From 25f3b1a5543691882efdd3f9e8f1f7fd190b71cd Mon Sep 17 00:00:00 2001
From: Antoine Cotten
Date: Wed, 8 Jan 2025 13:49:46 +0100
Subject: [PATCH] ci: Prevent automated version downgrades
Use a caret semver range to ensure that we don't return a release version that is lower than the current one.
Closes #1043
---
 .github/workflows/update.yml | 41 ++++++++++++++++++++++++------------
 1 file changed, 28 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/update.yml b/.github/workflows/update.yml
index 09752da..7fb85d4 100644
--- a/.github/workflows/update.yml
+++ b/.github/workflows/update.yml
@@ -11,15 +11,24 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
- include:
- - release: 8.x
- branch: main
- - release: 8.x
- branch: tls
- - release: 7.x
- branch: release-7.x
+ branch:
+ - main
+ - tls
+ - release-7.x
 steps:
+ - uses: actions/checkout@v4
+ with:
+ ref: ${{ matrix.branch }}
+ sparse-checkout-cone-mode: false
+ sparse-checkout: /.env
+ - name: Read current stack version
+ id: current-release
+ run: |
+ source .env
+ : ${ELASTIC_VERSION:?unset}
+ echo "version=${ELASTIC_VERSION}" >>"$GITHUB_OUTPUT"
+
 - uses: actions/setup-node@v4
 - run: npm install semver
@@ -42,7 +51,7 @@ jobs:
 const version=semver.clean(release.tag_name)
- if (semver.satisfies(version, '${{ matrix.release }}')) {
+ if (semver.satisfies(version, '^${{ steps.current-release.outputs.version }}')) {
 return version
 }
 }
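Review bot: In the `Read current stack version` step of the first hunk, `source .env` executes the whole file as shell, and `ELASTIC_VERSION` is written to `$GITHUB_OUTPUT` with no check on its shape, although later steps expand that output directly into a script and a `run:` block. The existing `: ${ELASTIC_VERSION:?unset}` line only rejects an unset or empty value, and a value containing a newline would add extra keys to the output file. I would reject anything that is not a plain version before the `echo`, for example `[[ "$ELASTIC_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "unexpected ELASTIC_VERSION" >&2; exit 1; }` (loosen the pattern if pre-release tags are expected). Reading just that key with `grep`/`sed` instead of sourcing the file would avoid executing the rest of `.env`.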
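Review bot: In the second hunk the range `'^${{ steps.current-release.outputs.version }}'` is pasted into the JavaScript source by expression expansion before the script is parsed, so text read from `.env` becomes code rather than data; the third hunk does the same in shell with `cur_ver=${{ steps.current-release.outputs.version }}`. Passing the value through the step environment keeps it data: add `env:` with `CURRENT_VERSION: ${{ steps.current-release.outputs.version }}`, then use `semver.satisfies(version, '^' + process.env.CURRENT_VERSION)` here and `cur_ver="$CURRENT_VERSION"` in the shell step. A one-line comment that `^X.Y.Z` means `>=X.Y.Z` within the same major would also tell readers that a new major version is never picked up automatically. The step header and the enclosing loop are outside this hunk.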
@@ -54,17 +63,23 @@ jobs:
 return { version: latestVersion }
 }
- - uses: actions/checkout@v4
- if: steps.get-latest-release.outputs.result
+ # Subsequent executions of actions/checkout omit to revert this setting to 'false',
+ # even if sparse-checkout is later disabled (see actions/checkout#2034).
+ - name: Disable sparse checkout
+ run: git config core.sparseCheckout false
+ # Removes untracked files created by npm (node_modules/, package.json, ...).
+ # Disables previous sparse checkout.
+ - name: Clean checkout
+ uses: actions/checkout@v4
+ if: steps.get-latest-release.outputs.result && fromJson(steps.get-latest-release.outputs.result).version != steps.current-release.outputs.version
 with:
 ref: ${{ matrix.branch }}
 - name: Update stack version
 id: update-files
- if: steps.get-latest-release.outputs.result
+ if: steps.get-latest-release.outputs.result && fromJson(steps.get-latest-release.outputs.result).version != steps.current-release.outputs.version
 run: |
- source .env
- cur_ver="$ELASTIC_VERSION"
+ cur_ver=${{ steps.current-release.outputs.version }}
 new_ver=${{ fromJson(steps.get-latest-release.outputs.result).version }}
 # Escape period characters so sed interprets them literally
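Review bot: The condition `steps.get-latest-release.outputs.result && fromJson(steps.get-latest-release.outputs.result).version != steps.current-release.outputs.version` is now spelled out in full on both `Clean checkout` and `Update stack version`, so the two copies can drift apart. Doing the comparison once would let both steps keep the short `if: steps.get-latest-release.outputs.result`. The script that returns `{ version: latestVersion }` begins outside this hunk, so this is presumably a matter of returning nothing there when the latest version equals the current one. Any later step gated on the same output is not visible here and would need the same check, and the `run:` block of `Update stack version` continues past the end of the hunk.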