'acr purge --untagged' is removing all tagged images from an ACR repository

3

5

If I have the following tags and manifest in an ACR repository...


Which returns the following when I run the following command...

az acr repository show-manifests --name "[registry-name]" --repository "[repository-name]"
[
  {
    "digest": "sha256:30be2b07e723b0f36fed370c386b027e52dbcd0ad2ad2fcac1d3b7d1b361292f",
    "tags": [
      "982878",
      "master"
    ],
    "timestamp": "2022-09-07T15:49:04.4187041Z"
  }
]

When I run the following purge command....

az acr run --cmd "acr purge --filter '[repository-name]:.*' --untagged --ago 1m" --registry [registry-name] /dev/null

It is deleting the tags and manifest, and because it deletes everything the repository is deleted as well.


Why is it doing this when I'm using the --untagged flag and you can clearly see it's not untagged based on the starting state?

Photogene answered 7/9, 2022 at 15:58 Comment(0)
5

I have tried to reproduce the same in my environment. I have two repositories, hello-world with 1 tag: latest

I checked with below command which you tried:

PURGE_CMD="acr purge --filter 'hello-world:.*' \
--untagged --ago 1m"

az acr run \
  --cmd "$PURGE_CMD" \
  --registry myregistry807 \
  /dev/null

It is deleting even the tagged repository.


This command:

az acr run --cmd "acr purge --filter 'hello-world:.*' --untagged  --ago 1d" --registry myregistry807 /dev/null

It is deleting the tags first, and then it is deleting the untagged manifests and then the registry.

You can check this Purge tags and manifests-run-in-an-on-demand-task - Azure Container Registry | Microsoft Docs:

This purge command deletes all image tags and manifests in the repository (hello-world in my case) in myregistry that were modified more than 1 day ago and all the untagged manifests.

In bash:

az acr repository show-manifests -n myregistry807 --repository targetrepository --query "[?tags[0]==null].digest" -o tsv | xargs -I% az acr repository delete -n myregistry807 -t targetrepository@% --yes

For the preview version:

az acr manifest  list-metadata  -r  myregistry807 -n hello-world --query "[?tags[0]==null].digest" -o tsv | xargs -I% az acr repository delete -n myregistry807 -t hello-world@% --yes


And the repository is not deleted, as it has tags.

Then I checked with [?tags[0]!=null] to delete all tags except null, and it successfully worked for me:


Result: deleted tagged manifest which is the only one present:


Phraseologist answered 8/9, 2022 at 11:40 Comment(0)
1

Specifying .* as the tag filter results in the acr tool untagging all images (and then the --untagged removes all of the freshly untagged images). If you just want to remove untagged images, specify a non-existing tag in the --filter parameter, to keep that from untagging any additional images.

E.g.

acr purge --filter '[repository-name]:fake-tag' --untagged --ago 1m

(The az acr run variant should work as well, I'm not particularly sure why it is used)

Brookes answered 23/8, 2023 at 8:42 Comment(0)
0

Manual

The Azure Container Registry manual states (bold + italic emphasis mine):


acr purge supports several optional parameters. [..]

--untagged - Specifies that all [...] untagged manifests [...] are deleted. This parameter also deletes untagged manifests in addition to tags that are already being deleted.


So, with --filter and --ago, you can select some manifests, and additionally untagged manifests are removed. The --untagged option does not look at --ago.

Suggested solution

Using a realistically unmatchable value for --ago would then only remove untagged manifests.

As always, test the results with --dry-run first. Correlate the result with what you see listed as number of manifests in the ACR User interface or otherwise.

acr purge --untagged --dry-run --filter '[repository-name]:.*' --ago 365000d

Final Notes:

  • I used 365000d, because the year postfix (y in 1000y) is not supported.
  • As of writing the whole purge command is expected to be wrapped in az acr run --cmd "<cmd>" /dev/null, see the original question.
  • I hope and suggest that the purge command will be improved to allow for separate control of untagged manifests without trickery.
  • Note that --filter will be required and applied when --untagged is active, so you can limit the action to a certain repository. Source: Experimentation
Lycanthropy answered 17/7, 2023 at 15:31 Comment(1)
Command improvement issue was discussed quite a while ago at the Azure ACR GitHub: github.com/Azure/acr/issues/73 - Lycanthropy
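
The two-phase behaviour described in the answers above, as an added example that is not part of any answer and is not the acr tool's own code: a small Python model that plans which tags and manifests a purge would remove, so the three invocations discussed ('.*' with 1m, 'fake-tag' with 1m, '.*' with 365000d) can be compared offline. The function names, the all-zero digest, the "current time" and the full-match regex semantics are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed input in the shape of `az acr repository show-manifests` output:
# the tagged manifest from the question plus a made-up untagged one.
SAMPLE = [
    {"digest": "sha256:30be2b07e723b0f36fed370c386b027e52dbcd0ad2ad2fcac1d3b7d1b361292f",
     "tags": ["982878", "master"], "timestamp": "2022-09-07T15:49:04.4187041Z"},
    {"digest": "sha256:" + "0" * 64, "tags": [],
     "timestamp": "2022-09-01T00:00:00.0000000Z"},
]
NOW = datetime(2022, 9, 7, 16, 0, tzinfo=timezone.utc)  # constructed "current time"

def parse_ts(ts):
    # ACR timestamps carry 7 fractional digits; strptime accepts at most 6.
    head, _, frac = ts.rstrip("Z").partition(".")
    stamp = f"{head}.{(frac + '000000')[:6]}"
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)

def plan_purge(manifests, tag_regex, ago, untagged, now):
    """Model of the behaviour described in the answers (an assumption, not
    acr's source): phase 1 removes tags that match tag_regex on manifests
    older than `ago`; phase 2 (--untagged) removes every manifest that is
    left without tags, without looking at `ago`."""
    pattern = re.compile(tag_regex)
    cutoff = now - ago
    deleted_tags, deleted_manifests = [], []
    for m in manifests:
        old_enough = parse_ts(m["timestamp"]) < cutoff
        remaining = []
        for tag in m.get("tags") or []:
            if old_enough and pattern.fullmatch(tag):
                deleted_tags.append(tag)      # phase 1: tag removed
            else:
                remaining.append(tag)
        if untagged and not remaining:
            deleted_manifests.append(m["digest"])  # phase 2: now untagged
    return deleted_tags, deleted_manifests

if __name__ == "__main__":
    cases = [(".*", timedelta(minutes=1)), ("fake-tag", timedelta(minutes=1)),
             (".*", timedelta(days=365000))]
    for regex, ago in cases:
        tags, digests = plan_purge(SAMPLE, regex, ago, True, NOW)
        print(f"filter={regex!r} ago={ago.days}d: tags={tags} "
              f"manifests={[d[:15] for d in digests]}")
```

The model only illustrates the selection logic; the real tool's --dry-run output remains the authoritative preview before any deletion.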
