From e5ef2487fb8c7d387a1666c3d3c95138dbf097ae Mon Sep 17 00:00:00 2001
From: Cam Hutchison <camh@goteleport.com>
Date: Wed, 14 Feb 2024 18:59:07 +1100
Subject: [PATCH 1/4] build: Generate centos7 archive when building linux-amd64

When building a linux-amd64 archive, make a copy of it with the
`centos7` tag as the linux-amd64 build works on centos7. We stopped
doing a centos7-specific build a while ago, but we still have the
archive on our releases page.

This helps unify the `release-amd64` and `release-amd64-centos7`
targets, which currently do the same thing except for the GitHub Actions
workflow that creates the centos7 archive only for the latter target.
This will allow us to get rid of that target as that latter target will
no longer be called when Drone is removed.

Also add a `-p` when making RELEASE_DIR as sometimes the parent
directory has not yet been created.
---
 Makefile | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/Makefile b/Makefile
index ea430797c9702..3fb5572132f12 100644
--- a/Makefile
+++ b/Makefile
@@ -421,7 +421,7 @@ clean-ui:
 
 # RELEASE_DIR is where release artifact files are put, such as tarballs, packages, etc.
 $(RELEASE_DIR):
-	mkdir $@
+	mkdir -p $@
 
 .PHONY:
 export
@@ -468,6 +468,11 @@ build-archive: | $(RELEASE_DIR)
 	echo $(GITTAG) > teleport/VERSION
 	tar $(TAR_FLAGS) -c teleport | gzip -n > $(RELEASE).tar.gz
 	cp $(RELEASE).tar.gz $(RELEASE_DIR)
+	# linux-amd64 generates a centos7-compatible archive. Make a copy with the -centos7 label,
+	# for the releases page. We should probably drop that at some point.
+	$(if $(filter linux-amd64,$(OS)-$(ARCH)), \
+		cp $(RELEASE).tar.gz $(RELEASE_DIR)/$(subst amd64,amd64-centos7,$(RELEASE)).tar.gz \
+	)
 	rm -rf teleport
 	@echo "---> Created $(RELEASE).tar.gz."
 

From c14427768de90ddbf370d0914b1f9af5da4b4eae Mon Sep 17 00:00:00 2001
From: Cam Hutchison <camh@goteleport.com>
Date: Wed, 21 Feb 2024 06:17:57 +1100
Subject: [PATCH 2/4] build: Add `tag-publish` recipe to Makefile

Add a `tag-publish` recipe to the Makefile to start a workflow run of
the tag-publish workflow. The tag published is the current version tag
as defined by `$(VERSION)` in the Makefile. The version of the
`tag-publish` workflow used is that one tagged with `v$(VERSION)`.
---
 Makefile | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/Makefile b/Makefile
index 3fb5572132f12..df2563586ceed 100644
--- a/Makefile
+++ b/Makefile
@@ -1159,6 +1159,19 @@ update-tag:
 	(cd e && git tag $(GITTAG) && git push origin $(GITTAG))
 	git push $(TAG_REMOTE) $(GITTAG) && git push $(TAG_REMOTE) api/$(GITTAG)
 
+# Publishes a tag build.
+# Starts a tag publish run using e/.github/workflows/tag-publish.yaml
+# for the tag v$(VERSION).
+.PHONY: tag-publish
+tag-publish:
+	@which gh >/dev/null 2>&1 || { echo 'gh command needed. https://github.com/cli/cli'; exit 1; }
+	gh workflow run tag-publish.yaml \
+		--repo gravitational/teleport.e \
+		--ref "v$(VERSION)" \
+		-f "oss-teleport-repo=$(shell gh repo view --json nameWithOwner --jq .nameWithOwner)" \
+		-f "oss-teleport-ref=v$(VERSION)"
+	@echo See runs at: https://github.com/gravitational/teleport.e/actions/workflows/tag-publish.yaml
+
 .PHONY: test-package
 test-package: remove-temp-files
 	go test -v ./$(p)

From e988a306548bd2900a855982492b952e25f2d75e Mon Sep 17 00:00:00 2001
From: Cam Hutchison <camh@goteleport.com>
Date: Wed, 21 Feb 2024 17:35:04 +1100
Subject: [PATCH 3/4] build: Add `tag-build` recipe to Makefile

Add a `tag-build` recipe to the Makefile to kick off a tag build on
GitHub Actions. Currently we cannot trigger the tag build in GitHub
Actions as the teleport repository is public so we are very careful with
credentials in it, and credentials are needed to run the `tag-build`
workflow in the `teleport.e` repository.

