diff --git a/roles/build-container-image/common.rst b/roles/build-container-image/common.rst
index 737887001..4ae76cd3e 100644
--- a/roles/build-container-image/common.rst
+++ b/roles/build-container-image/common.rst
@@ -100,7 +100,10 @@ Once this role completes, the temporary upload tags are no longer
required. The role removes the change-id tags from the repository in
the registry, and removes any similar change-ids tags. This keeps the
repository tidy in the case that gated changes fail to merge after
-uploading their staged images.
+uploading their staged images. Remvoing these tags is a registry
+specific operation. You should double check the ``api_token``
+requirements for your registry described below. For more details see
+:zuul:role:`remove-registry-tag`.
In ``intermediate-registry`` mode, this role queries Zuul to find the
build performed by the build role in the ``gate``. It then copies
@@ -179,6 +182,22 @@ using the roles described here.
repository: "^myorgname/{{ zuul.project.short_name }}.*"
+ .. zuul:rolevar:: api_token
+
+ Optional; When using the promote roles, the registry API is
+ used to remove temporary tags. if your registry requires a
+ token to talk to the registry API, add it here. This is
+ registry dependent; some allow API access via the
+ username/password, but others require issuing a separate
+ token. For more details see
+ :zuul:role:`remove-registry-tag`. Some examples:
+
+ * **docker** : API is access via username/password, does not
+ require token.
+ * **quay.io** : A token must be generated from an
+ "application" that a user has allowed to operate on its
+ behalf. See ``__.
+
.. zuul:rolevar:: container_images
:type: list
diff --git a/roles/promote-container-image/tasks/promote-from-tag.yaml b/roles/promote-container-image/tasks/promote-from-tag.yaml
index 2a14f2e15..fb4a96d6c 100644
--- a/roles/promote-container-image/tasks/promote-from-tag.yaml
+++ b/roles/promote-container-image/tasks/promote-from-tag.yaml
@@ -23,10 +23,3 @@
loop_control:
loop_var: zj_image
include_tasks: promote-retag.yaml
-
-# The docker roles prune obsolete tags here, but that relies on a
-# timestamp to make sure we're not deleting in-progress tags (that the
-# gate pipeline may be uploading at the same time we're promoting).
-# That timestamp is not available with skopeo list-tags, so some other
-# mechanism will need to be devised to clean them up. In the
-# meantime, we hope that the cleanup in promote-retag succeeds.
diff --git a/roles/promote-container-image/tasks/promote-retag-inner.yaml b/roles/promote-container-image/tasks/promote-retag-inner.yaml
index 96b5f9b19..5a4dfee8c 100644
--- a/roles/promote-container-image/tasks/promote-retag-inner.yaml
+++ b/roles/promote-container-image/tasks/promote-retag-inner.yaml
@@ -10,29 +10,10 @@
retries: 3
delay: 30
-# NOTE(ianw) 2023-03-27 : It is actually quite difficult to delete a
-# tag in a generic way...
-#
-# The OCI distribution spec does has specified for a while that you
-# should be able to delete a tag with the registry API using DELETE
-# /v2//manifests/tag [1] but this is basically not implemented
-# on any registry. So that's out.
-#
-# "skopeo delete" dereferences the tag to a digest and deletes that.
-# This is not what we want, as it deletes *all* tags pointing to it.
-# This is probably not what people want (see many github issues!) but
-# now it's like that, it's difficult to change. The man page now
-# gives all sorts of caveats [2].
-#
-# So that leaves deleting tags via individual API's specified by each
-# provider. This is what promote-docker-image currently does (via the
-# hub API at hub.docker.com). quay.io also allows this via API, but
-# implements getting an API token differently to hub.docker.com.
-# artifactory also allows it via it's API.
-#
-# [1] https://github.com/opencontainers/distribution-spec/blob/v1.0/spec.md#deleting-tags
-# [2] https://github.com/containers/skopeo/blob/main/docs/skopeo-delete.1.md
-
-- name: Delete the current change tag
- debug:
- msg: 'We currently do not delete old tags'
+- name: Delete the temporary change tag we just renamed
+ include_role:
+ name: remove-registry-tag
+ vars:
+ remove_registry_tag_repository: '{{ zj_image.repository }}'
+ remove_registry_tag_tag: '{{ promote_tag_prefix }}_{{ zj_image_tag }}'
+ no_log: true
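Review bot: `no_log: true` on the new "Delete the temporary change tag we just renamed" task may not protect the registry `api_token` in the way it appears to. Indentation is lost on this page, so I am assuming it sits at task level; whether a keyword on a dynamic `include_role` reaches the role's own tasks should be confirmed rather than relied on. If it does not, any remove-registry-tag task that handles the token can still write it to the job log; if it does, every result from the role is hidden and a failed delete becomes hard to diagnose. Setting `no_log: true` only on the token-carrying tasks inside remove-registry-tag avoids both problems, or pass it down explicitly with `apply: { no_log: true }` under `include_role:`. The "Cleanup leaked images" task added in promote-retag.yaml has the same shape.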
diff --git a/roles/promote-container-image/tasks/promote-retag.yaml b/roles/promote-container-image/tasks/promote-retag.yaml
index 270a71658..dbe453872 100644
--- a/roles/promote-container-image/tasks/promote-retag.yaml
+++ b/roles/promote-container-image/tasks/promote-retag.yaml
@@ -17,3 +17,12 @@
always:
- name: Log out of registry
command: "skopeo logout {{ zj_image.registry }}"
+
+# If a gate job failed, we might have uploaded and leaked tags. This
+# cleans up anything around for more than 24 hours
+- name: Cleanup leaked images
+ include_role:
+ name: remove-registry-tag
+ vars:
+ remove_registry_tag_repository: '{{ zj_image.repository }}'
+ no_log: true
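Review bot: The "Cleanup leaked images" call passes only `remove_registry_tag_repository`, so the tag selection and the 24-hour threshold named in the comment are decided entirely by remove-registry-tag defaults that this hunk does not show. Because this is a bulk delete made with the registry API token, I would pass the role's tag-pattern and age settings explicitly at the call site, so the match stays limited to `promote_tag_prefix` change tags even if the defaults change. At minimum, extend the comment to say where the values come from, e.g. `# Tag pattern and 24h age limit come from remove-registry-tag defaults`. The task also sits after the block's `always:` logout, and that block starts outside the hunk, so it looks as if cleanup is skipped whenever the retag block fails; worth confirming that is intended.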