do |
| 14 | + local url="https://quay.io/api/v1/repository?namespace=${quay_org}&public=true&limit=100" |
| 15 | + if [[ -n "${next_page}" ]]; then |
| 16 | + url="${url}&next_page=${next_page}" |
| 17 | + fi |
| 18 | + local response |
| 19 | + response="$(curl -s "${url}")" |
| 20 | + echo "${response}" | jq -r '.repositories[].name' |
| 21 | + next_page="$(echo "${response}" | jq -r '.next_page // empty')" |
| 22 | + if [[ -z "${next_page}" ]]; then |
| 23 | + break |
| 24 | + fi |
| 25 | + done |
| 26 | +} |
| 27 | + |
| 28 | +# List tags for a quay repo, newest first |
| 29 | +list_repo_tags() { |
| 30 | + local quay_org="$1" |
| 31 | + local repo="$2" |
| 32 | + local page=1 |
| 33 | + while true; do |
| 34 | + local response |
| 35 | + response="$(curl -s "https://quay.io/api/v1/repository/${quay_org}/${repo}/tag/?limit=100&page=${page}")" |
| 36 | + echo "${response}" | jq -r '.tags[] | select(.end_ts == null) | select(.name | test("^[0-9]+\\.[0-9]+$")) | .name' |
| 37 | + if [[ "$(echo "${response}" | jq -r '.has_additional')" != "true" ]]; then |
| 38 | + break |
| 39 | + fi |
| 40 | + page=$((page + 1)) |
| 41 | + done |
| 42 | +} |
| 43 | + |
| 44 | +deny_rule() { |
| 45 | + local task_name="$1" |
| 46 | + local repo_ref="$2" |
| 47 | + local version="$3" |
| 48 | + cat <<EOF |
| 49 | + - name: Expire old versions of ${task_name} |
| 50 | + pattern: oci://${repo_ref} |
| 51 | + versions: |
| 52 | + - '<${version}' |
| 53 | +EOF |
| 54 | +} |
| 55 | + |
| 56 | +KNOWN_TASK_CATALOGS=( |
| 57 | + quay.io/konflux-ci/tekton-catalog |
| 58 | + quay.io/konflux-ci/integration-service-catalog |
| 59 | + quay.io/konflux-ci/konflux-test-tasks |
| 60 | + quay.io/konflux-ci/konflux-vanguard |
| 61 | + # Todo: Are there more? |
| 62 | +) |
| 63 | + |
| 64 | +for c in "${KNOWN_TASK_CATALOGS[@]}"; do |
| 65 | + IFS='/' read -r _ quay_org repo_prefix <<< "${c}" |
| 66 | + |
| 67 | + # Assume task repos begin with "task-" |
| 68 | + task_repos=$(list_quay_repos "${quay_org}" | grep "^${repo_prefix}/task-" | sort || true) |
| 69 | + |
| 70 | + # Generate deny rules for versions below the current version |
| 71 | + for task_repo in ${task_repos}; do |
| 72 | + repo_ref="quay.io/${quay_org}/${task_repo}" |
| 73 | + list_repo_tags "${quay_org}" "${task_repo}" | while read -r tag; do |
| 74 | + bundle_ref="${repo_ref}:${tag}" |
| 75 | + version=$(tkn bundle list "${bundle_ref}" -o yaml 2>/dev/null | yq '.metadata.labels["app.kubernetes.io/version"]' || true) |
| 76 | + if [[ -n "${version}" && "${version}" != "null" ]]; then |
| 77 | + deny_rule "${task_repo##*/}" "${repo_ref}" "${version}" |
| 78 | + fi |
| 79 | + done |
| 80 | + done |
| 81 | +done |
| 82 | + |
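Review bot: The `|| true` on the `task_repos=` line (new line 68) is there to absorb grep's no-match status, but it also hides any failure of `list_quay_repos`, and since bash clears errexit inside `$(...)`, a failed or rate-limited `curl -s` appears to just end the listing early, so the script can print an incomplete deny list and still exit 0. For a generator of policy rules that is a fail-open result. I would make the fetch explicit with `response="$(curl --fail --silent --show-error "${url}")" || return 1`, and split the listing from the filter: `all_repos=$(list_quay_repos "${quay_org}")` followed by `task_repos=$(grep "^${repo_prefix}/task-" <<< "${all_repos}" | sort || true)`. The `tkn bundle list … 2>/dev/null | yq … || true` line (new line 75) has the same shape and silently drops a rule when a bundle cannot be read; a warning on stderr there would make the gaps visible.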