Skip to content

fix: clean up untagged ECR images after overwrite_only_existing mirror #245

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
lolgab merged 5 commits into from
Jun 3, 2026
+29 −21
Merged

fix: clean up untagged ECR images after overwrite_only_existing mirror #245

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
c72a500
Delete previous ECR digest after overwrite_only_existing push
lolgab Jun 3, 2026
3ac8c47
refactor: simplify mirror_to_ecr bash decision logic
lolgab Jun 3, 2026
4205c06
fix: skip ECR digest deletion when mirror content is unchanged
lolgab Jun 3, 2026
7fd0783
fix: delete all untagged ECR images after overwrite
lolgab Jun 3, 2026
eb736fa
fix: quote ECR describe-images variables in mirror_to_ecr
lolgab Jun 3, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 29 additions & 21 deletions src/jobs/mirror_to_ecr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ parameters:
type: boolean
default: false
overwrite_only_existing:
description: If true then overwrite the image only when the target tag already exists in ECR. The job fails if the tag is missing.
description: If true then overwrite the image only when the target tag already exists in ECR. The job fails if the tag is missing. After overwrite, untagged images in the repository are deleted from ECR.
type: boolean
default: false
aws_profile:
Expand All @@ -45,47 +45,55 @@ steps:
cmd_name: Mirroring image to ECR repository
deploy: true
cmd: |
echo "Loging in to Dockerhub..."
echo "Logging in to Dockerhub..."
echo $DOCKER_PASS | docker login -u "$DOCKER_USER" --password-stdin

export ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
export ECR_URL=${ACCOUNT_ID}.dkr.ecr.<< parameters.region >>.amazonaws.com
export ECR_PASSWORD=$(aws ecr get-login-password --region << parameters.region >>)
echo "Loging in to ECR: ${ECR_URL}"
echo "Logging in to ECR: ${ECR_URL}"
echo ${ECR_PASSWORD} | docker login -u AWS --password-stdin ${ECR_URL}

SRC_NAME="<< parameters.source_name >>"
SRC_TAG="<< parameters.source_tag >>"
SRC="${SRC_NAME}:${SRC_TAG}"

MIRROR_NAME="<< parameters.mirror_name >>"
if [[ -z ${MIRROR_NAME} ]] ; then
MIRROR_NAME="${SRC_NAME}"
fi

MIRROR_NAME="${MIRROR_NAME:-${SRC_NAME}}"
Copy link
Copy Markdown

@codacy-production codacy-production Bot Jun 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚪ LOW RISK

Suggestion: Verify that '<< parameters.mirror_name >>' evaluates to an empty string when not provided so that '${MIRROR_NAME:-${SRC_NAME}}' correctly defaults to the source name.

MIRROR_TAG="<< parameters.mirror_tag >>"
if [[ -z ${MIRROR_TAG} ]] ; then
MIRROR_TAG="${SRC_TAG}"
fi
MIRROR_TAG="${MIRROR_TAG:-${SRC_TAG}}"
MIRROR="${MIRROR_NAME}:${MIRROR_TAG}"

echo "Mirroring ${SRC} to ${ECR_URL}/${MIRROR}..."
REPO_DATA=$(aws ecr describe-images --repository-name=${MIRROR_NAME} --image-ids=imageTag=${MIRROR_TAG} ||: )
SHOULD_MIRROR=false
if [[ -z $REPO_DATA ]] ; then
if << parameters.overwrite_only_existing >> ; then
echo "Mirror target ${MIRROR} does not exist in ECR and overwrite_only_existing is enabled."
exit 1
fi
SHOULD_MIRROR=true
elif << parameters.force >> || << parameters.overwrite_only_existing >> ; then
SHOULD_MIRROR=true
OLD_IMAGE_DIGEST=$(aws ecr describe-images --repository-name="${MIRROR_NAME}" --image-ids=imageTag="${MIRROR_TAG}" --query 'imageDetails[0].imageDigest' --output text 2>/dev/null || true)
[[ -z "${OLD_IMAGE_DIGEST}" || "${OLD_IMAGE_DIGEST}" == "None" ]] && OLD_IMAGE_DIGEST=""

if << parameters.overwrite_only_existing >> && [[ -z "${OLD_IMAGE_DIGEST}" ]]; then
echo "Mirror target ${MIRROR} does not exist in ECR and overwrite_only_existing is enabled."
exit 1
fi

if [[ "${SHOULD_MIRROR}" == "true" ]] ; then
if [[ -z "${OLD_IMAGE_DIGEST}" ]] || << parameters.force >> || << parameters.overwrite_only_existing >>; then
docker pull ${SRC}
docker tag ${SRC} ${ECR_URL}/${MIRROR}
docker push ${ECR_URL}/${MIRROR}
if << parameters.overwrite_only_existing >>; then
UNTAGGED_DIGESTS=$(aws ecr list-images \
--repository-name="${MIRROR_NAME}" \
--filter tagStatus=UNTAGGED \
--query 'imageIds[*].imageDigest' \
--output text 2>/dev/null || true)
if [[ -n "${UNTAGGED_DIGESTS}" && "${UNTAGGED_DIGESTS}" != "None" ]]; then
echo "Deleting untagged images from ${MIRROR_NAME}..."
IMAGE_IDS=()
for digest in ${UNTAGGED_DIGESTS}; do
IMAGE_IDS+=("imageDigest=${digest}")
done
aws ecr batch-delete-image --repository-name="${MIRROR_NAME}" --image-ids "${IMAGE_IDS[@]}"
else
echo "No untagged images to delete."
fi
fi
else
echo "${MIRROR} image is already in ECR"
fi