The new process for building a tag is to run `make update-tag` as usual,
but to then follow that with `make tag-build` to start the build.
---
 Makefile | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/Makefile b/Makefile
index df2563586ceed..1978848a2e43f 100644
--- a/Makefile
+++ b/Makefile
@@ -301,8 +301,8 @@ TELEPORT_ARGS ?= start
 teleport-hot-reload:
 	CompileDaemon --graceful-kill=true --exclude-dir=".git" --exclude-dir="node_modules" --build="make $(BUILDDIR)/teleport" --command="$(BUILDDIR)/teleport $(TELEPORT_ARGS)"
 
-# NOTE: Any changes to the `tsh` build here must be copied to `windows.go` in Dronegen until
-# 		we can use this Makefile for native Windows builds.
+# NOTE: Any changes to the `tsh` build here must be copied to `build.assets/windows/build.ps1`
+# until we can use this Makefile for native Windows builds.
 .PHONY: $(BUILDDIR)/tsh
 $(BUILDDIR)/tsh: KUBECTL_VERSION ?= $(shell go run ./build.assets/kubectl-version/main.go)
 $(BUILDDIR)/tsh: KUBECTL_SETVERSION ?= -X k8s.io/component-base/version.gitVersion=$(KUBECTL_VERSION)
@@ -1147,8 +1147,13 @@ $(VERSRC): Makefile
 # 3. Run `make update-version`
 # 4. Commit version changes to git
 # 5. Make sure it all builds (`make release` or equivalent)
+# 6. Run `make update-tag` to tag repos with $(VERSION)
+# 7. Run `make tag-build` to build the tag on GitHub Actions
+# 8. Run `make tag-publish` after `make-build` tag has completed to
+#    publish the built artifacts.
 #
-# After the above is done, run `make update-tag` and follow your build on Drone.
+# GHA tag builds: https://github.com/gravitational/teleport.e/actions/workflows/tag-build.yaml
+# GHA tag publish: https://github.com/gravitational/teleport.e/actions/workflows/tag-publish.yaml
 .PHONY: update-tag
 update-tag: TAG_REMOTE ?= origin
 update-tag:
@@ -1159,6 +1164,19 @@ update-tag:
 	(cd e && git tag $(GITTAG) && git push origin $(GITTAG))
 	git push $(TAG_REMOTE) $(GITTAG) && git push $(TAG_REMOTE) api/$(GITTAG)
 
+# Builds a tag build on GitHub Actions.
+# Starts a tag publish run using e/.github/workflows/tag-build.yaml
+# for the tag v$(VERSION).
+.PHONY: tag-build
+tag-build:
+	@which gh >/dev/null 2>&1 || { echo 'gh command needed. https://github.com/cli/cli'; exit 1; }
+	gh workflow run tag-build.yaml \
+		--repo gravitational/teleport.e \
+		--ref "v$(VERSION)" \
+		-f "oss-teleport-repo=$(shell gh repo view --json nameWithOwner --jq .nameWithOwner)" \
+		-f "oss-teleport-ref=v$(VERSION)"
+	@echo See runs at: https://github.com/gravitational/teleport.e/actions/workflows/tag-build.yaml
+
 # Publishes a tag build.
 # Starts a tag publish run using e/.github/workflows/tag-publish.yaml
 # for the tag v$(VERSION).

From 884f943f55e5b5d9304b301d6169e842877b00ca Mon Sep 17 00:00:00 2001
From: Cam Hutchison <camh@goteleport.com>
Date: Tue, 27 Feb 2024 21:03:02 -0800
Subject: [PATCH 4/4] Update `e` ref

Updates include:
* Make the access list gRPC service use the cache. (gravitational/teleport.e#3544)
* Prevent overflow in sort functions provided to slices.SortFunc (#gravitational/teleport.e3549)
* Remove all quiet/silent flags from role checks. (#gravitational/teleport.e3540)
* [v15] fix: Lower bcrypt cost when testing (#gravitational/teleport.e3553)
* [v15] Add top-level workflow for building a tagged release (#gravitational/teleport.e3547)
---
 e | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/e b/e
index f7e770deb10a3..71bdd537ebc14 160000
--- a/e
+++ b/e
@@ -1 +1 @@
-Subproject commit f7e770deb10a38f5516221743659c2efd19188d1
+Subproject commit 71bdd537ebc149c691d82a1fa18a8cacb87e7d9c