Makefile, push: Prevent overwriting existing version tags

The IMAGE_GIT_TAG is generated using `git describe` to create a virtual tag for the image, and used in order to tag every push to the repository for later use. However, when an actual git tag exists (e.g., v0.45.0), git describe returns that tag. This behavior makes it possible to accidentally overwrite push an existing version tag in the registry. Flow Leading to the Issue: 1. A new kmp release is created, pushing a new tag (e.g., v0.45.0). 2. A stable branch is created from that commit, pushing a new stable branch tag (e.g., release-0.45_latest). 2.1 . During this push, IMAGE_GIT_TAG resolves to this Git tag (e.g., v0.45.0) due to git describe. 2.2 Makefile attempts to push the image with this tag (e.g., v0.45.0) to the registry, overwriting the original tag sha256 digest. To address this, introducing a check to ensure such tags are not overwritten, preserving the integrity of published versions. Signed-off-by: Ram Lavi <ralavi@redhat.com>
k8snetworkplumbingwg · Dec 16, 2024 · 0c5cb46 · 0c5cb46
1 parent e47689f
commit 0c5cb46
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -93,8 +93,12 @@ container: manager
 # Push the docker image
 docker-push:
 	$(OCI_BIN) push ${TLS_SETTING} ${REGISTRY}/${IMG}:${IMAGE_TAG}
-	$(OCI_BIN) tag ${REGISTRY}/${IMG}:${IMAGE_TAG} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}
-	$(OCI_BIN) push ${TLS_SETTING} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}
+	@if ! skopeo inspect docker://${REGISTRY}/${IMG}:${IMAGE_GIT_TAG} >/dev/null 2>&1; then \
+	    $(OCI_BIN) tag ${REGISTRY}/${IMG}:${IMAGE_TAG} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}; \
+	    $(OCI_BIN) push ${TLS_SETTING} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}; \
+	else \
+	    echo "Tag '${IMAGE_GIT_TAG}' already exists. Skipping tagging and push."; \
+	fi
 
 cluster-up:
 	./cluster/up.sh