From 51e437c2f1dc5504ca1865232850bcfb64635f2b Mon Sep 17 00:00:00 2001
From: Ian Wienand <iwienand@redhat.com>
Date: Mon, 27 Mar 2023 15:40:03 +1100
Subject: [PATCH] promote-image-container: do not delete tags

As noted inline, currently promote-image-container uses skopeo to
delete tags which is not the semantics we want.  This results in the
whole image being removed.

For safety we remove this call; we have two solutions in follow-ons
(deleting tags directly from the registry with a generic tag, and
promoting images from the intermediate registry).

Change-Id: I4b257f593275413da9a50a0cc64e13638e7f94cb
---
 .../tasks/promote-retag-inner.yaml            | 31 +++++++++++++++----
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/roles/promote-container-image/tasks/promote-retag-inner.yaml b/roles/promote-container-image/tasks/promote-retag-inner.yaml
index fb221dae8..96b5f9b19 100644
--- a/roles/promote-container-image/tasks/promote-retag-inner.yaml
+++ b/roles/promote-container-image/tasks/promote-retag-inner.yaml
@@ -10,10 +10,29 @@
   retries: 3
   delay: 30
 
+# NOTE(ianw) 2023-03-27 : It is actually quite difficult to delete a
+# tag in a generic way...
+#
+# The OCI distribution spec does has specified for a while that you
+# should be able to delete a tag with the registry API using DELETE
+# /v2/<name>/manifests/tag [1] but this is basically not implemented
+# on any registry.  So that's out.
+#
+# "skopeo delete" dereferences the tag to a digest and deletes that.
+# This is not what we want, as it deletes *all* tags pointing to it.
+# This is probably not what people want (see many github issues!) but
+# now it's like that, it's difficult to change.  The man page now
+# gives all sorts of caveats [2].
+#
+# So that leaves deleting tags via individual API's specified by each
+# provider.  This is what promote-docker-image currently does (via the
+# hub API at hub.docker.com).  quay.io also allows this via API, but
+# implements getting an API token differently to hub.docker.com.
+# artifactory also allows it via it's API.
+#
+# [1] https://github.com/opencontainers/distribution-spec/blob/v1.0/spec.md#deleting-tags
+# [2] https://github.com/containers/skopeo/blob/main/docs/skopeo-delete.1.md
+
 - name: Delete the current change tag
-  command: >-
-    skopeo delete docker://{{ zj_image.repository }}:{{ promote_tag_prefix }}_{{ zj_image_tag }}
-  register: result
-  until: result.rc == 0
-  retries: 3
-  delay: 30
+  debug:
+    msg: 'We currently do not delete old tags'