(beam) branch master updated: Fix unsafe container cleanup that could delete images from other runs (#36547)

Mon, 20 Oct 2025 07:28:35 -0700 

This is an automated email from the ASF dual-hosted git repository.

damccorm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/beam.git


The following commit(s) were added to refs/heads/master by this push:
     new 07b321e5811 Fix unsafe container cleanup that could delete images from 
other runs (#36547)
07b321e5811 is described below

commit 07b321e5811af593eb37493b181c523c4e02c5a5
Author: Abdelrahman Ibrahim <[email protected]>
AuthorDate: Mon Oct 20 17:28:12 2025 +0300

    Fix unsafe container cleanup that could delete images from other runs 
(#36547)
---
 sdks/python/container/run_validatescontainer.sh | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/sdks/python/container/run_validatescontainer.sh 
b/sdks/python/container/run_validatescontainer.sh
index 95130f7559b..1377b66a6ab 100755
--- a/sdks/python/container/run_validatescontainer.sh
+++ b/sdks/python/container/run_validatescontainer.sh
@@ -99,15 +99,25 @@ fi
 function cleanup_container {
   # Delete the container locally and remotely
   docker rmi $CONTAINER:$TAG || echo "Built container image was not removed. 
Possibly, it was not not saved locally."
-  for image in $(docker images --format '{{.Repository}}:{{.Tag}}' | grep 
$PREBUILD_SDK_CONTAINER_REGISTRY_PATH)
+
+  for image in $(docker images --format '{{.Repository}}:{{.Tag}}' | grep 
$PREBUILD_SDK_CONTAINER_REGISTRY_PATH | grep -E 
"(beam_python_prebuilt_sdk|$TAG)")
   do
     echo "Deleting Docker image: $image"
     docker rmi $image || echo "Failed to remove prebuilt sdk container image"
     image_tag="${image##*:}"
+
     digest=$(gcloud container images list-tags 
$PREBUILD_SDK_CONTAINER_REGISTRY_PATH/beam_python_prebuilt_sdk 
--filter="tags=$image_tag" --format="get(digest)")
-    echo "Deleting from GCloud an image with digest: $digest"
-    gcloud container images delete 
$PREBUILD_SDK_CONTAINER_REGISTRY_PATH/beam_python_prebuilt_sdk@$digest 
--force-delete-tags --quiet || echo "Failed to remove prebuilt sdk container 
image"
+
+    echo "Looking for digest for tag '$image_tag', found: '$digest'"
+
+    if [[ -n "$digest" && "$digest" =~ ^sha256:[a-f0-9]{64}$ ]]; then
+      echo "Deleting from GCloud an image with digest: $digest"
+      gcloud container images delete 
$PREBUILD_SDK_CONTAINER_REGISTRY_PATH/beam_python_prebuilt_sdk@$digest 
--force-delete-tags --quiet || echo "Failed to remove prebuilt sdk container 
image"
+    else
+      echo "Skipping deletion of image with invalid or empty digest: '$digest'"
+    fi
   done
+
   # Note: we don't delete the multi-arch containers here because this command 
only deletes the manifest list with the tag,
   # the associated container images can't be deleted because they are not 
tagged. However, multi-arch containers that are
   # older than 6 weeks old are deleted by 
stale_dataflow_prebuilt_image_cleaner.sh that runs daily.

Reply via email to