ci: ensure 'push-image' tasks don't overwrite pre-existing tags

ahal · ahal · commit 1d5be19a5d97 · 2024-02-22T14:00:18.000-05:00
diff --git a/taskcluster/docker/skopeo/push_image.sh b/taskcluster/docker/skopeo/push_image.sh
@@ -1,4 +1,4 @@
-#!/bin/sh
+#!/bin/env bash
 set -e -x
 
 test $NAME
@@ -10,6 +10,12 @@ test $TASK_ID
 test $VCS_HEAD_REPOSITORY
 test $VCS_HEAD_REV
 
+function cleanup() {
+    echo "=== Clean up ==="
+    rm -rf $HOME/.docker
+}
+trap cleanup EXIT
+
 echo "=== Generating dockercfg ==="
 PASSWORD_URL="http://taskcluster/secrets/v1/secret/project/taskgraph/level-3/dockerhub"
 install -m 600 /dev/null $HOME/.dockercfg
@@ -39,30 +45,33 @@ umoci insert --image ${NAME}:final version.json /version.json
 echo "=== Pushing to docker hub ==="
 DOCKER_TAG="${NAME}-v${VERSION}"
 
-# Get all remote tags | jq filter only starting with ${NAME}-v | Sort by version | Get the last one
-LATEST_REMOTE_VERSION=$(skopeo list-tags docker://$DOCKER_REPO | jq ".Tags[] | select(. | test(\"^${NAME}-v\\\\d\"))" -r | sort -V | tail -1)
+# Get all remote tags | jq filter only starting with ${NAME}-v
+REMOTE_TAGS=$(skopeo list-tags docker://$DOCKER_REPO | jq ".Tags[] | select(. | test(\"^${NAME}-v\\\\d\"))" -r)
+
+# If remote tag already exists, bail out.
+if [[ $REMOTE_TAGS =~ (^|[[:space:]])$DOCKER_TAG($|[[:space:]]) ]]; then
+    echo "Docker tag '$DOCKER_REPO:$DOCKER_TAG' already exists, aborting!"
+    exit 1
+fi
 
 skopeo copy oci:${NAME}:final docker://$DOCKER_REPO:$DOCKER_TAG
 skopeo inspect docker://$DOCKER_REPO:$DOCKER_TAG
 
+# Get latest remote tag | Sort by version | Get the last one
+LATEST_REMOTE_VERSION=$(printf "$REMOTE_TAGS" | sort -V | tail -1)
+
 # This bit is intentionally verbose so it's easier to track when we override the latest tag
 if [ "${LATEST_REMOTE_VERSION}" = "" ]; then
     echo "Couldn't find a remote version. Tagging as latest."
     skopeo copy oci:${NAME}:final docker://$DOCKER_REPO:$NAME-latest
-elif [ "${LATEST_REMOTE_VERSION}" = "${DOCKER_TAG}" ]; then
-    echo "Updating latest tag, the latest version on remote matches the provided version."
-    skopeo copy oci:${NAME}:final docker://$DOCKER_REPO:$NAME-latest
 else
     # Printf the latest remote version and the current tag | Sort by version | Get the last one
-    LATEST_VERSION=$(printf "$REMOTE_VERSION\n$DOCKER_TAG" | sort -V | tail -1)
+    LATEST_VERSION=$(printf "$LATEST_REMOTE_VERSION\n$DOCKER_TAG" | sort -V | tail -1)
     # If current tag > latest remote, then we should tag as latest
-    if [ "${LATEST_VERSION}" != "${REMOTE_VERSION}" ]; then
+    if [ "${LATEST_VERSION}" != "${LATEST_REMOTE_VERSION}" ]; then
         echo "Updating latest tag, the current version is higher than the remote."
         skopeo copy oci:${NAME}:final docker://$DOCKER_REPO:$NAME-latest
     else
         echo "Skipped tagging as current tag is not higher than the remote's latest."
     fi
 fi
-
-echo "=== Clean up ==="
-rm -rf $HOME/.docker
diff --git a/taskcluster/kinds/push-image/kind.yml b/taskcluster/kinds/push-image/kind.yml
@@ -18,7 +18,7 @@ task-defaults:
         using: run-task
         checkout: false
         use-caches: false
-        command: "sh /usr/local/bin/push_image.sh"
+        command: "bash /usr/local/bin/push_image.sh"
     fetches:
         image:
             - artifact: image.tar.zst
