From d7953d98e390cd0b916af959440c70f28657413b Mon Sep 17 00:00:00 2001
From: Walt Della <walt@goteleport.com>
Date: Sun, 19 Dec 2021 21:18:48 -0700
Subject: [PATCH] Tweak conditional publishing for RPMs & DEBs

This patch makes a couple changes:

  1. deb archives are not published to apt if they're not the latest
     release ever
  2. both rpm and deb archives are no longer published to yum / apt if
     they contain any pre-release indicator or build metadata
  3. nothing is published if the commit isn't tagged.

Contributes to https://github.com/gravitational/teleport/issues/8166
---
 .drone.yml | 42 +++++++++++++++++++++++-------------------
 1 file changed, 23 insertions(+), 19 deletions(-)

diff --git a/.drone.yml b/.drone.yml
index 576586c58feba..62d91d4777b74 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -4086,6 +4086,11 @@ clone:
   disable: true
 
 steps:
+  - name: Check if commit is tagged
+    image: alpine
+    commands:
+      - "[ -n ${DRONE_TAG} ] || (echo 'DRONE_TAG is not set. Is the commit tagged?' && exit 1)"
+
   - name: Download artifacts from S3
     image: amazon/aws-cli
     environment:
@@ -4239,25 +4244,14 @@ steps:
   # NOTE: all mandatory steps for a release promotion need to go BEFORE this
   # step, as there is a chance that everything afterwards will be skipped.
   #
-  # this step exits early and skips all remanining steps in the pipeline if the
-  # tag looks like a pre-release, to avoid publishing RPMs for pre-release builds.
-  - name: Determine whether RPM/DEB packages should be published to repos
-    image: docker
+  # this step exits early and skips all remaining steps in the pipeline if the
+  # tag looks like a pre-release, to avoid pushing pre-release RPMs and DEBs to
+  # our yum / apt repos.
+  - name: Check if tag is prerelease
+    image: golang:1.17-alpine
     commands:
-      - |
-        if [ "${DRONE_REPO}" != "gravitational/teleport" ]; then
-          echo "---> Not publishing ${DRONE_REPO} packages to repos"
-          exit 78
-        fi
-        # length will be 0 after filtering if this is a pre-release, >0 otherwise
-        FILTERED_TAG_LENGTH=$(echo ${DRONE_TAG} | egrep -v '(alpha|beta|dev|rc)' | wc -c)
-        if [ $$FILTERED_TAG_LENGTH -eq 0 ]; then
-          echo "---> ${DRONE_TAG} looks like a pre-release, not publishing packages to repos"
-          # exit pipeline early with success status
-          exit 78
-        else
-          echo "---> Publishing packages to repos for ${DRONE_TAG}"
-        fi
+      - cd build.assets/version-check-prerelease
+      - go run . -tag ${DRONE_TAG} || (echo '---> Not publishing ${DRONE_REPO} packages to RPM and DEB repos' && exit 78)
 
   - name: Download RPM repo contents
     image: amazon/aws-cli
@@ -4305,6 +4299,16 @@ steps:
     commands:
     - aws s3 sync /rpmrepo/teleport/ s3://$AWS_S3_BUCKET/teleport/
 
+  # This step skips all remaining steps in the pipeline if the tag
+  # is not the highest semver *ever* released, to avoid publishing DEBs
+  # that would cause apt users to downgrade. For more info see:
+  #   https://github.com/gravitational/teleport/issues/8166
+  - name: Check if tag is latest
+    image: golang:1.17-alpine
+    commands:
+      - cd build.assets/version-check-latest
+      - go run . -tag ${DRONE_TAG} || (echo '---> Not publishing ${DRONE_REPO} packages to DEB repo' && exit 78)
+
   - name: Download DEB repo contents
     image: amazon/aws-cli
     environment:
@@ -4455,6 +4459,6 @@ steps:
 
 ---
 kind: signature
-hmac: e8f56ab8915f54bfd514b826b501f7368e30f841f5e79075def8df955cc455cc
+hmac: 2b41652e9939b070ee228b8c1491d1441bf9d56cef2fcf66dfa9f8a45a0e7b4a
 
 ...