From cc1cd7b7d326397c73f294c13447333b8089098f Mon Sep 17 00:00:00 2001
From: "Juan M. Tirado" <juanmanuel-tirado@users.noreply.github.com>
Date: Mon, 1 Jul 2024 16:52:35 +0200
Subject: [PATCH] [PAN-2071] remove all cache entries from branch (#46)

* feature: remove all cache entries from branch
---
 .github/workflows/clean.yaml                  | 55 ++++++++-----------
 .github/workflows/docker-vulnerabilities.yaml |  4 +-
 2 files changed, 27 insertions(+), 32 deletions(-)

diff --git a/.github/workflows/clean.yaml b/.github/workflows/clean.yaml
index 259a69c..ae88a23 100644
--- a/.github/workflows/clean.yaml
+++ b/.github/workflows/clean.yaml
@@ -1,37 +1,30 @@
-name: Clean
-
-# Collection of functions to clean any generated and no-longer-needed item
+name: Clean caches by a branch
 
 on:
-    pull_request_target: 
-      types:
-        - closed
-    
-
-permissions: 
-    contents: read
-    actions: write
+  pull_request:
+    types:
+      - closed
 
 jobs:
-        
-    clean:
-        name: "Clean"
-        runs-on: ubuntu-latest
-        steps:
-        - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
-          with:
-            disable-sudo: true
-            egress-policy: audit
+  cleanup:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Cleanup
+        run: |
+          gh extension install actions/gh-actions-cache
 
-        - name: Clean Docker cache
-          env: 
-            TARGET: ${{ runner.os }}-buildx-v1.0-service-node-${{ github.ref_name }} 
-          run: |
-            curl -L \
-            -X DELETE \
-            -H "Accept: application/vnd.github+json" \
-            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
-            -H "X-GitHub-Api-Version: 2022-11-28" \
-            "https://api.github.com/repos/pantos-io/servicenode/actions/caches?key=${{ env.TARGET }}"
+          echo "Fetching list of cache key"
+          cacheKeysForPR=$(gh actions-cache list -R $REPO -B $BRANCH -L 100 | cut -f 1 )
 
-      
+          ## Setting this to not fail the workflow while deleting cache keys.
+          set +e
+          echo "Deleting caches..."
+          for cacheKey in $cacheKeysForPR
+          do
+              gh actions-cache delete $cacheKey -R $REPO -B $BRANCH --confirm
+          done
+          echo "Done"
+        env:
+          GH_TOKEN: ${{ secrets.GH_TOKEN }}
+          REPO: ${{ github.repository }}
+          BRANCH: refs/pull/${{ github.event.pull_request.number }}/merge
diff --git a/.github/workflows/docker-vulnerabilities.yaml b/.github/workflows/docker-vulnerabilities.yaml
index f57bea7..5e9062e 100644
--- a/.github/workflows/docker-vulnerabilities.yaml
+++ b/.github/workflows/docker-vulnerabilities.yaml
@@ -10,6 +10,8 @@ jobs:
         runs-on: ubuntu-latest
         permissions: 
           contents: read
+          # for sarif
+          security-events: write
         steps:
             - name: Harden Runner
               uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
@@ -46,7 +48,7 @@ jobs:
               uses: actions/cache@v3
               with:
                 path: /tmp/.buildx-cache
-                key: ${{ runner.os }}-buildx-v1.0-service-node-${{ github.sha }}
+                key: ${{ runner.os }}-buildx-v1.0-service-node-${{ github.ref_name }}
                 restore-keys: |
                     ${{ runner.os }}-buildx-v1.0-service-node-