1616permissions :
1717 id-token: write
1818 contents: read
19+ packages : write # Required for Azure Container Registry operations
1920
2021jobs :
2122 cleanup-images:
6465 echo "acr_name=$acr_name" >> $GITHUB_OUTPUT
6566 fi
6667
68+ - name: Check ACR Permissions
69+ id: check-permissions
70+ run: |
71+ acr_name="${{ steps.get-acr.outputs.acr_name }}"
72+
73+ if [ -z "$acr_name" ]; then
74+ echo "No Azure Container Registry found. Skipping permission check."
75+ exit 0
76+ fi
77+
78+ echo "Checking permissions for ACR: $acr_name"
79+
80+ # Check if current identity has AcrDelete role
81+ permissions=$(az role assignment list --assignee ${{ env.AZURE_CLIENT_ID }} --scope "/subscriptions/${{ env.AZURE_SUBSCRIPTION_ID }}/providers/Microsoft.ContainerRegistry/registries/$acr_name" --query "[?roleDefinitionName=='AcrDelete'].roleDefinitionName" -o tsv)
82+
83+ if [ -z "$permissions" ]; then
84+ echo "❌ Warning: Current identity does not have AcrDelete role on the registry"
85+ echo "has_delete_permission=false" >> $GITHUB_OUTPUT
86+ else
87+ echo "✅ Current identity has AcrDelete role"
88+ echo "has_delete_permission=true" >> $GITHUB_OUTPUT
89+ fi
90+
91+ # Check if current identity has AcrPush role (which includes delete capabilities)
92+ push_permissions=$(az role assignment list --assignee ${{ env.AZURE_CLIENT_ID }} --scope "/subscriptions/${{ env.AZURE_SUBSCRIPTION_ID }}/providers/Microsoft.ContainerRegistry/registries/$acr_name" --query "[?roleDefinitionName=='AcrPush'].roleDefinitionName" -o tsv)
93+
94+ if [ -n "$push_permissions" ]; then
95+ echo "✅ Current identity has AcrPush role (includes delete capabilities)"
96+ echo "has_delete_permission=true" >> $GITHUB_OUTPUT
97+ fi
98+
6799 - name: Cleanup Old Container Images
100+ if: steps.check-permissions.outputs.has_delete_permission == 'true'
68101 run: |
69102 acr_name="${{ steps.get-acr.outputs.acr_name }}"
70103 dry_run="${{ github.event.inputs.dry_run || 'false' }}"
@@ -182,15 +215,30 @@ jobs:
182215 echo "Total images failed to delete: $total_failed"
183216 echo "Container image cleanup completed!"
184217 fi
185-
186- # Exit with error only if all deletions failed
187- if [ "$total_failed" -gt 0 ] && [ "$total_deleted" -eq 0 ]; then
218+ # Always exit successfully if we're in dry run mode
219+ if [ "$dry_run" = "true" ]; then
220+ echo "✅ Cleanup process completed successfully (DRY RUN)!"
221+ exit 0
222+ fi
223+
224+ # If we deleted at least one image, consider it a success
225+ if [ "$total_deleted" -gt 0 ]; then
226+ if [ "$total_failed" -gt 0 ]; then
227+ echo "⚠️ Cleanup completed with partial success"
228+ echo " - Successfully deleted: $total_deleted images"
229+ echo " - Failed to delete: $total_failed images"
230+ else
231+ echo "✅ Cleanup process completed successfully!"
232+ fi
233+ exit 0
234+ fi
235+
236+ # If we didn't delete anything but there were things to delete
237+ if [ "$total_failed" -gt 0 ]; then
188238 echo "❌ All deletion attempts failed. Please check ACR permissions and image locks."
189239 exit 1
190240 fi
191-
192- # Exit successfully if we deleted at least some images
193- if [ "$total_deleted" -gt 0 ] || [ "$dry_run" = "true" ]; then
194- echo "✅ Cleanup process completed successfully!"
195- exit 0
196- fi
241+
242+ # If we get here, there was nothing to delete
243+ echo "✅ Cleanup process completed (no images needed deletion)"
244+ exit 0