feat: INF-3140 keep preview images for the preview PR lifetime (#63)

kpplis · web-flow · commit 06018d5869c4 · 2025-11-21T03:59:47.000+01:00
* feat: preserve preview images for the preview PR lifetime

* fix the release workflow

* fix policy

* use list

* add tagPrefixList

* fix policy

* remove duplicate =

* set preview image expiration to 365 days

* use latest policies
diff --git a/.github/workflows/preview.build-image.yaml b/.github/workflows/preview.build-image.yaml
@@ -52,9 +52,20 @@ jobs:
           role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
       - name: Create ECR repository if it doesn't exist
         run: |
-          aws ecr describe-repositories --repository-names ${{ inputs.APPLICATION_NAME }} || \
-          aws ecr create-repository --repository-name ${{ inputs.APPLICATION_NAME }}
-          LIFECYCLE_POLICY='{"rules":[{"rulePriority":1,"description":"Keep last 500 images","selection":{"tagStatus":"any","countType":"imageCountMoreThan","countNumber":500},"action":{"type":"expire"}}]}'
+          if ! aws ecr describe-repositories --repository-names ${{ inputs.APPLICATION_NAME }} 2>/dev/null; then
+            echo "Repository ${{ inputs.APPLICATION_NAME }} does not exist, creating it..."
+            aws ecr create-repository --repository-name ${{ inputs.APPLICATION_NAME }}
+            echo "Setting lifecycle policy..."
+          else
+            echo "Repository ${{ inputs.APPLICATION_NAME }} already exists, skipping creation"
+          fi
+
+          echo "Applying lifecycle policies"
+          LIFECYCLE_POLICY='{"rules":[
+              {"rulePriority":1,"description":"Preserve preview images","selection":{"tagStatus":"tagged","tagPatternList":["preview-*"],"countType":"sinceImagePushed","countNumber":365},"action":{"type":"expire"}},
+              {"rulePriority":2,"description":"Preserve production images","selection":{"tagStatus":"tagged","tagPatternList":["v*"],"countType":"imageCountMoreThan","countNumber":50},"action":{"type":"expire"}}
+              {"rulePriority":3,"description":"Remove untagged images","selection":{"tagStatus":"untagged","countType":"sinceImagePushed","countNumber":7},"action":{"type":"expire"}}
+            ]}'
           aws ecr put-lifecycle-policy --repository-name ${{ inputs.APPLICATION_NAME }} --lifecycle-policy-text "$LIFECYCLE_POLICY"
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v2
@@ -70,7 +81,7 @@ jobs:
           provenance: false
           push: true
           tags: |
-            ${{ steps.login-ecr.outputs.registry }}/${{ inputs.APPLICATION_NAME }}:preview
+            ${{ steps.login-ecr.outputs.registry }}/${{ inputs.APPLICATION_NAME }}:preview-${{ github.event.pull_request.number }}
             ${{ steps.login-ecr.outputs.registry }}/${{ inputs.APPLICATION_NAME }}:${{ github.event.pull_request.head.sha }}
   comment-pr:
     if: ${{ inputs.GHA_TRIGGER_EVENT != 'synchronize' }}
diff --git a/.github/workflows/preview.remove-tag.yaml b/.github/workflows/preview.remove-tag.yaml
@@ -0,0 +1,40 @@
+name: Remove preview tag from ECR
+
+on:
+  workflow_call:
+    inputs:
+      APPLICATION_NAME:
+        description: The name of the application
+        required: true
+        type: string
+    secrets:
+      AWS_ROLE_TO_ASSUME:
+        required: true
+        description: AWS OIDC role for GitHub to assume
+
+jobs:
+  remove-preview-tag:
+    permissions:
+      id-token: write
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v2
+        with:
+          aws-region: eu-central-1
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+      - name: Remove preview tag from ECR
+        run: |
+          # Check if repository exists
+          if aws ecr describe-repositories --repository-names ${{ inputs.APPLICATION_NAME }} 2>/dev/null; then
+            echo "Repository ${{ inputs.APPLICATION_NAME }} exists, attempting to remove preview-${{ github.event.pull_request.number }} tag..."
+            
+            # Remove the preview tag
+            aws ecr batch-delete-image \
+              --repository-name ${{ inputs.APPLICATION_NAME }} \
+              --image-ids imageTag=preview-${{ github.event.pull_request.number }} || \
+              echo "Tag preview-${{ github.event.pull_request.number }} not found or already removed"
+          else
+            echo "Repository ${{ inputs.APPLICATION_NAME }} does not exist, nothing to remove"
+          fi
