chore: use regctl to delete container tags

quay.io would need an oauth application otherwise, which would have access to the whole organization. This defeats the point of blast radius reduction.

Author: mweibel

.github/workflows/cleanup-e2e-images.yml

@@ -19,7 +19,13 @@ jobs:
         with:
           persist-credentials: false
 
+      - name: Install regctl
+        run: |
+          curl -sL https://github.com/regclient/regclient/releases/download/v0.11.2/regctl-linux-amd64 -o /usr/local/bin/regctl
+          chmod +x /usr/local/bin/regctl
+
       - name: Clean up e2e-* tags from capcs-staging
         env:
-          QUAY_E2E_TOKEN: ${{ secrets.QUAY_E2E_TOKEN }}
+          QUAY_E2E_USERNAME: ${{ secrets.QUAY_E2E_USERNAME }}
+          QUAY_E2E_PASSWORD: ${{ secrets.QUAY_E2E_PASSWORD }}
         run: make clean-e2e-images

.github/workflows/e2e-weekly.yml

@@ -43,15 +43,17 @@ jobs:
             GINKGO_LABEL_FILTER="ha || upgrade || self-hosted || kcp-remediation || conformance" \
             KUBETEST_CONFIGURATION=./data/kubetest/conformance-fast.yaml
 
+      - name: Install regctl
+        if: always()
+        run: |
+          curl -sL https://github.com/regclient/regclient/releases/download/v0.11.2/regctl-linux-amd64 -o /usr/local/bin/regctl
+          chmod +x /usr/local/bin/regctl
+
       - name: Clean up e2e image
         if: always()
-        env:
-          QUAY_E2E_TOKEN: ${{ secrets.QUAY_E2E_TOKEN }}
-          TAG: e2e-weekly-${{ github.sha }}
         run: |
-          curl -s -X DELETE \
-            -H "Authorization: Bearer ${QUAY_E2E_TOKEN}" \
-            "https://quay.io/api/v1/repository/cloudscalech/capcs-staging/tag/${TAG}"
+          TAG="e2e-$(git rev-parse --short HEAD)"
+          regctl tag delete "quay.io/cloudscalech/capcs-staging:${TAG}" || true
 
       - name: Redact secrets from artifacts
         if: always()

.github/workflows/test-e2e.yml

@@ -57,17 +57,21 @@ jobs:
           TEST_TARGET: ${{ github.event.inputs.test_target }}
         run: make $TEST_TARGET
 
+      - name: Install regctl
+        if: >-
+          github.event.inputs.test_target == 'test-e2e-self-hosted' ||
+          github.event.inputs.test_target == 'test-e2e'
+        run: |
+          curl -sL https://github.com/regclient/regclient/releases/download/v0.11.2/regctl-linux-amd64 -o /usr/local/bin/regctl
+          chmod +x /usr/local/bin/regctl
+
       - name: Clean up e2e image
         if: >-
           github.event.inputs.test_target == 'test-e2e-self-hosted' ||
           github.event.inputs.test_target == 'test-e2e'
-        env:
-          QUAY_E2E_TOKEN: ${{ secrets.QUAY_E2E_TOKEN }}
-          TAG: e2e-manual-${{ github.sha }}
         run: |
-          curl -s -X DELETE \
-            -H "Authorization: Bearer ${QUAY_E2E_TOKEN}" \
-            "https://quay.io/api/v1/repository/cloudscalech/capcs-staging/tag/${TAG}"
+          TAG="e2e-$(git rev-parse --short HEAD)"
+          regctl tag delete "quay.io/cloudscalech/capcs-staging:${TAG}" || true
 
       - name: Redact secrets from artifacts
         if: always()

Makefile

@@ -271,7 +271,7 @@ docker-push: ## Push docker image with the manager.
 	$(CONTAINER_TOOL) push ${IMG}
 
 .PHONY: clean-e2e-images
-clean-e2e-images: ## Delete e2e-* tags older than 7 days from capcs-staging (requires QUAY_E2E_TOKEN)
+clean-e2e-images: ## Delete e2e-* tags older than 7 days from capcs-staging (requires regctl + quay.io auth)
 	@./hack/clean-e2e-images.sh
 
 # PLATFORMS defines the target platforms for the manager image be built to provide support to multiple

hack/clean-e2e-images.sh

@@ -1,58 +1,73 @@
 #!/usr/bin/env bash
 # Delete e2e-* image tags older than 7 days from capcs-staging on quay.io.
-# Requires QUAY_E2E_TOKEN environment variable (OAuth token with repo:admin scope).
+# Requires regctl to be installed and authenticated (via docker login or regctl registry login).
+# If QUAY_E2E_USERNAME and QUAY_E2E_PASSWORD are set, the script logs in automatically.
 # Set DRY_RUN=true to list tags without deleting them.
 
