From 8394c2302f2d31ab1c46a35b9d2a522a78291a3f Mon Sep 17 00:00:00 2001
From: Ram Lavi
Date: Mon, 16 Dec 2024 08:48:27 +0200
Subject: [PATCH] Makefile, push: Prevent overwriting existing version tags

The IMAGE_GIT_TAG is generated using `git describe` to create a virtual tag for the image, and used in order to tag every push to the repository for later use. However, when an actual git tag exists (e.g., v0.45.0), git describe returns that tag. This behavior makes it possible to accidentally overwrite push an existing version tag in the registry. Flow Leading to the Issue: 1. A new kmp release is created, pushing a new tag (e.g., v0.45.0). 2. A stable branch is created from that commit, pushing a new stable branch tag (e.g., release-0.45_latest). 2.1 . During this push, IMAGE_GIT_TAG resolves to this Git tag (e.g., v0.45.0) due to git describe. 2.2 Makefile attempts to push the image with this tag (e.g., v0.45.0) to the registry, overwriting the original tag sha256 digest. To address this, introducing a check to ensure such tags are not overwritten, preserving the integrity of published versions.

Signed-off-by: Ram Lavi
---
 Makefile | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index 11bd848db..7efbdc137 100644
--- a/Makefile
+++ b/Makefile
@@ -93,8 +93,17 @@ container: manager
 # Push the docker image
 docker-push:
 	$(OCI_BIN) push ${TLS_SETTING} ${REGISTRY}/${IMG}:${IMAGE_TAG}
-	$(OCI_BIN) tag ${REGISTRY}/${IMG}:${IMAGE_TAG} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}
-	$(OCI_BIN) push ${TLS_SETTING} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}
+	@if skopeo inspect docker://${REGISTRY}/${IMG}:${IMAGE_GIT_TAG} >/dev/null 2>&1; then \
+		echo "Tag '${IMAGE_GIT_TAG}' already exists. Skipping tagging and push."; \
+	else \
+		if skopeo inspect docker://${REGISTRY}/${IMG}:${IMAGE_GIT_TAG} 2>&1 | grep -q "manifest unknown"; then \
+			$(OCI_BIN) tag ${REGISTRY}/${IMG}:${IMAGE_TAG} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}; \
+			$(OCI_BIN) push ${TLS_SETTING} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}; \
+		else \
+			echo "Error checking for tag '${IMAGE_GIT_TAG}'. Aborting to avoid potential overwrite."; \
+			exit 1; \
+		fi; \
+	fi
 
 cluster-up:
 	./cluster/up.sh
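Review bot: The inner `skopeo inspect ... 2>&1 | grep -q "manifest unknown"` branch aborts the push on any inspect failure whose text differs from that exact, case-sensitive string — a registry that words a missing tag differently, a repository that does not exist yet (first push of a new image), a transient network or auth error, or skopeo simply not being installed all land in the "Error checking" path, and because the inspect output is discarded the operator sees only the generic message and cannot tell which of these happened. The check also queries the registry twice, and unlike the two `$(OCI_BIN) push` lines it is not given `${TLS_SETTING}`, so against a registry that needs that setting the inspect is likely to fail for TLS reasons and abort; since the value is presumably written in `$(OCI_BIN)`'s option syntax, skopeo's own equivalent flag would have to be supplied separately. Running inspect once, keeping its exit status and output, echoing that output in the abort message, failing early with a clear message when skopeo is absent, and matching both `manifest unknown` and `MANIFEST_UNKNOWN` spellings (case-insensitively, for the registry implementations that use either) keeps the fail-closed behaviour while making failures diagnosable. Note that this remains an advisory check-then-push guard against accidental overwrite; the authoritative protection for published version tags is tag immutability enforced by the registry itself, which this recipe cannot substitute for.
```make
docker-push:
	$(OCI_BIN) push ${TLS_SETTING} ${REGISTRY}/${IMG}:${IMAGE_TAG}
	@command -v skopeo >/dev/null 2>&1 || { echo "skopeo is required to check whether tag '${IMAGE_GIT_TAG}' already exists."; exit 1; }
	@out=$$(skopeo inspect docker://${REGISTRY}/${IMG}:${IMAGE_GIT_TAG} 2>&1); rc=$$?; \
	if [ $$rc -eq 0 ]; then \
		echo "Tag '${IMAGE_GIT_TAG}' already exists. Skipping tagging and push."; \
	elif echo "$$out" | grep -qiE "manifest unknown|manifest_unknown"; then \
		$(OCI_BIN) tag ${REGISTRY}/${IMG}:${IMAGE_TAG} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}; \
		$(OCI_BIN) push ${TLS_SETTING} ${REGISTRY}/${IMG}:${IMAGE_GIT_TAG}; \
	else \
		echo "Error checking for tag '${IMAGE_GIT_TAG}': $$out"; \
		echo "Aborting to avoid potential overwrite."; \
		exit 1; \
	fi
```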