fix: clean up untagged ECR images after overwrite_only_existing mirror

[lolgab]

Summary

• After a successful push with overwrite_only_existing, list all untagged images in the ECR repository via list-images --filter tagStatus=UNTAGGED and delete them with batch-delete-image
• Avoids deleting digests that still have other tags (e.g. latest sharing the same digest as the overwritten tag)
• Also cleans up any previously accumulated untagged images in the repository

Test plan

• CI pack_and_validate passes
• Run mirror job with overwrite_only_existing: true on a repo/tag that already exists and confirm no untagged digests remain
• Verify a digest shared by multiple tags is not deleted when only one tag is overwritten

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes.}

[gemini-code-assist]

Code Review

This pull request updates the ECR mirroring job to delete the previous untagged image digest from ECR after overwriting an existing image tag. A critical issue was identified in the review: if the newly pushed image has the same digest as the old image, the deletion step will mistakenly delete the newly pushed image, leaving the repository empty. A code suggestion was provided to verify that the image digest has actually changed before performing the deletion.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[codacy-production]

Pull Request Overview

While this PR successfully implements the logic to capture and delete old image digests after an overwrite, the current implementation carries a risk of unintended data loss. Deleting an ECR image by digest removes all tags associated with that digest, which may include versioned or stable tags that should be preserved.

Additionally, the PR lacks automated verification (e.g., bats tests) for the YAML job logic, and the script relies on brittle string matching for AWS CLI outputs. Although the code is technically 'up to standards' according to Codacy, addressing the destructive deletion logic is critical before merging.

About this PR

• The PR lacks automated test files (e.g., bats or shell script tests) to verify the logic changes within the YAML job definition. Adding unit tests for these shell blocks would prevent future regressions in mirroring logic.
• The script explicitly checks for 'None' strings from AWS CLI output. This is brittle; if the output format is changed or if the CLI version behaves differently in certain environments, the logic may fail. Consider using JSON output and parsing with a tool like jq for more robust results.

Test suggestions

• Missing: Successful overwrite of existing tag results in deletion of the previous digest.
• Missing: Job fails as expected when overwrite_only_existing is true but the tag is missing.
• Missing: Pushing an identical image (same digest) does not trigger a deletion attempt.
• Missing: Standard mirroring (not an overwrite) functions without attempting to delete digests.

Prompt proposal for missing tests

Consider implementing these tests if applicable:
1. Missing: Successful overwrite of existing tag results in deletion of the previous digest.
2. Missing: Job fails as expected when overwrite_only_existing is true but the tag is missing.
3. Missing: Pushing an identical image (same digest) does not trigger a deletion attempt.
4. Missing: Standard mirroring (not an overwrite) functions without attempting to delete digests.

_{TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback}

[codacy-production]

_{🔴 HIGH RISK}

Deleting the image by digest removes all tags associated with that image, not just the one being overwritten. This can lead to unintended data loss if the same image is referenced by multiple tags (e.g., 'v1.0.1' and 'latest'). To ensure only truly 'untagged' images are removed, verify that no other tags remain for that digest before deletion.

Try updating the deletion logic to check if OLD_IMAGE_DIGEST still has associated tags by querying imageDetails[0].imageTags via aws ecr describe-images. Only execute batch-delete-image if the tag list is empty or returns 'None'.

[codacy-production]

_{⚪ LOW RISK}

Suggestion: Verify that '<< parameters.mirror_name >>' evaluates to an empty string when not provided so that '${MIRROR_NAME:-${SRC_NAME}}' correctly defaults to the source name.

[codacy-production]

_{⚪ LOW RISK}

Suggestion: Quote the variables to prevent potential shell expansion issues.

Suggested change

	OLD_IMAGE_DIGEST=$(aws ecr describe-images --repository-name=${MIRROR_NAME} --image-ids=imageTag=${MIRROR_TAG} --query 'imageDetails[0].imageDigest' --output text 2>/dev/null || true)
	OLD_IMAGE_DIGEST=$(aws ecr describe-images --repository-name="${MIRROR_NAME}" --image-ids=imageTag="${MIRROR_TAG}" --query 'imageDetails[0].imageDigest' --output text 2>/dev/null || true)