 set -euo pipefail
 
-REPO="cloudscalech/capcs-staging"
-API="https://quay.io/api/v1/repository/${REPO}/tag/"
+REPO="quay.io/cloudscalech/capcs-staging"
 MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"
 DRY_RUN="${DRY_RUN:-false}"
 
-if [[ -z "${QUAY_E2E_TOKEN:-}" ]]; then
-  echo "Error: QUAY_E2E_TOKEN environment variable is required" >&2
+if ! command -v regctl &>/dev/null; then
+  echo "Error: regctl is not installed" >&2
   exit 1
 fi
 
+# Login if credentials are provided
+if [[ -n "${QUAY_E2E_USERNAME:-}" && -n "${QUAY_E2E_PASSWORD:-}" ]]; then
+  echo "${QUAY_E2E_PASSWORD}" | regctl registry login quay.io --user "${QUAY_E2E_USERNAME}" --pass-stdin
+fi
+
+# Calculate cutoff timestamp
 cutoff=$(date -u -v-${MAX_AGE_DAYS}d +%s 2>/dev/null || date -u -d "${MAX_AGE_DAYS} days ago" +%s)
 
 if [[ "${DRY_RUN}" == "true" ]]; then
   echo "DRY RUN: will list tags without deleting them"
 fi
 echo "Listing e2e-* tags older than ${MAX_AGE_DAYS} days..."
 
-page=1
+# List all tags and filter for e2e-* prefix
+tags=$(regctl tag ls "${REPO}" | grep '^e2e-' || true)
+
+if [[ -z "${tags}" ]]; then
+  echo "No e2e-* tags found."
+  exit 0
+fi
+
 deleted=0
-while true; do
-  response=$(curl -s -H "Authorization: Bearer ${QUAY_E2E_TOKEN}" \
-    "${API}?filter_tag_name=like:e2e-%25&limit=100&page=${page}")
+while IFS= read -r name; do
+  # Get the image creation timestamp (RFC3339 format)
+  created=$(regctl image config "${REPO}:${name}" --format '{{.Created}}' 2>/dev/null || true)
+
+  if [[ -z "${created}" ]]; then
+    echo "Warning: could not get creation time for tag ${name}, skipping"
+    continue
+  fi
 
-  tags=$(echo "${response}" | jq -r '.tags // [] | .[] | select(.end_ts == null) | "\(.name) \(.start_ts)"')
+  # Convert RFC3339 to epoch (strip fractional seconds and Z suffix for macOS compatibility)
+  stripped=$(echo "${created}" | sed 's/\.[0-9]*Z$//' | sed 's/Z$//')
+  created_ts=$(date -u -jf "%Y-%m-%dT%H:%M:%S" "${stripped}" +%s 2>/dev/null \
+    || date -u -d "${created}" +%s 2>/dev/null \
+    || true)
 
-  if [[ -z "${tags}" ]]; then
-    break
+  if [[ -z "${created_ts}" ]]; then
+    echo "Warning: could not parse creation time '${created}' for tag ${name}, skipping"
+    continue
   fi
 
-  while IFS=' ' read -r name start_ts; do
-    if [[ "${start_ts}" -lt "${cutoff}" ]]; then
-      created=$(date -u -r "${start_ts}" 2>/dev/null || date -u -d "@${start_ts}")
-      if [[ "${DRY_RUN}" == "true" ]]; then
-        echo "Would delete tag: ${name} (created ${created})"
-      else
-        echo "Deleting tag: ${name} (created ${created})"
-        curl -s -X DELETE -H "Authorization: Bearer ${QUAY_E2E_TOKEN}" "${API}${name}" > /dev/null
-      fi
-      deleted=$((deleted + 1))
+  if [[ "${created_ts}" -lt "${cutoff}" ]]; then
+    created_human=$(date -u -r "${created_ts}" 2>/dev/null || date -u -d "@${created_ts}")
+    if [[ "${DRY_RUN}" == "true" ]]; then
+      echo "Would delete tag: ${name} (created ${created_human})"
+    else
+      echo "Deleting tag: ${name} (created ${created_human})"
+      regctl tag delete "${REPO}:${name}"
     fi
-  done <<< "${tags}"
-
-  has_more=$(echo "${response}" | jq -r '.has_additional')
-  if [[ "${has_more}" != "true" ]]; then
-    break
+    deleted=$((deleted + 1))
   fi
-  page=$((page + 1))
-done
+done <<< "${tags}"
 
 if [[ "${DRY_RUN}" == "true" ]]; then
   echo "Would delete ${deleted} e2e tag(s)."