From c27131d1a2522eae52684d48a10ebb7f146129e0 Mon Sep 17 00:00:00 2001 From: Cam Hutchison Date: Wed, 2 Aug 2023 13:48:41 +1000 Subject: [PATCH 1/7] dronegen: enumerate linux tag build pipelines Unroll the loops over architectures, fips and package type and just list all the pipelines explicitly. This makes it a bit easier to understand the combinations and to replace them with GitHub actions workflows. Running `make dronegen` results in no changes to `.drone.yml`. --- dronegen/tag.go | 37 ++++++++++++++++++------------------- 1 file changed, 18 insertions(+), 19 deletions(-) diff --git a/dronegen/tag.go b/dronegen/tag.go index dd40d6e67fa33..ca644d5fd7e16 100644 --- a/dronegen/tag.go +++ b/dronegen/tag.go 
@@ -139,25 +139,24 @@ done && ls -l`)
 // tagPipelines builds all applicable tag pipeline combinations
 func tagPipelines() []pipeline {
 var ps []pipeline
- // regular tarball builds
- for _, arch := range []string{"amd64", "386", "arm"} {
- for _, fips := range []bool{false, true} {
- if arch != "amd64" && fips {
- // FIPS mode only supported on linux/amd64
- continue
- }
- ps = append(ps, tagPipeline(buildType{os: "linux", arch: arch, fips: fips}))
-
- // RPM/DEB package builds
- for _, packageType := range []string{rpmPackage, debPackage} {
- bt := buildType{os: "linux", arch: arch, fips: fips}
- if packageType == "rpm" && arch == "amd64" {
- bt.centos7 = true
- }
- ps = append(ps, tagPackagePipeline(packageType, bt))
- }
- }
- }
+
+ // amd64 builds
+ ps = append(ps, tagPipeline(buildType{os: "linux", arch: "amd64", fips: false}))
+ ps = append(ps, tagPackagePipeline(rpmPackage, buildType{os: "linux", arch: "amd64", fips: false, centos7: true}))
+ ps = append(ps, tagPackagePipeline(debPackage, buildType{os: "linux", arch: "amd64", fips: false}))
+ ps = append(ps, tagPipeline(buildType{os: "linux", arch: "amd64", fips: true}))
+ ps = append(ps, tagPackagePipeline(rpmPackage, buildType{os: "linux", arch: "amd64", fips: true, centos7: true}))
+ ps = append(ps, tagPackagePipeline(debPackage, buildType{os: "linux", arch: "amd64", fips: true}))
+
+ // 386 builds
+ ps = append(ps, tagPipeline(buildType{os: "linux", arch: "386", fips: false}))
+ ps = append(ps, tagPackagePipeline(rpmPackage, buildType{os: "linux", arch: "386", fips: false}))
+ ps = append(ps, tagPackagePipeline(debPackage, buildType{os: "linux", arch: "386", fips: false}))
+
+ // arm builds
+ ps = append(ps, tagPipeline(buildType{os: "linux", arch: "arm", fips: false}))
+ ps = append(ps, tagPackagePipeline(rpmPackage, buildType{os: "linux", arch: "arm", fips: false}))
+ ps = append(ps, tagPackagePipeline(debPackage, buildType{os: "linux", arch: "arm", fips: false}))
 
 ps = append(ps, ghaBuildPipeline(ghaBuildType{
 buildType: buildType{os: "linux", arch: "arm64", fips: false},
From ebe667092699da041773d124f12ab0af8d001c2c Mon Sep 17 00:00:00 2001 From: Cam Hutchison Date: Wed, 2 Aug 2023 15:10:29 +1000 Subject: [PATCH 2/7] dronegen: Convert some linux tag pipelines to GitHub Actions Convert some of the linux-based tag build pipelines to run on GitHub Actions. The following pipelines have been converted: build-linux-amd64 build-linux-amd64-centos7 build-linux-amd64-centos7-fips build-linux-386 build-linux-arm build-linux-amd64-deb build-linux-amd64-deb-fips build-linux-amd64-centos7-rpm build-linux-amd64-centos7-fips-rpm build-linux-386-deb build-linux-386-rpm build-linux-arm-deb build-linux-arm-rpm The GHA workflows builds tarballs as well as deb/rpm packages in the one workflow, so the `-deb` and `-rpm` pipelines will need to be manually removed from `.drone.yml`. The amd64 centos7 and non-centos7 pipelines have been combined as they were calling the same `make` target duplicating work. The amd64 build is always done on centos7. As a result, we do not name the pipeline with -centos7 any more, but we do still specify it as the build.assets `Makefile` still has a centos7 target which is called, and we do still release an asset named with "centos7". Still remaining of the linux-based tag build pipelines are the arm64 pipelines which are already converted using a different workflow and the non-native windows build.
--- dronegen/common.go | 1 + dronegen/tag.go | 78 ++++++++++++++++++++++++++++++---------------- 2 files changed, 52 insertions(+), 27 deletions(-)
diff --git a/dronegen/common.go b/dronegen/common.go
index acbaf2573cce2..56b2a430070c7 100644
--- a/dronegen/common.go
+++ b/dronegen/common.go
@@ -153,6 +153,7 @@ type buildType struct {
 fips bool
 centos7 bool
 buildConnect bool
+ buildOSPkg bool
 }
 
 // Description provides a human-facing description of the artifact, e.g.:
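Review bot: The unrolled list drops the one piece of documentation the loop carried, `// FIPS mode only supported on linux/amd64`, so the absence of `fips: true` entries under `// 386 builds` and `// arm builds` now reads as an omission rather than a rule. Keep the rule in the comments, e.g. `// 386 builds (no FIPS variant: FIPS is linux/amd64 only)` and likewise for arm, so the next person adding an arch does not copy the amd64 block wholesale. The same goes for `centos7: true` on the amd64 rpm lines, which the loop derived from `packageType == "rpm" && arch == "amd64"`; a short comment on why rpm alone is centos7 would preserve that intent. tagPipelines continues past the end of the hunk.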
diff --git a/dronegen/tag.go b/dronegen/tag.go index ca644d5fd7e16..b26c6d7bba5d2 100644 --- a/dronegen/tag.go +++ b/dronegen/tag.go @@ -16,6 +16,7 @@ package main import ( "fmt" + "strconv" "strings" "time" ) 
@@ -140,23 +141,10 @@ done && ls -l`)
 func tagPipelines() []pipeline {
 var ps []pipeline
 
- // amd64 builds
- ps = append(ps, tagPipeline(buildType{os: "linux", arch: "amd64", fips: false}))
- ps = append(ps, tagPackagePipeline(rpmPackage, buildType{os: "linux", arch: "amd64", fips: false, centos7: true}))
- ps = append(ps, tagPackagePipeline(debPackage, buildType{os: "linux", arch: "amd64", fips: false}))
- ps = append(ps, tagPipeline(buildType{os: "linux", arch: "amd64", fips: true}))
- ps = append(ps, tagPackagePipeline(rpmPackage, buildType{os: "linux", arch: "amd64", fips: true, centos7: true}))
- ps = append(ps, tagPackagePipeline(debPackage, buildType{os: "linux", arch: "amd64", fips: true}))
-
- // 386 builds
- ps = append(ps, tagPipeline(buildType{os: "linux", arch: "386", fips: false}))
- ps = append(ps, tagPackagePipeline(rpmPackage, buildType{os: "linux", arch: "386", fips: false}))
- ps = append(ps, tagPackagePipeline(debPackage, buildType{os: "linux", arch: "386", fips: false}))
-
- // arm builds
- ps = append(ps, tagPipeline(buildType{os: "linux", arch: "arm", fips: false}))
- ps = append(ps, tagPackagePipeline(rpmPackage, buildType{os: "linux", arch: "arm", fips: false}))
- ps = append(ps, tagPackagePipeline(debPackage, buildType{os: "linux", arch: "arm", fips: false}))
+ ps = append(ps, ghaLinuxTagPipeline(buildType{os: "linux", arch: "amd64", fips: false, centos7: true, buildConnect: true, buildOSPkg: true}))
+ ps = append(ps, ghaLinuxTagPipeline(buildType{os: "linux", arch: "amd64", fips: true, centos7: true, buildConnect: false, buildOSPkg: true}))
+ ps = append(ps, ghaLinuxTagPipeline(buildType{os: "linux", arch: "386", buildOSPkg: true}))
+ ps = append(ps, ghaLinuxTagPipeline(buildType{os: "linux", arch: "arm", buildOSPkg: true}))
 
 ps = append(ps, ghaBuildPipeline(ghaBuildType{
 buildType: buildType{os: "linux", arch: "arm64", fips: false},
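Review bot: The four ghaLinuxTagPipeline entries are inconsistent about zero-valued fields: the amd64 FIPS entry spells out `fips: true, centos7: true, buildConnect: false, buildOSPkg: true`, while the 386 and arm entries omit `fips` and `buildConnect` entirely. Either form is fine, but mixing them makes a reader wonder whether the explicit `buildConnect: false` carries meaning; I would drop it (or spell all four out) so the lines differ only where the builds differ. The commit message explains that amd64 is always built on centos7 yet the pipeline is no longer named `-centos7`; that belongs in a comment on the amd64 lines, e.g. `// amd64 is always built on centos7 (build.assets target); the pipeline name deliberately omits -centos7.` tagPipelines continues beyond this hunk.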
@@ -181,10 +169,10 @@ func tagPipelines() []pipeline { pipelineName: "build-teleport-oci-distroless-images", dependsOn: []string{ tagCleanupPipelineName, - "build-linux-amd64-deb", - "build-linux-amd64-fips-deb", + "build-linux-amd64", + "build-linux-amd64-fips", "build-linux-arm64-deb", - "build-linux-arm-deb", + "build-linux-arm", }, workflows: []ghaWorkflow{ { @@ -203,8 +191,8 @@ func tagPipelines() []pipeline { pipelineName: "build-teleport-hardened-amis", dependsOn: []string{ tagCleanupPipelineName, - "build-linux-amd64-deb", - "build-linux-amd64-fips-deb", + "build-linux-amd64", + "build-linux-amd64-fips", }, workflows: []ghaWorkflow{ { @@ -232,11 +220,6 @@ func tagPipelines() []pipeline { }, })) - // Also add CentOS artifacts - // CentOS 6 FIPS builds have been removed in Teleport 7.0. See https://github.com/gravitational/teleport/issues/7207 - ps = append(ps, tagPipeline(buildType{os: "linux", arch: "amd64", centos7: true})) - ps = append(ps, tagPipeline(buildType{os: "linux", arch: "amd64", centos7: true, fips: true})) - ps = append(ps, darwinTagPipelineGHA()) ps = append(ps, windowsTagPipelineGHA()) 
@@ -244,6 +227,47 @@ func tagPipelines() []pipeline {
 return ps
 }
 
+// ghaLinuxTagPipeline generates a tag pipeline for a given combination of
+// os/arch/FIPS that calls a GitHub Actions workflow to perform the build on a
+// Linux box. This dispatches to the release-linux.yaml workflow in the
+// teleport.e repo, which is a little more generic than the
+// release-linux-arm64.yml workflow used for the arm64 build. The two will be
+// unified shortly.
+func ghaLinuxTagPipeline(b buildType) pipeline {
+ if b.os == "" {
+ panic("b.os must be set")
+ }
+ if b.arch == "" {
+ panic("b.arch must be set")
+ }
+
+ pipelineName := fmt.Sprintf("build-%s-%s", b.os, b.arch)
+ if b.fips {
+ pipelineName += "-fips"
+ }
+ wf := ghaWorkflow{
+ name: "release-linux.yaml",
+ timeout: 150 * time.Minute,
+ slackOnError: true,
+ srcRefVar: "DRONE_TAG",
+ ref: "${DRONE_TAG}",
+ shouldTagWorkflow: true,
+ inputs: map[string]string{
+ "release-artifacts": "true",
+ "release-target": releaseMakefileTarget(b),
+ "build-connect": strconv.FormatBool(b.buildConnect),
+ "build-os-packages": strconv.FormatBool(b.buildOSPkg),
+ },
+ }
+ bt := ghaBuildType{
+ buildType: buildType{os: b.os, arch: b.arch},
+ trigger: triggerTag,
+ pipelineName: pipelineName,
+ workflows: []ghaWorkflow{wf},
+ }
+ return ghaBuildPipeline(bt)
+}
+
 // tagPipeline generates a tag pipeline for a given combination of os/arch/FIPS
 func tagPipeline(b buildType) pipeline {
 if b.os == "" {
From 60e800192f01f5d2fdd9471bef1456457428fdc4 Mon Sep 17 00:00:00 2001
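Review bot: ghaLinuxTagPipeline never sets `dependsOn` on the ghaBuildType it builds, whereas the tagPipeline it replaces sets `p.DependsOn = []string{tagCleanupPipelineName}` (visible in its removal in patch 6) and the arm64 ghaBuildPipeline removed in patch 3 carried `dependsOn: []string{tagCleanupPipelineName}`. Unless dropping that ordering is intentional, the converted build-linux-* pipelines can now run concurrently with `clean-up-previous-build`, whose `auto_destroy` of a prior partial release could race with assets the new build registers. Adding `dependsOn: []string{tagCleanupPipelineName},` to `bt` restores the previous behaviour, and the arm64 conversion in patch 3 inherits the fix. Separately, `buildType: buildType{os: b.os, arch: b.arch}` discards `fips` and `centos7` before calling ghaBuildPipeline, which is only safe if ghaBuildPipeline reads nothing but os/arch from it; worth confirming since the pipeline name already encodes FIPS. The doc comment's `The two will be unified shortly.` is a time-relative promise that will age badly; a TODO naming the tracking issue would be better.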
From: Cam Hutchison Date: Thu, 30 Nov 2023 14:21:46 +1100 Subject: [PATCH 3/7] dronegen: Convert linux-arm64 pipeline to common pipeline Convert the build-linux-arm64 and push-build-linux-arm64 pipelines to use the common `release-linux` workflow instead of the arm64-specific `release-linux-arm64` workflow. This aligns it with the other linux build pipelines and allows us to get rid of the specific workflow. The pipelines for building the arm64 rpm and deb packages have not been generated by dronegen for some time now - since the arm64 build was converted to GitHub Actions. The OS packages were still built as dronegen does not remove pipelines, so the existing pipelines from before the GHA migration remained in `.drone.yml` and continued to run. These os packaging pipelines will be manually removed in a subsequent commit. --- dronegen/push.go | 19 +------------------ dronegen/tag.go | 20 ++------------------ 2 files changed, 3 insertions(+), 36 deletions(-) diff --git a/dronegen/push.go b/dronegen/push.go index d15658446c270..c40d38eda44b8 100644 --- a/dronegen/push.go +++ b/dronegen/push.go 
@@ -44,25 +44,8 @@ func pushPipelines() []pipeline { ps = append(ps, ghaLinuxPushPipeline(buildType{os: "linux", arch: "amd64", fips: false, buildConnect: true})) ps = append(ps, ghaLinuxPushPipeline(buildType{os: "linux", arch: "amd64", fips: true})) ps = append(ps, ghaLinuxPushPipeline(buildType{os: "linux", arch: "386", fips: false})) + ps = append(ps, ghaLinuxPushPipeline(buildType{os: "linux", arch: "arm64", fips: false})) ps = append(ps, ghaLinuxPushPipeline(buildType{os: "linux", arch: "arm", fips: false})) - - ps = append(ps, ghaBuildPipeline(ghaBuildType{ - buildType: buildType{os: "linux", arch: "arm64"}, - trigger: triggerPush, - pipelineName: "push-build-linux-arm64", - workflows: []ghaWorkflow{ - { - name: "release-linux-arm64.yml", - timeout: 150 * time.Minute, - slackOnError: true, - srcRefVar: "DRONE_COMMIT", - ref: "${DRONE_BRANCH}", - shouldTagWorkflow: true, - inputs: map[string]string{"upload-artifacts": "false"}, - }, - }, - })) - ps = append(ps, ghaWindowsPushPipeline()) return ps diff --git a/dronegen/tag.go b/dronegen/tag.go index b26c6d7bba5d2..1d5616675de24 100644 --- a/dronegen/tag.go +++ b/dronegen/tag.go 
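Review bot: The removed arm64 push pipeline passed `inputs: map[string]string{"upload-artifacts": "false"}` to release-linux-arm64.yml, and nothing in this hunk shows what ghaLinuxPushPipeline (defined outside the diff) passes to the common release-linux.yaml workflow. Since the tag-side counterpart sets `"release-artifacts": "true"` explicitly, please confirm the push-side helper sets `"release-artifacts": "false"` (or that the workflow defaults to not releasing), otherwise a branch push could publish arm64 artifacts. If this block was the only use of `time.Minute` in push.go, the `time` import is now unused and the file will not compile; the diff does not touch the import block, so a `go build ./dronegen` check is worthwhile. pushPipelines starts before this hunk.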
@@ -144,25 +144,9 @@ func tagPipelines() []pipeline { ps = append(ps, ghaLinuxTagPipeline(buildType{os: "linux", arch: "amd64", fips: false, centos7: true, buildConnect: true, buildOSPkg: true})) ps = append(ps, ghaLinuxTagPipeline(buildType{os: "linux", arch: "amd64", fips: true, centos7: true, buildConnect: false, buildOSPkg: true})) ps = append(ps, ghaLinuxTagPipeline(buildType{os: "linux", arch: "386", buildOSPkg: true})) + ps = append(ps, ghaLinuxTagPipeline(buildType{os: "linux", arch: "arm64", buildOSPkg: true})) ps = append(ps, ghaLinuxTagPipeline(buildType{os: "linux", arch: "arm", buildOSPkg: true})) - ps = append(ps, ghaBuildPipeline(ghaBuildType{ - buildType: buildType{os: "linux", arch: "arm64", fips: false}, - trigger: triggerTag, - pipelineName: "build-linux-arm64", - dependsOn: []string{tagCleanupPipelineName}, - workflows: []ghaWorkflow{ - { - name: "release-linux-arm64.yml", - srcRefVar: "DRONE_TAG", - ref: "${DRONE_TAG}", - timeout: 150 * time.Minute, - shouldTagWorkflow: true, - inputs: map[string]string{"upload-artifacts": "true"}, - }, - }, - })) - ps = append(ps, ghaBuildPipeline(ghaBuildType{ buildType: buildType{os: "linux", fips: false}, trigger: triggerTag, @@ -171,7 +155,7 @@ func tagPipelines() []pipeline { tagCleanupPipelineName, "build-linux-amd64", "build-linux-amd64-fips", - "build-linux-arm64-deb", + "build-linux-arm64", "build-linux-arm", }, workflows: []ghaWorkflow{ From c75cdd76e18081cb6a30965639e1e85368fc6ae8 Mon Sep 17 00:00:00 2001 From: Cam Hutchison Date: Thu, 30 Nov 2023 15:59:16 +1100 Subject: [PATCH 4/7] dronegen: Add pipeline for building legacy AMIs Generate a pipeline for calling a GitHub Actions workflow to generate the legacy AMIs. There were two existing manually added pipelines - `build-oss-amis` and `build-ent-amis` - that are replaced by this. The new pipeline needs to be manually added and the old ones manually removed. --- dronegen/tag.go | 20 ++++++++++++++++++++ 1 file changed, 20 insertions(+) 
diff --git a/dronegen/tag.go b/dronegen/tag.go index 1d5616675de24..7b6a8bcceb404 100644 --- a/dronegen/tag.go +++ b/dronegen/tag.go @@ -207,6 +207,26 @@ func tagPipelines() []pipeline { ps = append(ps, darwinTagPipelineGHA()) ps = append(ps, windowsTagPipelineGHA()) + ps = append(ps, ghaBuildPipeline(ghaBuildType{ + pipelineName: "build-legacy-amis", + trigger: triggerTag, + buildType: buildType{fips: false}, + dependsOn: []string{ + "build-linux-amd64", + "build-linux-amd64-fips", + }, + workflows: []ghaWorkflow{ + { + name: "release-teleport-legacy-amis.yaml", + srcRefVar: "DRONE_TAG", + ref: "${DRONE_TAG}", + timeout: 150 * time.Minute, + shouldTagWorkflow: true, + slackOnError: true, + }, + }, + })) + ps = append(ps, tagCleanupPipeline()) return ps } From 02816b73eaee7d72d0860f1aa43706f6b2e710da Mon Sep 17 00:00:00 2001 From: Cam Hutchison Date: Thu, 30 Nov 2023 19:42:14 +1100 Subject: [PATCH 5/7] dronegen: Replace oci build with GitHub Actions workflow Replace the `teleport-container-images-branch-tag` workflow that builds the legacy and operator OCI images with a call to the GitHub Actions workflow that does the same on GitHub Actions. This requires the manual addition of the `build-oci` pipeline and manual removal of the `teleport-container-images-branch-tag` pipeline, followed by running `make dronegen` to flesh out `build-oci` and sign .drone.yml. --- dronegen/container_images.go | 1 - dronegen/tag.go | 22 ++++++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/dronegen/container_images.go b/dronegen/container_images.go index 1ac2d26cb280e..ab1fcb780e062 100644 --- a/dronegen/container_images.go +++ b/dronegen/container_images.go @@ -44,7 +44,6 @@ func buildContainerImagePipelines() []pipeline { branchMajorSemver, imageUpdateSemvers := buildPipelineVersions() triggers := []*TriggerInfo{ - NewTagTrigger(branchMajorSemver), NewPromoteTrigger(branchMajorSemver), NewCronTrigger(imageUpdateSemvers), } 
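Review bot: `build-legacy-amis` lists only `build-linux-amd64` and `build-linux-amd64-fips` in `dependsOn`, while the sibling `build-teleport-hardened-amis` pipeline (patch 2) puts `tagCleanupPipelineName` first ahead of the same two builds; `build-oci` in patch 5 has the same omission. Because ghaLinuxTagPipeline as written sets no `dependsOn` of its own, nothing orders these new pipelines after `clean-up-previous-build`, so I would add `tagCleanupPipelineName,` as the first entry in both. The two new pipelines differ only in name, workflow file and dependency list; a small helper taking those three would keep the identical `ghaWorkflow` settings (`srcRefVar`, `ref`, `timeout`, `shouldTagWorkflow`, `slackOnError`) in one place. tagPipelines starts before this hunk.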
diff --git a/dronegen/tag.go b/dronegen/tag.go index 7b6a8bcceb404..32338e067d971 100644 --- a/dronegen/tag.go +++ b/dronegen/tag.go @@ -227,6 +227,28 @@ func tagPipelines() []pipeline { }, })) + ps = append(ps, ghaBuildPipeline(ghaBuildType{ + pipelineName: "build-oci", + trigger: triggerTag, + buildType: buildType{fips: false}, + dependsOn: []string{ + "build-linux-amd64", + "build-linux-amd64-fips", + "build-linux-arm64", + "build-linux-arm", + }, + workflows: []ghaWorkflow{ + { + name: "release-teleport-oci.yaml", + srcRefVar: "DRONE_TAG", + ref: "${DRONE_TAG}", + timeout: 150 * time.Minute, + shouldTagWorkflow: true, + slackOnError: true, + }, + }, + })) + ps = append(ps, tagCleanupPipeline()) return ps } From b7bd00abff3177ffb32aa08f5c6735219b73fe64 Mon Sep 17 00:00:00 2001 From: Cam Hutchison Date: Thu, 30 Nov 2023 14:34:09 +1100 Subject: [PATCH 6/7] dronegen: Remove now-unused functions and vars Remove the now-unused functions and vars after converting pipelines to calling GitHub Actions instead of running stuff on Drone. --- dronegen/aws.go | 26 --- dronegen/common.go | 15 +- dronegen/tag.go | 461 --------------------------------------------- 3 files changed, 1 insertion(+), 501 deletions(-) diff --git a/dronegen/aws.go b/dronegen/aws.go index d2d141deea29d..97401c217db4b 100644 --- a/dronegen/aws.go +++ b/dronegen/aws.go @@ -38,14 +38,6 @@ type kubernetesRoleSettings struct { append bool } -// kuberentesS3Settings contains all info needed to download from S3 in a kubernetes pipeline -type kubernetesS3Settings struct { - region string - source string - target string - configVolume volumeRef -} - // assumeRoleCommands is a helper to build the role assumption commands on a *nix platform func assumeRoleCommands(profile, configPath string, appendFile bool) []string { if profile == "" { // set a default profile if none is specified 
@@ -94,21 +86,3 @@ func kubernetesAssumeAwsRoleStep(s kubernetesRoleSettings) step { Commands: assumeRoleCommands(s.profile, configPath, s.append), } } - -// kubernetesUploadToS3Step generates an S3 upload step -func kubernetesUploadToS3Step(s kubernetesS3Settings) step { - return step{ - Name: "Upload to S3", - Image: "amazon/aws-cli", - Pull: "if-not-exists", - Environment: map[string]value{ - "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"}, - "AWS_REGION": {raw: s.region}, - }, - Volumes: []volumeRef{s.configVolume}, - Commands: []string{ - `cd ` + s.source, - `aws s3 sync . s3://$AWS_S3_BUCKET/` + s.target, - }, - } -} diff --git a/dronegen/common.go b/dronegen/common.go index 56b2a430070c7..080e44d1212f9 100644 --- a/dronegen/common.go +++ b/dronegen/common.go @@ -104,16 +104,8 @@ var ( var buildboxVersion value -var goRuntime value - func init() { - v, err := exec.Command("make", "-s", "-C", "build.assets", "print-go-version").Output() - if err != nil { - log.Fatalf("could not get Go version: %v", err) - } - goRuntime = value{raw: string(bytes.TrimSpace(v))} - - v, err = exec.Command("make", "-s", "-C", "build.assets", "print-buildbox-version").Output() + v, err := exec.Command("make", "-s", "-C", "build.assets", "print-buildbox-version").Output() if err != nil { log.Fatalf("could not get buildbox version: %v", err) } @@ -227,11 +219,6 @@ func (b *buildType) Description(packageType string) string { return result } -func (b *buildType) hasTeleportConnect() bool { - return (b.os == "darwin" && b.arch == "amd64") || - (b.os == "linux" && b.arch == "amd64" && !b.centos7 && !b.fips) -} - // dockerService generates a docker:dind service // It includes the Docker socket volume by default, plus any extra volumes passed in func dockerService(v ...volumeRef) service { diff --git a/dronegen/tag.go b/dronegen/tag.go index 32338e067d971..e501cc5f6d8f5 100644 --- a/dronegen/tag.go +++ b/dronegen/tag.go 
@@ -17,16 +17,10 @@ package main import ( "fmt" "strconv" - "strings" "time" ) const ( - // rpmPackage is the RPM package type - rpmPackage = "rpm" - // debPackage is the DEB package type - debPackage = "deb" - // tagCleanupPipelineName is the name of the pipeline that cleans up // artifacts from a previous partially-failed build tagCleanupPipelineName = "clean-up-previous-build" 
@@ -34,109 +28,6 @@ const ( const releasesHost = "https://releases-prod.platform.teleport.sh" -// tagCheckoutCommands builds a list of commands for Drone to check out a git commit on a tag build -func tagCheckoutCommands(b buildType) []string { - return []string{ - `mkdir -p /go/src/github.com/gravitational/teleport`, - `cd /go/src/github.com/gravitational/teleport`, - `git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git .`, - `git checkout ${DRONE_TAG:-$DRONE_COMMIT}`, - // fetch enterprise submodules - `mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && chmod 600 /root/.ssh/id_rsa`, - `ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts`, - `git submodule update --init e`, - `rm -f /root/.ssh/id_rsa`, - // create necessary directories - `mkdir -p /go/cache /go/artifacts`, - // set version - `VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) -if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 -fi -echo "$$VERSION" > /go/.version.txt`, - } -} - -// tagBuildCommands generates a list of commands for Drone to build an artifact as part of a tag build -func tagBuildCommands(b buildType) []string { - commands := []string{ - `apk add --no-cache make`, - `chown -R $UID:$GID /go`, - `cd /go/src/github.com/gravitational/teleport`, - } - - if b.fips || b.hasTeleportConnect() { - commands = append(commands, - "export VERSION=$(cat /go/.version.txt)", - ) - } - - commands = append(commands, - fmt.Sprintf( - `make -C build.assets %s`, releaseMakefileTarget(b), - ), - ) - - // Build Teleport Connect on suported OS/arch - if b.hasTeleportConnect() { - switch b.os { - case "linux": - commands = append(commands, `make -C build.assets teleterm`) - } - } - - return commands -} - -// tagCopyArtifactCommands generates a set of commands to find and copy built tarball artifacts as part of a tag build -func 
tagCopyArtifactCommands(b buildType) []string { - commands := []string{ - `cd /go/src/github.com/gravitational/teleport`, - } - - // don't copy OSS artifacts for any FIPS build - if !b.fips { - commands = append(commands, `find . -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts \;`) - } - - commands = append(commands, `find e/ -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts \;`) - - // we need to specifically rename artifacts which are created for CentOS - // these is the only special case where renaming is not handled inside the Makefile - if b.centos7 { - // for CentOS 7, we support OSS, Enterprise, and FIPS (Enterprise only) - commands = append(commands, `export VERSION=$(cat /go/.version.txt)`) - if !b.fips { - commands = append(commands, - `mv /go/artifacts/teleport-v$${VERSION}-linux-amd64-bin.tar.gz /go/artifacts/teleport-v$${VERSION}-linux-amd64-centos7-bin.tar.gz`, - `mv /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-centos7-bin.tar.gz`, - ) - } else { - commands = append(commands, - `mv /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-fips-bin.tar.gz /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-centos7-fips-bin.tar.gz`, - ) - } - } - - if b.hasTeleportConnect() { - commands = append(commands, - `find /go/src/github.com/gravitational/teleport/web/packages/teleterm/build/release -maxdepth 1 \( -iname "teleport-connect*.tar.gz" -o -iname "teleport-connect*.rpm" -o -iname "teleport-connect*.deb" \) -print -exec cp {} /go/artifacts/ \;`, - ) - } - - // generate checksums - commands = append(commands, `cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; done && ls -l`) - - if b.os == "linux" && b.hasTeleportConnect() { - commands = append(commands, - `cd /go/artifacts && for FILE in teleport-connect*.deb teleport-connect*.rpm; do - sha256sum $FILE > $FILE.sha256; -done && ls -l`) - } - return commands -} - 
// tagPipelines builds all applicable tag pipeline combinations func tagPipelines() []pipeline { var ps []pipeline 
@@ -294,358 +185,6 @@ func ghaLinuxTagPipeline(b buildType) pipeline { return ghaBuildPipeline(bt) } -// tagPipeline generates a tag pipeline for a given combination of os/arch/FIPS -func tagPipeline(b buildType) pipeline { - if b.os == "" { - panic("b.os must be set") - } - if b.arch == "" { - panic("b.arch must be set") - } - - pipelineName := fmt.Sprintf("build-%s-%s", b.os, b.arch) - if b.centos7 { - pipelineName += "-centos7" - } - tagEnvironment := map[string]value{ - "UID": {raw: "1000"}, - "GID": {raw: "1000"}, - "GOCACHE": {raw: "/go/cache"}, - "GOPATH": {raw: "/go"}, - "OS": {raw: b.os}, - "ARCH": {raw: b.arch}, - } - if b.fips { - pipelineName += "-fips" - tagEnvironment["FIPS"] = value{raw: "yes"} - } - - p := newKubePipeline(pipelineName) - p.Environment = map[string]value{ - "BUILDBOX_VERSION": buildboxVersion, - "RUNTIME": goRuntime, - } - p.Trigger = triggerTag - p.DependsOn = []string{tagCleanupPipelineName} - p.Workspace = workspace{Path: "/go"} - p.Volumes = []volume{volumeAwsConfig, volumeDocker, volumeDockerConfig} - p.Services = []service{ - dockerService(), - } - p.Steps = []step{ - { - Name: "Check out code", - Image: "docker:git", - Pull: "if-not-exists", - Environment: map[string]value{ - "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"}, - }, - Commands: tagCheckoutCommands(b), - }, - waitForDockerStep(), - { - Name: "Build artifacts", - Image: "docker", - Pull: "if-not-exists", - Environment: tagEnvironment, - Volumes: []volumeRef{volumeRefDocker, volumeRefDockerConfig}, - Commands: tagBuildCommands(b), - }, - { - Name: "Copy artifacts", - Image: "docker", - Pull: "if-not-exists", - Commands: tagCopyArtifactCommands(b), - }, - kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{ - awsRoleSettings: awsRoleSettings{ - awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"}, - awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"}, - role: value{fromSecret: "AWS_ROLE"}, - }, - configVolume: volumeRefAwsConfig, - }), - 
kubernetesUploadToS3Step(kubernetesS3Settings{ - region: "us-west-2", - source: "/go/artifacts/", - target: "teleport/tag/${DRONE_TAG##v}", - configVolume: volumeRefAwsConfig, - }), - { - Name: "Register artifacts", - Image: "docker", - Pull: "if-not-exists", - Commands: tagCreateReleaseAssetCommands(b, ""), - Environment: map[string]value{ - "RELEASES_CERT": {fromSecret: "RELEASES_CERT"}, - "RELEASES_KEY": {fromSecret: "RELEASES_KEY"}, - }, - }, - } - return p -} - -// tagDownloadArtifactCommands generates a set of commands to download appropriate artifacts for creating a package as part of a tag build -func tagDownloadArtifactCommands(b buildType) []string { - commands := []string{ - `export VERSION=$(cat /go/.version.txt)`, - `if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else export S3_PATH="tag/"; fi`, - } - artifactOSS := true - artifactType := fmt.Sprintf("%s-%s", b.os, b.arch) - - if b.centos7 { - artifactType += "-centos7" - } - - if b.fips { - artifactType += "-fips" - artifactOSS = false - } - - if artifactOSS { - commands = append(commands, - fmt.Sprintf(`aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-%s-bin.tar.gz /go/artifacts/`, artifactType), - ) - } - commands = append(commands, - fmt.Sprintf(`aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-%s-bin.tar.gz /go/artifacts/`, artifactType), - ) - return commands -} - -// tagCopyPackageArtifactCommands generates a set of commands to find and copy built package artifacts as part of a tag build -func tagCopyPackageArtifactCommands(b buildType, packageType string) []string { - commands := []string{ - `cd /go/src/github.com/gravitational/teleport`, - } - if !b.fips { - commands = append(commands, fmt.Sprintf(`find build -maxdepth 1 -iname "teleport*.%s*" -print -exec cp {} /go/artifacts \;`, packageType)) - } - commands = append(commands, fmt.Sprintf(`find e/build -maxdepth 1 -iname "teleport*.%s*" -print -exec cp {} 
/go/artifacts \;`, packageType)) - return commands -} - -// createReleaseAssetCommands generates a set of commands to create release & asset in release management service -func tagCreateReleaseAssetCommands(b buildType, packageType string) []string { - commands := []string{ - `WORKSPACE_DIR=$${WORKSPACE_DIR:-/}`, - `VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt")`, - fmt.Sprintf(`RELEASES_HOST='%v'`, releasesHost), - `echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt"`, - `echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key"`, - `trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT`, - `CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key"`, - `which curl || apk add --no-cache curl`, - fmt.Sprintf(`cd "$WORKSPACE_DIR/go/artifacts" -find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="%[1]s" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl 
$CREDENTIALS --fail -o /dev/null -F description="$description" -F os="%[2]s" -F arch="%[3]s" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets";
-done`,
- b.Description(packageType), b.os, b.arch),
- }
- return commands
-}
-
-// tagPackagePipeline generates a tag package pipeline for a given combination of os/arch/FIPS
-func tagPackagePipeline(packageType string, b buildType) pipeline {
- if packageType == "" {
- panic("packageType must be set")
- }
- if b.os == "" {
- panic("b.os must be set")
- }
- if b.arch == "" {
- panic("b.arch must be set")
- }
-
- environment := map[string]value{
- "ARCH": {raw: b.arch},
- "TMPDIR": {raw: "/go"},
- "ENT_TARBALL_PATH": {raw: "/go/artifacts"},
- }
-
- dependentPipeline := fmt.Sprintf("build-%s-%s", b.os, b.arch)
-
- if b.centos7 {
- dependentPipeline += "-centos7"
- }
-
- apkPackages := []string{"bash", "curl", "gzip", "make", "tar"}
- if packageType == rpmPackage {
- // Required by `make rpm`
- apkPackages = append(apkPackages, "go")
- }
-
- packageBuildCommands := []string{
- fmt.Sprintf("apk add --no-cache %s", strings.Join(apkPackages, " ")),
- `apk add --no-cache aws-cli`,
- `cd /go/src/github.com/gravitational/teleport`,
- `export VERSION=$(cat /go/.version.txt)`,
- // Login to Amazon ECR Public
- `aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin public.ecr.aws`,
- }
-
- makeCommand := fmt.Sprintf("make %s", packageType)
- if b.fips {
- dependentPipeline += "-fips"
- environment["FIPS"] = value{raw: "yes"}
- environment["RUNTIME"] = value{raw: "fips"}
- makeCommand = fmt.Sprintf("make -C e %s", packageType)
- } else {
- environment["OSS_TARBALL_PATH"] = value{raw: "/go/artifacts"}
- }
-
- packageDockerVolumes := []volume{volumeAwsConfig, volumeDocker, volumeDockerConfig}
- packageDockerVolumeRefs := []volumeRef{
- volumeRefDocker,
- volumeRefDockerConfig,
- volumeRefAwsConfig,
- }
- packageDockerService := dockerService()
-
- switch packageType {
- case rpmPackage:
- environment["GNUPG_DIR"] = value{raw: "/tmpfs/gnupg"}
- environment["GPG_RPM_SIGNING_ARCHIVE"] = value{fromSecret: "GPG_RPM_SIGNING_ARCHIVE"}
- packageBuildCommands = append(packageBuildCommands,
- `mkdir -m0700 $GNUPG_DIR`,
- `echo "$GPG_RPM_SIGNING_ARCHIVE" | base64 -d | tar -xzf - -C $GNUPG_DIR`,
- `chown -R root:root $GNUPG_DIR`,
- makeCommand,
- `rm -rf $GNUPG_DIR`,
- )
- // RPM builds require tmpfs to hold the key material in memory.
- packageDockerVolumes = append(packageDockerVolumes, volumeTmpfs)
- packageDockerVolumeRefs = append(packageDockerVolumeRefs, volumeRefTmpfs)
- packageDockerService = dockerService(volumeRefTmpfs)
- case debPackage:
- packageBuildCommands = append(packageBuildCommands,
- makeCommand,
- )
- default:
- panic("packageType is not set")
- }
-
- assumeDownloadRoleStep := kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{
- awsRoleSettings: awsRoleSettings{
- awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"},
- awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"},
- role: value{fromSecret: "AWS_ROLE"},
- },
- configVolume: volumeRefAwsConfig,
- name: "Assume Download AWS Role",
- })
- assumeBuildRoleStep := kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{
- awsRoleSettings: awsRoleSettings{
- awsAccessKeyID: value{fromSecret: "TELEPORT_BUILD_USER_READ_ONLY_KEY"},
- awsSecretAccessKey: value{fromSecret: "TELEPORT_BUILD_USER_READ_ONLY_SECRET"},
- role: value{fromSecret: "TELEPORT_BUILD_READ_ONLY_AWS_ROLE"},
- },
- configVolume: volumeRefAwsConfig,
- name: "Assume Build AWS Role",
- })
- assumeUploadRoleStep := kubernetesAssumeAwsRoleStep(kubernetesRoleSettings{
- awsRoleSettings: awsRoleSettings{
- awsAccessKeyID: value{fromSecret: "AWS_ACCESS_KEY_ID"},
- awsSecretAccessKey: value{fromSecret: "AWS_SECRET_ACCESS_KEY"},
- role: value{fromSecret: "AWS_ROLE"},
- },
- configVolume: volumeRefAwsConfig,
- name: "Assume Upload AWS Role",
- })
-
- pipelineName := fmt.Sprintf("%s-%s", dependentPipeline, packageType)
-
- p := newKubePipeline(pipelineName)
- p.Trigger = triggerTag
- p.DependsOn = []string{dependentPipeline, tagCleanupPipelineName}
- p.Workspace = workspace{Path: "/go"}
- p.Volumes = packageDockerVolumes
- p.Services = []service{
- packageDockerService,
- }
- p.Steps = []step{
- {
- Name: "Check out code",
- Image: "docker:git",
- Environment: map[string]value{
- "GITHUB_PRIVATE_KEY": {fromSecret: "GITHUB_PRIVATE_KEY"},
- },
- Commands: tagCheckoutCommands(b),
- },
- waitForDockerStep(),
- assumeDownloadRoleStep,
- {
- Name: "Download artifacts from S3",
- Image: "amazon/aws-cli",
- Environment: map[string]value{
- "AWS_REGION": {raw: "us-west-2"},
- "AWS_S3_BUCKET": {fromSecret: "AWS_S3_BUCKET"},
- },
- Commands: tagDownloadArtifactCommands(b),
- Volumes: []volumeRef{volumeRefAwsConfig},
- },
- assumeBuildRoleStep,
- {
- Name: "Build artifacts",
- Image: "docker",
- Environment: environment,
- Volumes: packageDockerVolumeRefs,
- Commands: packageBuildCommands,
- },
- {
- Name: "Copy artifacts",
- Image: "docker",
- Commands: tagCopyPackageArtifactCommands(b, packageType),
- },
- assumeUploadRoleStep,
- kubernetesUploadToS3Step(kubernetesS3Settings{
- region: "us-west-2",
- source: "/go/artifacts/",
- target: "teleport/tag/${DRONE_TAG##v}",
- configVolume: volumeRefAwsConfig,
- }),
- {
- Name: "Register artifacts",
- Image: "docker",
- Commands: tagCreateReleaseAssetCommands(b, strings.ToUpper(packageType)),
- Environment: map[string]value{
- "RELEASES_CERT": {fromSecret: "RELEASES_CERT"},
- "RELEASES_KEY": {fromSecret: "RELEASES_KEY"},
- },
- },
- }
- return p
-}
-
func tagCleanupPipeline() pipeline {
return relcliPipeline(triggerTag, tagCleanupPipelineName, "Clean up previously built artifacts", "auto_destroy -f -v 6")
}
From 22646abc1d860dbb59bc3d87d602a81c61001446 Mon Sep 17 00:00:00 2001
From: Cam Hutchison Date: Wed, 2 Aug 2023 15:17:34 +1000 Subject: [PATCH 7/7] drone: Update .drone.yml for GHA workflows Update .drone.yml by running `make dronegen` to update the following pipelines to call GitHub Actions to build instead of building on Drone: build-linux-amd64 build-linux-amd64-fips build-linux-386 build-linux-arm64 build-linux-arm Add two new pipelines for building AMIs and OCIs on GHA: build-legacy-amis build-oci Remove the following pipelines, as the builds of deb/rpm packages are now done within the above pipelines on GitHub Actions and the ami/oci pipelines have been replaced: build-linux-amd64-deb build-linux-amd64-fips-deb build-linux-amd64-centos7-rpm build-linux-amd64-centos7-fips-rpm build-linux-386-deb build-linux-386-rpm build-linux-arm64-deb build-linux-arm64-rpm build-linux-arm-deb build-linux-arm-rpm build-oss-amis build-ent-amis teleport-container-images-branch-tag Remove the following pipelines as AMD64 builds are always centos7 builds, but we were just doing it twice. 
No need for these any more, as the GHA workflow will build the release artifacts for these with the centos7 targets: build-linux-amd64-centos7 build-linux-amd64-centos7-fips The pipelines were added/removed using the following script, followed by `make dronegen`: AWK_SCRIPT=' /^---$/ { printf "%s", accumulator; accumulator = "" } /^---$/ || accumulator { accumulator = accumulator $0 "\n" } /^name: / { drop = $2 == to_remove if ($2 == before && to_add) { printf "---\nname: %s\n", to_add } if (!drop) { printf "%s", accumulator } accumulator = "" next } !drop && !accumulator { print } ENDFILE { printf "%s", accumulator }' toremove=( build-linux-amd64-{centos7,centos7-fips} build-linux-amd64-{deb,fips-deb,centos7-rpm,centos7-fips-rpm} build-linux-386-{deb,rpm} build-linux-arm64-{deb,rpm} build-linux-arm-{deb,rpm} build-{oss,ent}-amis teleport-container-images-branch-tag ) add_before=build-buildboxes toadd=( build-legacy-amis build-oci ) for pipeline in "${toremove[@]}"; do gawk -i inplace -v to_remove=$pipeline "$AWK_SCRIPT" .drone.yml done for pipeline in "${toadd[@]}"; do gawk -i inplace -v to_add=$pipeline -v before=$add_before "$AWK_SCRIPT" .drone.yml done --- .drone.yml | 7353 ++++++++-------------------------------------------- 1 file changed, 1095 insertions(+), 6258 deletions(-) diff --git a/.drone.yml b/.drone.yml index 66af7871e2d7b..fd773e4dde316 100644 --- a/.drone.yml +++ b/.drone.yml 
@@ -573,9 +573,9 @@ steps: commands: - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -timeout 2h30m0s -workflow release-linux-arm64.yml -workflow-ref=${DRONE_BRANCH} + -tag-workflow -timeout 2h30m0s -workflow release-linux.yaml -workflow-ref=${DRONE_BRANCH} -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_COMMIT} - -input "upload-artifacts=false" ' + -input "build-connect=false" -input "release-target=release-arm64" ' environment: GHA_APP_KEY: from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY @@ -848,15 +848,12 @@ volumes: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPipeline) +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) ################################################ kind: pipeline type: kubernetes -name: build-linux-amd64-centos7 -environment: - BUILDBOX_VERSION: teleport15 - RUNTIME: go1.21.4 +name: build-linux-amd64 trigger: event: include: 
@@ -871,185 +868,50 @@ workspace: path: /go clone: disable: true -depends_on: -- clean-up-previous-build steps: - name: Check out code image: docker:git pull: if-not-exists commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - git submodule update --init e + - mkdir -pv /go/cache - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt environment: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build artifacts - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make - - chown -R $UID:$GID /go - - cd /go/src/github.com/gravitational/teleport - - make -C build.assets release-amd64-centos7 - environment: - ARCH: amd64 - GID: "1000" - GOCACHE: /go/cache - GOPATH: /go - OS: linux - UID: "1000" - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Copy artifacts - image: docker - pull: if-not-exists - commands: - - cd /go/src/github.com/gravitational/teleport - - find . -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - find e/ -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - export VERSION=$(cat /go/.version.txt) - - mv /go/artifacts/teleport-v$${VERSION}-linux-amd64-bin.tar.gz /go/artifacts/teleport-v$${VERSION}-linux-amd64-centos7-bin.tar.gz - - mv /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-centos7-bin.tar.gz - - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; - done && ls -l -- name: Assume AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset 
AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker +- name: Delegate build to GitHub + image: golang:1.18-alpine pull: if-not-exists commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 64-bit (RHEL/CentOS 7.x compatible)" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow release-linux.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input + "build-connect=true" -input "build-os-packages=true" -input "release-artifacts=true" + -input "release-target=release-amd64-centos7" ' environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} 
-- name: dockerconfig - temp: {} + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +- name: Send Slack notification + image: plugins/slack:1.4.1 + settings: + template: |- + *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> + Author: Repo: Branch: Commit: + webhook: + from_secret: SLACK_WEBHOOK_DEV_TELEPORT + when: + status: + - failure image_pull_secrets: - DOCKERHUB_CREDENTIALS @@ -1057,15 +919,12 @@ image_pull_secrets: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPipeline) +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) ################################################ kind: pipeline type: kubernetes -name: build-linux-amd64-centos7-fips -environment: - BUILDBOX_VERSION: teleport15 - RUNTIME: go1.21.4 +name: build-linux-amd64-fips trigger: event: include: 
@@ -1080,184 +939,50 @@ workspace: path: /go clone: disable: true -depends_on: -- clean-up-previous-build steps: - name: Check out code image: docker:git pull: if-not-exists commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - git submodule update --init e + - mkdir -pv /go/cache - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt environment: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build artifacts - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make - - chown -R $UID:$GID /go - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - make -C build.assets release-amd64-centos7-fips - environment: - ARCH: amd64 - FIPS: "yes" - GID: "1000" - GOCACHE: /go/cache - GOPATH: /go - OS: linux - UID: "1000" - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Copy artifacts - image: docker - pull: if-not-exists - commands: - - cd /go/src/github.com/gravitational/teleport - - find e/ -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - export VERSION=$(cat /go/.version.txt) - - mv /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-fips-bin.tar.gz /go/artifacts/teleport-ent-v$${VERSION}-linux-amd64-centos7-fips-bin.tar.gz - - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; - done && ls -l -- name: Assume AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: 
AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker +- name: Delegate build to GitHub + image: golang:1.18-alpine pull: if-not-exists commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 64-bit (RHEL/CentOS 7.x compatible, FedRAMP/FIPS)" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow release-linux.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input + "build-connect=false" -input "build-os-packages=true" -input "release-artifacts=true" + -input "release-target=release-amd64-centos7-fips" ' environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: 
dockersock - temp: {} -- name: dockerconfig - temp: {} + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +- name: Send Slack notification + image: plugins/slack:1.4.1 + settings: + template: |- + *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> + Author: Repo: Branch: Commit: + webhook: + from_secret: SLACK_WEBHOOK_DEV_TELEPORT + when: + status: + - failure image_pull_secrets: - DOCKERHUB_CREDENTIALS @@ -1265,15 +990,12 @@ image_pull_secrets: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPipeline) +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) ################################################ kind: pipeline type: kubernetes -name: build-linux-amd64 -environment: - BUILDBOX_VERSION: teleport15 - RUNTIME: go1.21.4 +name: build-linux-386 trigger: event: include: 
@@ -1288,191 +1010,50 @@ workspace: path: /go clone: disable: true -depends_on: -- clean-up-previous-build steps: - name: Check out code image: docker:git pull: if-not-exists commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - mkdir -pv /go/cache + - rm -f /root/.ssh/id_rsa environment: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build artifacts - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make - - chown -R $UID:$GID /go - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - make -C build.assets release-amd64-centos7 - - make -C build.assets teleterm - environment: - ARCH: amd64 - GID: "1000" - GOCACHE: /go/cache - GOPATH: /go - OS: linux - UID: "1000" - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Copy artifacts - image: docker - pull: if-not-exists - commands: - - cd /go/src/github.com/gravitational/teleport - - find . -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - find e/ -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - find /go/src/github.com/gravitational/teleport/web/packages/teleterm/build/release - -maxdepth 1 \( -iname "teleport-connect*.tar.gz" -o -iname "teleport-connect*.rpm" - -o -iname "teleport-connect*.deb" \) -print -exec cp {} /go/artifacts/ \; - - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; - done && ls -l - - |- - cd /go/artifacts && for FILE in teleport-connect*.deb teleport-connect*.rpm; do - sha256sum $FILE > $FILE.sha256; - done && ls -l -- name: Assume AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo 
"drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker +- name: Delegate build to GitHub + image: golang:1.18-alpine pull: if-not-exists commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 64-bit" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow release-linux.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input + "build-connect=false" -input "build-os-packages=true" -input "release-artifacts=true" + -input "release-target=release-386" ' environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} + 
GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +- name: Send Slack notification + image: plugins/slack:1.4.1 + settings: + template: |- + *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> + Author: Repo: Branch: Commit: + webhook: + from_secret: SLACK_WEBHOOK_DEV_TELEPORT + when: + status: + - failure image_pull_secrets: - DOCKERHUB_CREDENTIALS @@ -1480,15 +1061,12 @@ image_pull_secrets: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPipeline) +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) ################################################ kind: pipeline type: kubernetes -name: build-linux-amd64-fips -environment: - BUILDBOX_VERSION: teleport15 - RUNTIME: go1.21.4 +name: build-darwin-amd64 trigger: event: include: 
@@ -1503,182 +1081,49 @@ workspace: path: /go clone: disable: true -depends_on: -- clean-up-previous-build steps: - name: Check out code image: docker:git pull: if-not-exists commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - git submodule update --init e + - mkdir -pv /go/cache - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt environment: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build artifacts - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make - - chown -R $UID:$GID /go - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - make -C build.assets release-amd64-centos7-fips - environment: - ARCH: amd64 - FIPS: "yes" - GID: "1000" - GOCACHE: /go/cache - GOPATH: /go - OS: linux - UID: "1000" - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Copy artifacts - image: docker - pull: if-not-exists - commands: - - cd /go/src/github.com/gravitational/teleport - - find e/ -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; - done && ls -l -- name: Assume AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: 
amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker +- name: Delegate build to GitHub + image: golang:1.18-alpine pull: if-not-exists commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 64-bit (FedRAMP/FIPS)" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow release-mac.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input + "build-packages=true" -input "release-artifacts=true" ' environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY 
+- name: Send Slack notification + image: plugins/slack:1.4.1 + settings: + template: |- + *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> + Author: Repo: Branch: Commit: + webhook: + from_secret: SLACK_WEBHOOK_DEV_TELEPORT + when: + status: + - failure image_pull_secrets: - DOCKERHUB_CREDENTIALS @@ -1686,12 +1131,12 @@ image_pull_secrets: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPackagePipeline) +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) ################################################ kind: pipeline type: kubernetes -name: build-linux-amd64-centos7-rpm +name: build-linux-arm trigger: event: include: 
@@ -1706,261 +1151,121 @@ workspace: path: /go clone: disable: true -depends_on: -- build-linux-amd64-centos7 -- clean-up-previous-build steps: - name: Check out code image: docker:git + pull: if-not-exists commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Assume Download AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Download artifacts from S3 - image: amazon/aws-cli - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-amd64-centos7-bin.tar.gz - /go/artifacts/ - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-centos7-bin.tar.gz - /go/artifacts/ + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 
/root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - mkdir -pv /go/cache + - rm -f /root/.ssh/id_rsa environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Assume Build AWS Role - image: amazon/aws-cli + GITHUB_PRIVATE_KEY: + from_secret: GITHUB_PRIVATE_KEY +- name: Delegate build to GitHub + image: golang:1.18-alpine pull: if-not-exists commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow release-linux.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input + "build-connect=false" -input "build-os-packages=true" -input "release-artifacts=true" + -input "release-target=release-arm" ' environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Build artifacts - image: docker - commands: - - apk add --no-cache bash curl gzip make tar go - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - 
aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - mkdir -m0700 $GNUPG_DIR - - echo "$GPG_RPM_SIGNING_ARCHIVE" | base64 -d | tar -xzf - -C $GNUPG_DIR - - chown -R root:root $GNUPG_DIR - - make rpm - - rm -rf $GNUPG_DIR - environment: - ARCH: amd64 - ENT_TARBALL_PATH: /go/artifacts - GNUPG_DIR: /tmpfs/gnupg - GPG_RPM_SIGNING_ARCHIVE: - from_secret: GPG_RPM_SIGNING_ARCHIVE - OSS_TARBALL_PATH: /go/artifacts - TMPDIR: /go - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker - - name: awsconfig - path: /root/.aws - - name: tmpfs - path: /tmpfs -- name: Copy artifacts - image: docker - commands: - - cd /go/src/github.com/gravitational/teleport - - find build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts - \; - - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts - \; -- name: Assume Upload AWS Role - image: amazon/aws-cli + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +- name: Send Slack notification + image: plugins/slack:1.4.1 + settings: + template: |- + *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> + Author: Repo: Branch: Commit: + webhook: + from_secret: SLACK_WEBHOOK_DEV_TELEPORT + when: + status: + - failure +image_pull_secrets: +- DOCKERHUB_CREDENTIALS + +--- +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. 
+# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) +################################################ + +kind: pipeline +type: kubernetes +name: build-linux-arm64 +trigger: + event: + include: + - tag + ref: + include: + - refs/tags/v* + repo: + include: + - gravitational/* +workspace: + path: /go +clone: + disable: true +steps: +- name: Check out code + image: docker:git pull: if-not-exists commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - mkdir -pv /go/cache + - rm -f /root/.ssh/id_rsa environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli + GITHUB_PRIVATE_KEY: + from_secret: GITHUB_PRIVATE_KEY +- name: Delegate build to GitHub + image: golang:1.18-alpine pull: if-not-exists commands: - - cd /go/artifacts/ - - aws s3 sync . 
s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 64-bit RPM (RHEL/CentOS 7.x compatible)" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl 
$CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow release-linux.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input + "build-connect=false" -input "build-os-packages=true" -input "release-artifacts=true" + -input "release-target=release-arm64" ' environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: tmpfs - path: /tmpfs - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -- name: tmpfs - temp: - medium: memory + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +- name: Send Slack notification + image: plugins/slack:1.4.1 + settings: + template: |- + *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> + Author: Repo: Branch: Commit: + webhook: + from_secret: SLACK_WEBHOOK_DEV_TELEPORT + when: + status: + - failure image_pull_secrets: - DOCKERHUB_CREDENTIALS @@ -1968,12 +1273,12 @@ image_pull_secrets: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPackagePipeline) +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) ################################################ kind: pipeline type: kubernetes -name: build-linux-amd64-centos7-fips-rpm +name: tag-build-windows-amd64 trigger: event: include: 
@@ -1988,35 +1293,235 @@ workspace: path: /go clone: disable: true -depends_on: -- build-linux-amd64-centos7-fips -- clean-up-previous-build steps: - name: Check out code image: docker:git + pull: if-not-exists commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - git submodule update --init e + - mkdir -pv /go/cache - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt environment: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker +- name: Delegate build to GitHub + image: golang:1.18-alpine + pull: if-not-exists + commands: + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 30m0s -workflow release-windows.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} ' + environment: + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +- name: Send Slack notification 
+ image: plugins/slack:1.4.1 + settings: + template: |- + *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> + Author: Repo: Branch: Commit: + webhook: + from_secret: SLACK_WEBHOOK_DEV_TELEPORT + when: + status: + - failure +image_pull_secrets: +- DOCKERHUB_CREDENTIALS + +--- +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) +################################################ + +kind: pipeline +type: kubernetes +name: build-legacy-amis +trigger: + event: + include: + - tag + ref: + include: + - refs/tags/v* + repo: + include: + - gravitational/* +workspace: + path: /go +clone: + disable: true +depends_on: +- build-linux-amd64 +- build-linux-amd64-fips +steps: +- name: Check out code + image: docker:git + pull: if-not-exists + commands: + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - mkdir -pv /go/cache + - rm -f /root/.ssh/id_rsa + environment: + GITHUB_PRIVATE_KEY: + from_secret: GITHUB_PRIVATE_KEY +- name: Delegate build to GitHub + image: golang:1.18-alpine + pull: if-not-exists + commands: + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow release-teleport-legacy-amis.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} ' + 
environment: + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +- name: Send Slack notification + image: plugins/slack:1.4.1 + settings: + template: |- + *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> + Author: Repo: Branch: Commit: + webhook: + from_secret: SLACK_WEBHOOK_DEV_TELEPORT + when: + status: + - failure +image_pull_secrets: +- DOCKERHUB_CREDENTIALS + +--- +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) +################################################ + +kind: pipeline +type: kubernetes +name: build-oci +trigger: + event: + include: + - tag + ref: + include: + - refs/tags/v* + repo: + include: + - gravitational/* +workspace: + path: /go +clone: + disable: true +depends_on: +- build-linux-amd64 +- build-linux-amd64-fips +- build-linux-arm64 +- build-linux-arm +steps: +- name: Check out code + image: docker:git + pull: if-not-exists + commands: + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - mkdir -pv /go/cache + - rm -f /root/.ssh/id_rsa + environment: + GITHUB_PRIVATE_KEY: + from_secret: GITHUB_PRIVATE_KEY +- name: Delegate build to GitHub + image: golang:1.18-alpine + pull: if-not-exists + commands: + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow 
release-teleport-oci.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} ' + environment: + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +- name: Send Slack notification + image: plugins/slack:1.4.1 + settings: + template: |- + *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> + Author: Repo: Branch: Commit: + webhook: + from_secret: SLACK_WEBHOOK_DEV_TELEPORT + when: + status: + - failure +image_pull_secrets: +- DOCKERHUB_CREDENTIALS + +--- +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. +# Generated at dronegen/buildbox.go (main.buildboxPipeline) +################################################ + +kind: pipeline +type: kubernetes +name: build-buildboxes +environment: + BUILDBOX_VERSION: teleport15 + GID: "1000" + UID: "1000" +trigger: + event: + include: + - push + repo: + include: + - gravitational/teleport + branch: + include: + - master + - branch/* +workspace: + path: /go/src/github.com/gravitational/teleport +clone: + disable: true +steps: +- name: Check out code + image: docker:git + commands: + - git clone --depth 1 --single-branch --branch ${DRONE_SOURCE_BRANCH:-master} https://github.com/gravitational/${DRONE_REPO_NAME}.git + . + - git checkout ${DRONE_COMMIT} +- name: Wait for docker + image: docker pull: if-not-exists commands: - timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done' 
@@ -2031,13 +1536,13 @@ steps: path: /var/run - name: dockerconfig path: /root/.docker -- name: Assume Download AWS Role +- name: Configure Staging AWS Profile image: amazon/aws-cli pull: if-not-exists commands: - aws sts get-caller-identity - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + printf "[staging]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ $(aws sts assume-role \ --role-arn "$AWS_ROLE" \ --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ 
@@ -2045,189 +1550,138 @@ steps: --output text) \ > /root/.aws/credentials - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default + - aws sts get-caller-identity --profile staging environment: AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID + from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_KEY AWS_ROLE: - from_secret: AWS_ROLE + from_secret: STAGING_BUILDBOX_DRONE_ECR_AWS_ROLE AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Download artifacts from S3 - image: amazon/aws-cli - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-centos7-fips-bin.tar.gz - /go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET + from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_SECRET volumes: - name: awsconfig path: /root/.aws -- name: Assume Build AWS Role +- name: Configure Production AWS Profile image: amazon/aws-cli pull: if-not-exists commands: - aws sts get-caller-identity - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + printf "[production]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ $(aws sts assume-role \ --role-arn "$AWS_ROLE" \ --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ --output text) \ - > /root/.aws/credentials + >> /root/.aws/credentials - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default + - aws sts get-caller-identity --profile production environment: AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY + from_secret: 
PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE + from_secret: PRODUCTION_BUILDBOX_DRONE_ECR_AWS_ROLE AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET + from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET volumes: - name: awsconfig path: /root/.aws -- name: Build artifacts +- name: Build and push buildbox image: docker + pull: if-not-exists commands: - - apk add --no-cache bash curl gzip make tar go - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - mkdir -m0700 $GNUPG_DIR - - echo "$GPG_RPM_SIGNING_ARCHIVE" | base64 -d | tar -xzf - -C $GNUPG_DIR - - chown -R root:root $GNUPG_DIR - - make -C e rpm - - rm -rf $GNUPG_DIR - environment: - ARCH: amd64 - ENT_TARBALL_PATH: /go/artifacts - FIPS: "yes" - GNUPG_DIR: /tmpfs/gnupg - GPG_RPM_SIGNING_ARCHIVE: - from_secret: GPG_RPM_SIGNING_ARCHIVE - RUNTIME: fips - TMPDIR: /go + - apk add --no-cache make aws-cli + - chown -R $UID:$GID /go + - aws ecr get-login-password --profile staging --region=us-west-2 | docker login + -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com + - make -C build.assets buildbox + - docker tag public.ecr.aws/gravitational/teleport-buildbox:$BUILDBOX_VERSION 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA + - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA + - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr-public get-login-password --profile production --region=us-east-1 | docker + login -u="AWS" --password-stdin public.ecr.aws + - docker push public.ecr.aws/gravitational/teleport-buildbox:$BUILDBOX_VERSION volumes: + - name: awsconfig + path: /root/.aws 
- name: dockersock path: /var/run - name: dockerconfig path: /root/.docker - - name: awsconfig - path: /root/.aws - - name: tmpfs - path: /tmpfs -- name: Copy artifacts +- name: Build and push buildbox-arm image: docker - commands: - - cd /go/src/github.com/gravitational/teleport - - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts - \; -- name: Assume Upload AWS Role - image: amazon/aws-cli pull: if-not-exists commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY + - apk add --no-cache make aws-cli + - chown -R $UID:$GID /go + - aws ecr get-login-password --profile staging --region=us-west-2 | docker login + -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com + - make -C build.assets buildbox-arm + - docker tag public.ecr.aws/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION + 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA + - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA + - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr-public get-login-password --profile production --region=us-east-1 | docker + login -u="AWS" --password-stdin public.ecr.aws + - docker push 
public.ecr.aws/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION volumes: - name: awsconfig path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli + - name: dockersock + path: /var/run + - name: dockerconfig + path: /root/.docker +- name: Build and push buildbox-centos7 + image: docker pull: if-not-exists commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET + - apk add --no-cache make aws-cli + - chown -R $UID:$GID /go + - aws ecr get-login-password --profile staging --region=us-west-2 | docker login + -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com + - make -C build.assets buildbox-centos7 + - docker tag public.ecr.aws/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION + 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA + - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA + - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr-public get-login-password --profile production --region=us-east-1 | docker + login -u="AWS" --password-stdin public.ecr.aws + - docker push public.ecr.aws/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION volumes: - name: awsconfig path: /root/.aws -- name: Register artifacts + - name: dockersock + path: /var/run + - name: dockerconfig + path: /root/.docker +- name: Build and push buildbox-centos7-fips image: docker + pull: if-not-exists commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' 
'$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 64-bit RPM (RHEL/CentOS 7.x compatible, FedRAMP/FIPS)" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY + - apk add --no-cache make aws-cli + - chown -R $UID:$GID /go + - aws ecr get-login-password --profile staging --region=us-west-2 | docker login + -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com + - make -C build.assets buildbox-centos7-fips + - docker tag 
public.ecr.aws/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION + 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA + - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA + - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com + - aws ecr-public get-login-password --profile production --region=us-east-1 | docker + login -u="AWS" --password-stdin public.ecr.aws + - docker push public.ecr.aws/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION + volumes: + - name: awsconfig + path: /root/.aws + - name: dockersock + path: /var/run + - name: dockerconfig + path: /root/.docker services: - name: Start Docker image: docker:dind privileged: true volumes: - - name: tmpfs - path: /tmpfs - name: dockersock path: /var/run volumes: @@ -2237,9 +1691,6 @@ volumes: temp: {} - name: dockerconfig temp: {} -- name: tmpfs - temp: - medium: memory image_pull_secrets: - DOCKERHUB_CREDENTIALS @@ -2247,19 +1698,19 @@ image_pull_secrets: ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPackagePipeline) +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) ################################################ kind: pipeline type: kubernetes -name: build-linux-amd64-deb +name: publish-os-package-repos trigger: event: include: - - tag - ref: + - promote + target: include: - - refs/tags/v* + - production repo: include: - gravitational/* 
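Review bot: Each `Build and push buildbox*` step runs `docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com` after the staging push but never `docker logout public.ecr.aws` after the production push, and `/root/.docker` is a volume shared by every step, so the production registry token is left on disk for the rest of the pipeline; add `docker logout public.ecr.aws` as the final command of all four steps. These same steps mount `/root/.aws` holding both the `staging` and `production` profiles while `make -C build.assets buildbox` runs, which is a wider credential exposure than the build needs; splitting the production login/push into its own step (or assuming the production role only after the builds) would let the build steps carry the staging profile alone. The public push also uses only the mutable `$BUILDBOX_VERSION` tag while the staging push records `-$DRONE_COMMIT_SHA`; pushing the sha-suffixed tag to public.ecr.aws as well, or at least logging the pushed digest, would let consumers pin the exact buildbox they built with.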
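Review bot: The new `publish-os-package-repos` trigger fires on any `promote` whose target is `production` and drops the `ref: refs/tags/v*` restriction the replaced tag pipeline had, so promoting an untagged branch build would start this pipeline; its steps begin after this hunk and appear to depend on `${DRONE_TAG}`. Restore the restriction in the trigger itself, e.g. add `ref: { include: [refs/tags/v*] }` next to `event` and `target`, rather than relying on a later step to notice the missing tag.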
@@ -2267,738 +1718,481 @@ workspace: path: /go clone: disable: true -depends_on: -- build-linux-amd64 -- clean-up-previous-build steps: - name: Check out code image: docker:git + pull: if-not-exists commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - git submodule update --init e + - mkdir -pv /go/cache - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt environment: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists +- name: Determine if release should go to development or production + image: golang:1.18-alpine commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Assume Download AWS Role - image: amazon/aws-cli + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - mkdir -pv "/go/vars" + - (CGO_ENABLED=0 go run ./cmd/check -tag ${DRONE_TAG} -check prerelease && echo + "promote" || echo "build") > "/go/vars/release-environment.txt" + depends_on: + - Check out code +- name: Publish Teleport to stable/${DRONE_TAG} apt repo + image: golang:1.18-alpine pull: if-not-exists commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -series-run -series-run-filter .*apt.* -timeout 12h0m0s -workflow + deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" + -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-to-test=teleport-ent" + -input "release-channel=stable" -input "repo-type=apt" -input "version-channel=${DRONE_TAG}" ' environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: 
AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Download artifacts from S3 - image: amazon/aws-cli + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY + depends_on: + - Determine if release should go to development or production +- name: Wait - Publish Teleport to stable/${DRONE_TAG} yum repo + image: alpine:latest commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-amd64-bin.tar.gz - /go/artifacts/ - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz - /go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Assume Build AWS Role - image: amazon/aws-cli + - sleep 10 + depends_on: + - Determine if release should go to development or production +- name: Publish Teleport to stable/${DRONE_TAG} yum repo + image: golang:1.18-alpine pull: if-not-exists commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Build artifacts - image: docker - commands: - - apk add 
--no-cache bash curl gzip make tar - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - make deb + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -series-run -series-run-filter .*yum.* -timeout 12h0m0s -workflow + deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" + -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-to-test=teleport-ent" + -input "release-channel=stable" -input "repo-type=yum" -input "version-channel=${DRONE_TAG}" ' environment: - ARCH: amd64 - ENT_TARBALL_PATH: /go/artifacts - OSS_TARBALL_PATH: /go/artifacts - TMPDIR: /go - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker - - name: awsconfig - path: /root/.aws -- name: Copy artifacts - image: docker + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY + depends_on: + - Wait - Publish Teleport to stable/${DRONE_TAG} yum repo +- name: Wait - Publish teleport-ent-updater to stable/cloud apt repo + image: alpine:latest commands: - - cd /go/src/github.com/gravitational/teleport - - find build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; - - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; -- name: Assume Upload AWS Role - image: amazon/aws-cli + - sleep 20 + depends_on: + - Determine if release should go to development or production +- name: Publish teleport-ent-updater to stable/cloud apt repo + image: golang:1.18-alpine pull: if-not-exists commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - 
--role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -series-run -series-run-filter .*apt.* -timeout 12h0m0s -workflow + deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" + -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-name-filter=teleport-ent-updater*" + -input "release-channel=stable" -input "repo-type=apt" -input "version-channel=cloud" ' + environment: + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY + depends_on: + - Wait - Publish teleport-ent-updater to stable/cloud apt repo +- name: Wait - Publish teleport-ent-updater to stable/cloud yum repo + image: alpine:latest + commands: + - sleep 30 + depends_on: + - Determine if release should go to development or production +- name: Publish teleport-ent-updater to stable/cloud yum repo + image: golang:1.18-alpine pull: if-not-exists commands: - - cd /go/artifacts/ - - aws s3 sync . 
s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -series-run -series-run-filter .*yum.* -timeout 12h0m0s -workflow + deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" + -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-name-filter=teleport-ent-updater*" + -input "release-channel=stable" -input "repo-type=yum" -input "version-channel=cloud" ' environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY + depends_on: + - Wait - Publish teleport-ent-updater to stable/cloud yum repo +- name: Wait - Publish Teleport to stable/rolling apt repo + image: alpine:latest commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 64-bit DEB" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done + - sleep 40 + depends_on: + - Determine if release should go to development or production +- name: Publish Teleport to stable/rolling apt repo + image: golang:1.18-alpine + pull: if-not-exists + commands: + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -series-run -series-run-filter .*apt.* -timeout 12h0m0s -workflow + deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" + -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-to-test=teleport-ent" + -input "release-channel=stable" -input "repo-type=apt" -input "version-channel=rolling" ' environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - 
RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY + depends_on: + - Wait - Publish Teleport to stable/rolling apt repo +- name: Wait - Publish Teleport to stable/rolling yum repo + image: alpine:latest + commands: + - sleep 50 + depends_on: + - Determine if release should go to development or production +- name: Publish Teleport to stable/rolling yum repo + image: golang:1.18-alpine + pull: if-not-exists + commands: + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -series-run -series-run-filter .*yum.* -timeout 12h0m0s -workflow + deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" + -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-to-test=teleport-ent" + -input "release-channel=stable" -input "repo-type=yum" -input "version-channel=rolling" ' + environment: + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY + depends_on: + - Wait - Publish Teleport to stable/rolling yum repo image_pull_secrets: - DOCKERHUB_CREDENTIALS --- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/tag.go (main.tagPackagePipeline) -################################################ - kind: pipeline type: kubernetes -name: build-linux-amd64-fips-deb +name: promote-build + trigger: event: - include: - - tag - ref: - include: - - refs/tags/v* + - promote + target: + - production repo: include: - - gravitational/* + - gravitational/* + workspace: path: /go + clone: disable: true -depends_on: -- build-linux-amd64-fips -- clean-up-previous-build + steps: -- name: Check out code - image: docker:git - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Assume Download AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Download artifacts from S3 - image: amazon/aws-cli - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-fips-bin.tar.gz - /go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Assume Build AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo 
"drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Build artifacts - image: docker - commands: - - apk add --no-cache bash curl gzip make tar - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - make -C e deb - environment: - ARCH: amd64 - ENT_TARBALL_PATH: /go/artifacts - FIPS: "yes" - RUNTIME: fips - TMPDIR: /go - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker - - name: awsconfig - path: /root/.aws -- name: Copy artifacts - image: docker - commands: - - cd /go/src/github.com/gravitational/teleport - - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; -- name: Assume Upload AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - 
AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 64-bit DEB (FedRAMP/FIPS)" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="amd64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -image_pull_secrets: -- DOCKERHUB_CREDENTIALS + - name: Check if commit is tagged + image: alpine + commands: + - "[ -n ${DRONE_TAG} ] || (echo 'DRONE_TAG is not set. Is the commit tagged?' && exit 1)" ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/tag.go (main.tagPipeline) -################################################ + - name: Assume Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws -kind: pipeline -type: kubernetes -name: build-linux-386 -environment: - BUILDBOX_VERSION: teleport15 - RUNTIME: go1.21.4 -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: -- clean-up-previous-build -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . 
- - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build artifacts - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make - - chown -R $UID:$GID /go - - cd /go/src/github.com/gravitational/teleport - - make -C build.assets release-386 - environment: - ARCH: "386" - GID: "1000" - GOCACHE: /go/cache - GOPATH: /go - OS: linux - UID: "1000" - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Copy artifacts - image: docker - pull: if-not-exists - commands: - - cd /go/src/github.com/gravitational/teleport - - find . 
-maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - find e/ -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; - done && ls -l -- name: Assume AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . 
s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker - pull: if-not-exists - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue + - name: Download artifacts from S3 + image: amazon/aws-cli + commands: + - mkdir -p /go/artifacts + - aws s3 sync s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}/ /go/artifacts/ + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + AWS_REGION: us-west-2 + volumes: + - name: awsconfig + path: /root/.aws - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 32-bit" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" + - name: Assume Upload AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + 
--role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: PRODUCTION_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws - release_params="" # List of "-F releaseId=XXX" parameters to curl + # Uploads to Houston + - name: Upload artifacts to production S3 + image: amazon/aws-cli + environment: + AWS_REGION: us-east-1 + AWS_S3_BUCKET: + from_secret: PRODUCTION_AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + commands: + - cd /go/artifacts/ + - aws s3 sync --acl public-read . s3://$AWS_S3_BUCKET/teleport/${DRONE_TAG##v} - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi + - name: Check out code + image: docker:git + commands: + - | + mkdir -p /go/src/github.com/gravitational/teleport + cd /go/src/github.com/gravitational/teleport + git init && git remote add origin ${DRONE_REMOTE_URL} + git fetch origin +refs/tags/${DRONE_TAG}: + git checkout -qf FETCH_HEAD - release_params="$release_params -F releaseId=$product@$VERSION" - done + - name: Assume AMI Download AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + 
--role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: + from_secret: AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Download AMI timestamps + image: amazon/aws-cli + environment: + AWS_S3_BUCKET: + from_secret: AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + commands: + - mkdir -p /go/src/github.com/gravitational/teleport/assets/aws/files/build + - aws s3 sync s3://$AWS_S3_BUCKET/teleport/ami/${DRONE_TAG##v}/ /go/src/github.com/gravitational/teleport/assets/aws/files/build + + - name: Assume AMI Publish AWS Role + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: PRODUCTION_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: Make AMIs public + image: docker + volumes: + - name: awsconfig + path: /root/.aws + commands: + - apk add --no-cache aws-cli bash jq make + - cd /go/src/github.com/gravitational/teleport/assets/aws + - | + make 
change-amis-to-public-oss + make change-amis-to-public-ent + make change-amis-to-public-ent-fips + + - name: "Helm: Assume Download AWS Role" + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: PRODUCTION_CHARTS_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + # Download all previously packaged charts. This is needed to rebuild the + # index and re-publish the repository. + - name: "Helm: Download chart repository" + image: amazon/aws-cli + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + commands: + - mkdir -p /go/chart + - aws s3 sync s3://$AWS_S3_BUCKET/ /go/chart + + - name: "Helm: Package chart repository" + image: alpine/helm:latest + commands: + - cd /go/chart + - helm package /go/src/github.com/gravitational/teleport/examples/chart/teleport-cluster + - helm package /go/src/github.com/gravitational/teleport/examples/chart/teleport-kube-agent + # copy index.html to root of the S3 bucket. 
+ - cp /go/src/github.com/gravitational/teleport/examples/chart/index.html /go/chart + # this will index all previous versions of the charts downloaded from the S3 bucket, + # plus the just-packaged charts listed above + - helm repo index /go/chart + - ls /go/chart + + - name: "Helm: Assume Upload AWS Role" + image: amazon/aws-cli + commands: + - aws sts get-caller-identity + - |- + printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ + $(aws sts assume-role \ + --role-arn "$AWS_ROLE" \ + --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ + --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ + --output text) \ + > /root/.aws/credentials + - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY + - aws sts get-caller-identity --profile default + environment: + AWS_ACCESS_KEY_ID: + from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID + AWS_SECRET_ACCESS_KEY: + from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY + AWS_ROLE: + from_secret: PRODUCTION_CHARTS_AWS_ROLE + volumes: + - name: awsconfig + path: /root/.aws + + - name: "Helm: Publish chart repository to S3" + image: amazon/aws-cli + environment: + AWS_REGION: us-west-2 + AWS_S3_BUCKET: + from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET + volumes: + - name: awsconfig + path: /root/.aws + commands: + - cd /go/chart/ + - aws s3 sync . 
s3://$AWS_S3_BUCKET/ - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="386" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -image_pull_secrets: -- DOCKERHUB_CREDENTIALS + - name: Start Docker + image: docker:dind + privileged: true + volumes: + - name: dockersock + path: /var/run + - name: tmpfs + path: /tmpfs +volumes: + - name: awsconfig + temp: {} + - name: dockersock + temp: {} + - name: tmpfs + temp: + medium: memory + # these persistent volumes cache RPMs/DEBs near Drone so that we don't need to download the + # entire repo contents from S3 every time to build the repo, we just sync any differences + - name: rpmrepo + claim: + name: drone-s3-rpmrepo-pvc + - name: debrepo + claim: + name: drone-s3-debrepo-pvc --- ################################################ # Generated using dronegen, do not edit by hand! # Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPackagePipeline) +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) ################################################ kind: pipeline type: kubernetes -name: build-linux-386-rpm +name: promote-teleport-oci-distroless-images trigger: event: include: - - tag - ref: + - promote + target: include: - - refs/tags/v* + - production + - promote-distroless repo: include: - gravitational/* 
@@ -3006,4513 +2200,156 @@ workspace: path: /go clone: disable: true -depends_on: -- build-linux-386 -- clean-up-previous-build steps: - name: Check out code image: docker:git + pull: if-not-exists commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - git submodule update --init e + - mkdir -pv /go/cache - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt environment: GITHUB_PRIVATE_KEY: from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Assume Download AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Download artifacts from S3 - image: amazon/aws-cli - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-386-bin.tar.gz - /go/artifacts/ - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-386-bin.tar.gz - /go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Assume Build AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - 
$(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Build artifacts - image: docker - commands: - - apk add --no-cache bash curl gzip make tar go - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - mkdir -m0700 $GNUPG_DIR - - echo "$GPG_RPM_SIGNING_ARCHIVE" | base64 -d | tar -xzf - -C $GNUPG_DIR - - chown -R root:root $GNUPG_DIR - - make rpm - - rm -rf $GNUPG_DIR - environment: - ARCH: "386" - ENT_TARBALL_PATH: /go/artifacts - GNUPG_DIR: /tmpfs/gnupg - GPG_RPM_SIGNING_ARCHIVE: - from_secret: GPG_RPM_SIGNING_ARCHIVE - OSS_TARBALL_PATH: /go/artifacts - TMPDIR: /go - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker - - name: awsconfig - path: /root/.aws - - name: tmpfs - path: /tmpfs -- name: Copy artifacts - image: docker - commands: - - cd /go/src/github.com/gravitational/teleport - - find build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts - \; - - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts - \; -- name: Assume Upload AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = 
%s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 32-bit RPM" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="386" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: tmpfs - path: /tmpfs - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -- name: tmpfs - temp: - medium: memory -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/tag.go (main.tagPackagePipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-linux-386-deb -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: -- build-linux-386 -- clean-up-previous-build -steps: -- name: Check out code - image: docker:git - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Assume Download AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Download artifacts from S3 - image: amazon/aws-cli - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-386-bin.tar.gz - /go/artifacts/ - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-386-bin.tar.gz - /go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Assume Build AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - 
$(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Build artifacts - image: docker - commands: - - apk add --no-cache bash curl gzip make tar - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - make deb - environment: - ARCH: "386" - ENT_TARBALL_PATH: /go/artifacts - OSS_TARBALL_PATH: /go/artifacts - TMPDIR: /go - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker - - name: awsconfig - path: /root/.aws -- name: Copy artifacts - image: docker - commands: - - cd /go/src/github.com/gravitational/teleport - - find build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; - - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; -- name: Assume Upload AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - 
- unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux 32-bit DEB" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="386" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-darwin-amd64 -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -pv "/go/src/github.com/gravitational/teleport" - - cd "/go/src/github.com/gravitational/teleport" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "${DRONE_COMMIT_SHA}" - - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && - chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - mkdir -pv /go/cache - - rm -f /root/.ssh/id_rsa - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Delegate build to GitHub - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -timeout 2h30m0s -workflow release-mac.yaml -workflow-ref=${DRONE_TAG} - -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input - "build-packages=true" -input "release-artifacts=true" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY -- name: Send Slack notification - image: plugins/slack:1.4.1 - settings: - template: |- - *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> - Author: Repo: Branch: Commit: - webhook: - from_secret: SLACK_WEBHOOK_DEV_TELEPORT - when: - status: - - failure -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ 
-# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-linux-arm -environment: - BUILDBOX_VERSION: teleport15 - RUNTIME: go1.21.4 -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: -- clean-up-previous-build -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build artifacts - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make - - chown -R $UID:$GID /go - - cd /go/src/github.com/gravitational/teleport - - make -C build.assets release-arm - environment: - ARCH: arm - GID: "1000" - GOCACHE: /go/cache - GOPATH: /go - OS: linux - UID: "1000" - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Copy artifacts - image: docker - pull: if-not-exists - commands: - - cd /go/src/github.com/gravitational/teleport - - find . -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - find e/ -maxdepth 1 -iname "teleport*.tar.gz" -print -exec cp {} /go/artifacts - \; - - cd /go/artifacts && for FILE in teleport*.tar.gz; do sha256sum $FILE > $FILE.sha256; - done && ls -l -- name: Assume AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - 
image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker - pull: if-not-exists - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux ARMv7 (32-bit)" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="arm" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-linux-arm64 -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: -- clean-up-previous-build -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -pv "/go/src/github.com/gravitational/teleport" - - cd "/go/src/github.com/gravitational/teleport" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "${DRONE_COMMIT_SHA}" - - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && - chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - mkdir -pv /go/cache - - rm -f /root/.ssh/id_rsa - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Delegate build to GitHub - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -timeout 2h30m0s -workflow release-linux-arm64.yml -workflow-ref=${DRONE_TAG} - -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input - "upload-artifacts=true" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/tag.go (main.tagPackagePipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-linux-arm64-deb -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: - - build-linux-arm64 - - clean-up-previous-build -steps: - - name: Check out code - image: docker:git - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY - - name: Wait for docker - image: docker - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - volumes: - - name: dockersock - path: /var/run - - name: Assume Download AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws - - name: Download artifacts from S3 - image: amazon/aws-cli - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-arm64-bin.tar.gz - /go/artifacts/ - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm64-bin.tar.gz - /go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - - name: Assume Build AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY 
- - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: awsconfig - path: /root/.aws - - name: Build artifacts - image: docker - commands: - - apk add --no-cache bash curl gzip make tar - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - make deb - environment: - ARCH: arm64 - ENT_TARBALL_PATH: /go/artifacts - OSS_TARBALL_PATH: /go/artifacts - TMPDIR: /go - volumes: - - name: dockersock - path: /var/run - - name: awsconfig - path: /root/.aws - - name: Copy artifacts - image: docker - commands: - - cd /go/src/github.com/gravitational/teleport - - find build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; - - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; - - name: Assume Upload AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws - - name: Upload to S3 - image: amazon/aws-cli - 
commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - - name: Register artifacts - image: docker - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux ARM64/ARMv8 (64-bit) DEB" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F 
releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="arm64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: - - name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: - - name: dockersock - temp: {} - - name: awsconfig - temp: {} - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPackagePipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-linux-arm-deb -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: -- build-linux-arm -- clean-up-previous-build -steps: -- name: Check out code - image: docker:git - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . 
- - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Assume Download AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Download artifacts from S3 - image: 
amazon/aws-cli - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-arm-bin.tar.gz - /go/artifacts/ - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm-bin.tar.gz - /go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Assume Build AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Build artifacts - image: docker - commands: - - apk add --no-cache bash curl gzip make tar - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - make deb - environment: - ARCH: arm - ENT_TARBALL_PATH: /go/artifacts - OSS_TARBALL_PATH: /go/artifacts - TMPDIR: /go - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker - - name: awsconfig - path: 
/root/.aws -- name: Copy artifacts - image: docker - commands: - - cd /go/src/github.com/gravitational/teleport - - find build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; - - find e/build -maxdepth 1 -iname "teleport*.deb*" -print -exec cp {} /go/artifacts - \; -- name: Assume Upload AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . 
s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux ARMv7 (32-bit) DEB" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o 
/dev/null -F description="$description" -F os="linux" -F arch="arm" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/tag.go (main.tagPackagePipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-linux-arm64-rpm -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: - - build-linux-arm64 - - clean-up-previous-build -steps: - - name: Check out code - image: docker:git - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . 
- - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY - - name: Wait for docker - image: docker - commands: - - timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done' - volumes: - - name: dockersock - path: /var/run - - name: Assume Download AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws - - name: Download artifacts from S3 - image: amazon/aws-cli - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-arm64-bin.tar.gz - /go/artifacts/ - - aws s3 
cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm64-bin.tar.gz - /go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - - name: Assume Build AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: awsconfig - path: /root/.aws - - name: Build artifacts - image: docker - commands: - - apk add --no-cache bash curl gzip make tar go - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - mkdir -m0700 $GNUPG_DIR - - echo "$GPG_RPM_SIGNING_ARCHIVE" | base64 -d | tar -xzf - -C $GNUPG_DIR - - chown -R root:root $GNUPG_DIR - - make rpm - - rm -rf $GNUPG_DIR - environment: - ARCH: arm64 - ENT_TARBALL_PATH: /go/artifacts - GNUPG_DIR: /tmpfs/gnupg - GPG_RPM_SIGNING_ARCHIVE: - from_secret: GPG_RPM_SIGNING_ARCHIVE - OSS_TARBALL_PATH: /go/artifacts - TMPDIR: /go - volumes: - - name: dockersock - path: /var/run - - name: awsconfig - path: /root/.aws - - name: tmpfs - path: /tmpfs - - name: Copy artifacts - image: docker - commands: - - cd 
/go/src/github.com/gravitational/teleport - - find build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts - \; - - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts - \; - - name: Assume Upload AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws - - name: Upload to S3 - image: amazon/aws-cli - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - - name: Register artifacts - image: docker - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! 
-iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux ARM64/ARMv8 (64-bit) RPM" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="arm64" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: - - name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: tmpfs - path: /tmpfs - - name: dockersock - path: /var/run -volumes: - - name: dockersock - temp: {} - - name: awsconfig - temp: {} - - name: tmpfs - temp: - medium: memory - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/tag.go (main.tagPackagePipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-linux-arm-rpm -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: -- build-linux-arm -- clean-up-previous-build -steps: -- name: Check out code - image: docker:git - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - - mkdir -m 0700 /root/.ssh && echo -n "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa - && chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - rm -f /root/.ssh/id_rsa - - mkdir -p /go/cache /go/artifacts - - |- - VERSION=$(egrep ^VERSION Makefile | cut -d= -f2) - if [ "$$VERSION" != "${DRONE_TAG##v}" ]; then - echo "Mismatch between Makefile version: $$VERSION and git tag: $DRONE_TAG" - exit 1 - fi - echo "$$VERSION" > /go/.version.txt - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Assume Download AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Download artifacts from S3 - image: amazon/aws-cli - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else - export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-arm-bin.tar.gz - /go/artifacts/ - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-arm-bin.tar.gz - /go/artifacts/ - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Assume Build AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - 
$(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_KEY - AWS_ROLE: - from_secret: TELEPORT_BUILD_READ_ONLY_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: TELEPORT_BUILD_USER_READ_ONLY_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Build artifacts - image: docker - commands: - - apk add --no-cache bash curl gzip make tar go - - apk add --no-cache aws-cli - - cd /go/src/github.com/gravitational/teleport - - export VERSION=$(cat /go/.version.txt) - - aws ecr-public get-login-password --region us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - mkdir -m0700 $GNUPG_DIR - - echo "$GPG_RPM_SIGNING_ARCHIVE" | base64 -d | tar -xzf - -C $GNUPG_DIR - - chown -R root:root $GNUPG_DIR - - make rpm - - rm -rf $GNUPG_DIR - environment: - ARCH: arm - ENT_TARBALL_PATH: /go/artifacts - GNUPG_DIR: /tmpfs/gnupg - GPG_RPM_SIGNING_ARCHIVE: - from_secret: GPG_RPM_SIGNING_ARCHIVE - OSS_TARBALL_PATH: /go/artifacts - TMPDIR: /go - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker - - name: awsconfig - path: /root/.aws - - name: tmpfs - path: /tmpfs -- name: Copy artifacts - image: docker - commands: - - cd /go/src/github.com/gravitational/teleport - - find build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts - \; - - find e/build -maxdepth 1 -iname "teleport*.rpm*" -print -exec cp {} /go/artifacts - \; -- name: Assume Upload AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = 
%s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws -- name: Upload to S3 - image: amazon/aws-cli - pull: if-not-exists - commands: - - cd /go/artifacts/ - - aws s3 sync . s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v} - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws -- name: Register artifacts - image: docker - commands: - - WORKSPACE_DIR=$${WORKSPACE_DIR:-/} - - VERSION=$(cat "$WORKSPACE_DIR/go/.version.txt") - - RELEASES_HOST='https://releases-prod.platform.teleport.sh' - - echo "$RELEASES_CERT" | base64 -d > "$WORKSPACE_DIR/releases.crt" - - echo "$RELEASES_KEY" | base64 -d > "$WORKSPACE_DIR/releases.key" - - trap "rm -f '$WORKSPACE_DIR/releases.crt' '$WORKSPACE_DIR/releases.key'" EXIT - - CREDENTIALS="--cert $WORKSPACE_DIR/releases.crt --key $WORKSPACE_DIR/releases.key" - - which curl || apk add --no-cache curl - - |- - cd "$WORKSPACE_DIR/go/artifacts" - find . -type f ! -iname '*.sha256' ! -iname '*-unsigned.zip*' | while read -r file; do - # Skip files that are not results of this build - # (e.g. 
tarballs from which OS packages are made) - [ -f "$file.sha256" ] || continue - - name="$(basename "$file" | sed -E 's/(-|_)v?[0-9].*$//')" # extract part before -vX.Y.Z - description="Linux ARMv7 (32-bit) RPM" - products="$name" - if [ "$name" = "tsh" ]; then - products="teleport teleport-ent" - elif [ "$name" = "Teleport Connect" -o "$name" = "teleport-connect" ]; then - description="Teleport Connect" - products="teleport teleport-ent" - fi - shasum="$(cat "$file.sha256" | cut -d ' ' -f 1)" - - release_params="" # List of "-F releaseId=XXX" parameters to curl - - for product in $products; do - status_code=$(curl $CREDENTIALS -o "$WORKSPACE_DIR/curl_out.txt" -w "%{http_code}" -F "product=$product" -F "version=$VERSION" -F notesMd="# Teleport $VERSION" -F status=draft "$RELEASES_HOST/releases") - if [ $status_code -ne 200 ] && [ $status_code -ne 409 ]; then - echo "curl HTTP status: $status_code" - cat $WORKSPACE_DIR/curl_out.txt - exit 1 - fi - - release_params="$release_params -F releaseId=$product@$VERSION" - done - - curl $CREDENTIALS --fail -o /dev/null -F description="$description" -F os="linux" -F arch="arm" -F "file=@$file" -F "sha256=$shasum" $release_params "$RELEASES_HOST/assets"; - done - environment: - RELEASES_CERT: - from_secret: RELEASES_CERT - RELEASES_KEY: - from_secret: RELEASES_KEY -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: tmpfs - path: /tmpfs - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -- name: tmpfs - temp: - medium: memory -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: tag-build-windows-amd64 -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -pv "/go/src/github.com/gravitational/teleport" - - cd "/go/src/github.com/gravitational/teleport" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "${DRONE_COMMIT_SHA}" - - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && - chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - mkdir -pv /go/cache - - rm -f /root/.ssh/id_rsa - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Delegate build to GitHub - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -timeout 30m0s -workflow release-windows.yaml -workflow-ref=${DRONE_TAG} - -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY -- name: Send Slack notification - image: plugins/slack:1.4.1 - settings: - template: |- - *✘ Failed:* `{{ build.event }}` / `${DRONE_STAGE_NAME}` / <{{ build.link }}|Build: #{{ build.number }}> - Author: Repo: Branch: Commit: - webhook: - from_secret: SLACK_WEBHOOK_DEV_TELEPORT - when: - status: - - failure -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -kind: pipeline -type: kubernetes -name: build-oss-amis - -trigger: - event: - - tag - ref: - include: - 
- refs/tags/v* - repo: - include: - - gravitational/* - -depends_on: - - build-linux-amd64 - -workspace: - path: /go - -clone: - disable: true - -steps: - - name: Check out code - image: docker:git - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . - - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - # set version - - if [[ "${DRONE_TAG}" != "" ]]; then echo "${DRONE_TAG##v}" > /go/.version.txt; else egrep ^VERSION Makefile | cut -d= -f2 > /go/.version.txt; fi; cat /go/.version.txt - - - name: Assume Download AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Download built tarball artifacts from S3 - image: amazon/aws-cli - environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_REGION: us-west-2 - volumes: - - name: awsconfig - path: /root/.aws - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-v$${VERSION}-linux-amd64-bin.tar.gz /go/src/github.com/gravitational/teleport/assets/aws/files - - - name: Assume Packer AWS Role - image: 
amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_PACKER_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_PACKER_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: AWS_PACKER_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Build OSS AMIs - image: hashicorp/packer:1.9.4 - volumes: - - name: dockersock - path: /var/run - - name: awsconfig - path: /root/.aws - commands: - - apk add --no-cache aws-cli jq make - - packer plugins install github.com/hashicorp/amazon - - cd /go/src/github.com/gravitational/teleport/assets/aws - - export TELEPORT_VERSION=$(cat /go/.version.txt) - - export PUBLIC_AMI_NAME=gravitational-teleport-ami-oss-$TELEPORT_VERSION - - | - if [ "${DRONE_BUILD_EVENT}" = "tag" ]; then - echo "---> Building production OSS AMIs" - echo "---> Note: these AMIs will not be made public until the 'promote' step is run" - make oss-ci-build - else - echo "---> Building debug OSS AMIs" - make oss - fi - - - name: Assume S3 Timestamp Sync AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID 
AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Sync OSS build timestamp to S3 - image: amazon/aws-cli - environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_REGION: us-west-2 - volumes: - - name: awsconfig - path: /root/.aws - commands: - - export VERSION=$(cat /go/.version.txt) - - aws s3 cp /go/src/github.com/gravitational/teleport/assets/aws/files/build/oss_build_timestamp.txt s3://$AWS_S3_BUCKET/teleport/ami/$${VERSION}/ - -services: - - name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run - -volumes: - - name: dockersock - temp: {} - - name: awsconfig - temp: {} - ---- -kind: pipeline -type: kubernetes -name: build-ent-amis - -trigger: - event: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* - -depends_on: - - build-linux-amd64 - - build-linux-amd64-fips - -workspace: - path: /go - -clone: - disable: true - -steps: - - name: Check out code - image: docker:git - commands: - - mkdir -p /go/src/github.com/gravitational/teleport - - cd /go/src/github.com/gravitational/teleport - - git clone https://github.com/gravitational/${DRONE_REPO_NAME}.git . 
- - git checkout ${DRONE_TAG:-$DRONE_COMMIT} - # set version - - if [[ "${DRONE_TAG}" != "" ]]; then echo "${DRONE_TAG##v}" > /go/.version.txt; else egrep ^VERSION Makefile | cut -d= -f2 > /go/.version.txt; fi; cat /go/.version.txt - - - name: Assume Download AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Download built tarball artifacts from S3 - image: amazon/aws-cli - environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_REGION: us-west-2 - volumes: - - name: awsconfig - path: /root/.aws - commands: - - export VERSION=$(cat /go/.version.txt) - - if [[ "${DRONE_TAG}" != "" ]]; then export S3_PATH="tag/$${DRONE_TAG##v}/"; else export S3_PATH="tag/"; fi - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-bin.tar.gz /go/src/github.com/gravitational/teleport/assets/aws/files - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/$${S3_PATH}teleport-ent-v$${VERSION}-linux-amd64-fips-bin.tar.gz /go/src/github.com/gravitational/teleport/assets/aws/files - - - name: Assume Packer AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - 
--role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_PACKER_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_PACKER_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: AWS_PACKER_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Build Enterprise AMIs - image: hashicorp/packer:1.9.4 - volumes: - - name: dockersock - path: /var/run - - name: awsconfig - path: /root/.aws - commands: - - apk add --no-cache aws-cli jq make - - packer plugins install github.com/hashicorp/amazon - - cd /go/src/github.com/gravitational/teleport/assets/aws - - export TELEPORT_VERSION=$(cat /go/.version.txt) - - export PUBLIC_AMI_NAME=gravitational-teleport-ami-ent-$TELEPORT_VERSION - - export FIPS_AMI_NAME=gravitational-teleport-ami-ent-$TELEPORT_VERSION-fips - - | - if [ "${DRONE_BUILD_EVENT}" = "tag" ]; then - echo "---> Building production Enterprise AMIs" - echo "---> Note: these AMIs will not be made public until the 'promote' step is run" - make ent-ci-build - else - echo "---> Building debug Enterprise AMIs" - make ent - fi - - - name: Assume S3 Timestamp Sync AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - 
AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Sync Enterprise build timestamp to S3 - image: amazon/aws-cli - environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_REGION: us-west-2 - volumes: - - name: awsconfig - path: /root/.aws - commands: - - export VERSION=$(cat /go/.version.txt) - - aws s3 cp /go/src/github.com/gravitational/teleport/assets/aws/files/build/ent_build_timestamp.txt s3://$AWS_S3_BUCKET/teleport/ami/$${VERSION}/ - -services: - - name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run - -volumes: - - name: dockersock - temp: {} - - name: awsconfig - temp: {} - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/buildbox.go (main.buildboxPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: build-buildboxes -environment: - BUILDBOX_VERSION: teleport15 - GID: "1000" - UID: "1000" -trigger: - event: - include: - - push - repo: - include: - - gravitational/teleport - branch: - include: - - master - - branch/* -workspace: - path: /go/src/github.com/gravitational/teleport -clone: - disable: true -steps: -- name: Check out code - image: docker:git - commands: - - git clone --depth 1 --single-branch --branch ${DRONE_SOURCE_BRANCH:-master} https://github.com/gravitational/${DRONE_REPO_NAME}.git - . - - git checkout ${DRONE_COMMIT} -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! 
-S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Configure Staging AWS Profile - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[staging]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile staging - environment: - AWS_ACCESS_KEY_ID: - from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_KEY - AWS_ROLE: - from_secret: STAGING_BUILDBOX_DRONE_ECR_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_BUILDBOX_DRONE_USER_ECR_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Configure Production AWS Profile - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[production]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - >> /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile production - environment: - AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_KEY - AWS_ROLE: - from_secret: PRODUCTION_BUILDBOX_DRONE_ECR_AWS_ROLE 
- AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_BUILDBOX_DRONE_USER_ECR_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Build and push buildbox - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make aws-cli - - chown -R $UID:$GID /go - - aws ecr get-login-password --profile staging --region=us-west-2 | docker login - -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - - make -C build.assets buildbox - - docker tag public.ecr.aws/gravitational/teleport-buildbox:$BUILDBOX_VERSION 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - aws ecr-public get-login-password --profile production --region=us-east-1 | docker - login -u="AWS" --password-stdin public.ecr.aws - - docker push public.ecr.aws/gravitational/teleport-buildbox:$BUILDBOX_VERSION - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build and push buildbox-arm - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make aws-cli - - chown -R $UID:$GID /go - - aws ecr get-login-password --profile staging --region=us-west-2 | docker login - -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - - make -C build.assets buildbox-arm - - docker tag public.ecr.aws/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - aws ecr-public get-login-password --profile 
production --region=us-east-1 | docker - login -u="AWS" --password-stdin public.ecr.aws - - docker push public.ecr.aws/gravitational/teleport-buildbox-arm:$BUILDBOX_VERSION - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build and push buildbox-centos7 - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make aws-cli - - chown -R $UID:$GID /go - - aws ecr get-login-password --profile staging --region=us-west-2 | docker login - -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - - make -C build.assets buildbox-centos7 - - docker tag public.ecr.aws/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - aws ecr-public get-login-password --profile production --region=us-east-1 | docker - login -u="AWS" --password-stdin public.ecr.aws - - docker push public.ecr.aws/gravitational/teleport-buildbox-centos7:$BUILDBOX_VERSION - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Build and push buildbox-centos7-fips - image: docker - pull: if-not-exists - commands: - - apk add --no-cache make aws-cli - - chown -R $UID:$GID /go - - aws ecr get-login-password --profile staging --region=us-west-2 | docker login - -u="AWS" --password-stdin 146628656107.dkr.ecr.us-west-2.amazonaws.com - - make -C build.assets buildbox-centos7-fips - - docker tag public.ecr.aws/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION - 
146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION-$DRONE_COMMIT_SHA - - docker logout 146628656107.dkr.ecr.us-west-2.amazonaws.com - - aws ecr-public get-login-password --profile production --region=us-east-1 | docker - login -u="AWS" --password-stdin public.ecr.aws - - docker push public.ecr.aws/gravitational/teleport-buildbox-centos7-fips:$BUILDBOX_VERSION - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -services: -- name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run -volumes: -- name: awsconfig - temp: {} -- name: dockersock - temp: {} -- name: dockerconfig - temp: {} -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. 
-# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: publish-os-package-repos -trigger: - event: - include: - - promote - target: - include: - - production - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -pv "/go/src/github.com/gravitational/teleport" - - cd "/go/src/github.com/gravitational/teleport" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "${DRONE_COMMIT_SHA}" - - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && - chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - mkdir -pv /go/cache - - rm -f /root/.ssh/id_rsa - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Determine if release should go to development or production - image: golang:1.18-alpine - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - mkdir -pv "/go/vars" - - (CGO_ENABLED=0 go run ./cmd/check -tag ${DRONE_TAG} -check prerelease && echo - "promote" || echo "build") > "/go/vars/release-environment.txt" - depends_on: - - Check out code -- name: Publish Teleport to stable/${DRONE_TAG} apt repo - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -series-run -series-run-filter .*apt.* -timeout 12h0m0s -workflow - deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" - -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-to-test=teleport-ent" - -input 
"release-channel=stable" -input "repo-type=apt" -input "version-channel=${DRONE_TAG}" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY - depends_on: - - Determine if release should go to development or production -- name: Wait - Publish Teleport to stable/${DRONE_TAG} yum repo - image: alpine:latest - commands: - - sleep 10 - depends_on: - - Determine if release should go to development or production -- name: Publish Teleport to stable/${DRONE_TAG} yum repo - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -series-run -series-run-filter .*yum.* -timeout 12h0m0s -workflow - deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" - -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-to-test=teleport-ent" - -input "release-channel=stable" -input "repo-type=yum" -input "version-channel=${DRONE_TAG}" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY - depends_on: - - Wait - Publish Teleport to stable/${DRONE_TAG} yum repo -- name: Wait - Publish teleport-ent-updater to stable/cloud apt repo - image: alpine:latest - commands: - - sleep 20 - depends_on: - - Determine if release should go to development or production -- name: Publish teleport-ent-updater to stable/cloud apt repo - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -series-run -series-run-filter .*apt.* -timeout 12h0m0s -workflow - deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" - -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-name-filter=teleport-ent-updater*" - 
-input "release-channel=stable" -input "repo-type=apt" -input "version-channel=cloud" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY - depends_on: - - Wait - Publish teleport-ent-updater to stable/cloud apt repo -- name: Wait - Publish teleport-ent-updater to stable/cloud yum repo - image: alpine:latest - commands: - - sleep 30 - depends_on: - - Determine if release should go to development or production -- name: Publish teleport-ent-updater to stable/cloud yum repo - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -series-run -series-run-filter .*yum.* -timeout 12h0m0s -workflow - deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" - -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-name-filter=teleport-ent-updater*" - -input "release-channel=stable" -input "repo-type=yum" -input "version-channel=cloud" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY - depends_on: - - Wait - Publish teleport-ent-updater to stable/cloud yum repo -- name: Wait - Publish Teleport to stable/rolling apt repo - image: alpine:latest - commands: - - sleep 40 - depends_on: - - Determine if release should go to development or production -- name: Publish Teleport to stable/rolling apt repo - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -series-run -series-run-filter .*apt.* -timeout 12h0m0s -workflow - deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" - -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-to-test=teleport-ent" - -input 
"release-channel=stable" -input "repo-type=apt" -input "version-channel=rolling" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY - depends_on: - - Wait - Publish Teleport to stable/rolling apt repo -- name: Wait - Publish Teleport to stable/rolling yum repo - image: alpine:latest - commands: - - sleep 50 - depends_on: - - Determine if release should go to development or production -- name: Publish Teleport to stable/rolling yum repo - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -series-run -series-run-filter .*yum.* -timeout 12h0m0s -workflow - deploy-packages.yaml -workflow-ref=refs/heads/master -input "artifact-tag=${DRONE_TAG}" - -input "environment=$(cat "/go/vars/release-environment.txt")" -input "package-to-test=teleport-ent" - -input "release-channel=stable" -input "repo-type=yum" -input "version-channel=rolling" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY - depends_on: - - Wait - Publish Teleport to stable/rolling yum repo -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -kind: pipeline -type: kubernetes -name: promote-build - -trigger: - event: - - promote - target: - - production - repo: - include: - - gravitational/* - -workspace: - path: /go - -clone: - disable: true - -steps: - - name: Check if commit is tagged - image: alpine - commands: - - "[ -n ${DRONE_TAG} ] || (echo 'DRONE_TAG is not set. Is the commit tagged?' 
&& exit 1)" - - - name: Assume Download AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Download artifacts from S3 - image: amazon/aws-cli - commands: - - mkdir -p /go/artifacts - - aws s3 sync s3://$AWS_S3_BUCKET/teleport/tag/${DRONE_TAG##v}/ /go/artifacts/ - environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - AWS_REGION: us-west-2 - volumes: - - name: awsconfig - path: /root/.aws - - - name: Assume Upload AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: PRODUCTION_AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - # Uploads to Houston - - name: Upload artifacts to 
production S3 - image: amazon/aws-cli - environment: - AWS_REGION: us-east-1 - AWS_S3_BUCKET: - from_secret: PRODUCTION_AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - commands: - - cd /go/artifacts/ - - aws s3 sync --acl public-read . s3://$AWS_S3_BUCKET/teleport/${DRONE_TAG##v} - - - name: Check out code - image: docker:git - commands: - - | - mkdir -p /go/src/github.com/gravitational/teleport - cd /go/src/github.com/gravitational/teleport - git init && git remote add origin ${DRONE_REMOTE_URL} - git fetch origin +refs/tags/${DRONE_TAG}: - git checkout -qf FETCH_HEAD - - - name: Assume AMI Download AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Download AMI timestamps - image: amazon/aws-cli - environment: - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - commands: - - mkdir -p /go/src/github.com/gravitational/teleport/assets/aws/files/build - - aws s3 sync s3://$AWS_S3_BUCKET/teleport/ami/${DRONE_TAG##v}/ /go/src/github.com/gravitational/teleport/assets/aws/files/build - - - name: Assume AMI Publish AWS Role - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - 
$(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: PRODUCTION_AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: Make AMIs public - image: docker - volumes: - - name: awsconfig - path: /root/.aws - commands: - - apk add --no-cache aws-cli bash jq make - - cd /go/src/github.com/gravitational/teleport/assets/aws - - | - make change-amis-to-public-oss - make change-amis-to-public-ent - make change-amis-to-public-ent-fips - - - name: "Helm: Assume Download AWS Role" - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: PRODUCTION_CHARTS_AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - # Download all previously packaged charts. This is needed to rebuild the - # index and re-publish the repository. 
- - name: "Helm: Download chart repository" - image: amazon/aws-cli - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - commands: - - mkdir -p /go/chart - - aws s3 sync s3://$AWS_S3_BUCKET/ /go/chart - - - name: "Helm: Package chart repository" - image: alpine/helm:latest - commands: - - cd /go/chart - - helm package /go/src/github.com/gravitational/teleport/examples/chart/teleport-cluster - - helm package /go/src/github.com/gravitational/teleport/examples/chart/teleport-kube-agent - # copy index.html to root of the S3 bucket. - - cp /go/src/github.com/gravitational/teleport/examples/chart/index.html /go/chart - # this will index all previous versions of the charts downloaded from the S3 bucket, - # plus the just-packaged charts listed above - - helm repo index /go/chart - - ls /go/chart - - - name: "Helm: Assume Upload AWS Role" - image: amazon/aws-cli - commands: - - aws sts get-caller-identity - - |- - printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - > /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile default - environment: - AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_CHARTS_AWS_ACCESS_KEY_ID - AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_CHARTS_AWS_SECRET_ACCESS_KEY - AWS_ROLE: - from_secret: PRODUCTION_CHARTS_AWS_ROLE - volumes: - - name: awsconfig - path: /root/.aws - - - name: "Helm: Publish chart repository to S3" - image: amazon/aws-cli - environment: - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: PRODUCTION_CHARTS_AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - commands: - - cd 
/go/chart/ - - aws s3 sync . s3://$AWS_S3_BUCKET/ - -services: - - name: Start Docker - image: docker:dind - privileged: true - volumes: - - name: dockersock - path: /var/run - - name: tmpfs - path: /tmpfs - -volumes: - - name: awsconfig - temp: {} - - name: dockersock - temp: {} - - name: tmpfs - temp: - medium: memory - # these persistent volumes cache RPMs/DEBs near Drone so that we don't need to download the - # entire repo contents from S3 every time to build the repo, we just sync any differences - - name: rpmrepo - claim: - name: drone-s3-rpmrepo-pvc - - name: debrepo - claim: - name: drone-s3-debrepo-pvc ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: promote-teleport-oci-distroless-images -trigger: - event: - include: - - promote - target: - include: - - production - - promote-distroless - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -pv "/go/src/github.com/gravitational/teleport" - - cd "/go/src/github.com/gravitational/teleport" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "${DRONE_COMMIT_SHA}" - - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && - chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - mkdir -pv /go/cache - - rm -f /root/.ssh/id_rsa - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Delegate build to GitHub - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd 
"/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -timeout 2h30m0s -workflow promote-teleport-oci-distroless.yml -workflow-ref=${DRONE_TAG} - -input "release-source-tag=${DRONE_TAG}" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: promote-teleport-hardened-amis -trigger: - event: - include: - - promote - target: - include: - - production - - promote-hardened-amis - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -pv "/go/src/github.com/gravitational/teleport" - - cd "/go/src/github.com/gravitational/teleport" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "${DRONE_COMMIT_SHA}" - - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && - chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - mkdir -pv /go/cache - - rm -f /root/.ssh/id_rsa - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Delegate build to GitHub - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -timeout 2h30m0s -workflow promote-teleport-hardened-amis.yaml -workflow-ref=${DRONE_TAG} - -input 
oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input - "release-source-tag=${DRONE_TAG}" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- -################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: promote-teleport-kube-agent-updater-oci-images -trigger: - event: - include: - - promote - target: - include: - - production - - promote-updater - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -steps: -- name: Check out code - image: docker:git - pull: if-not-exists - commands: - - mkdir -pv "/go/src/github.com/gravitational/teleport" - - cd "/go/src/github.com/gravitational/teleport" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "${DRONE_COMMIT_SHA}" - - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && - chmod 600 /root/.ssh/id_rsa - - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts - - git submodule update --init e - - mkdir -pv /go/cache - - rm -f /root/.ssh/id_rsa - environment: - GITHUB_PRIVATE_KEY: - from_secret: GITHUB_PRIVATE_KEY -- name: Delegate build to GitHub - image: golang:1.18-alpine - pull: if-not-exists - commands: - - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" - - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e - -tag-workflow -timeout 2h30m0s -workflow promote-teleport-kube-agent-updater-oci.yml - -workflow-ref=${DRONE_TAG} -input "release-source-tag=${DRONE_TAG}" ' - environment: - GHA_APP_KEY: - from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY -image_pull_secrets: -- DOCKERHUB_CREDENTIALS - ---- 
-################################################ -# Generated using dronegen, do not edit by hand! -# Use 'make dronegen' to update. -# Generated at dronegen/container_images_release_version.go (main.(*ReleaseVersion).buildVersionPipeline) -################################################ - -kind: pipeline -type: kubernetes -name: teleport-container-images-branch-tag -environment: - DEBIAN_FRONTEND: noninteractive -trigger: - event: - include: - - tag - ref: - include: - - refs/tags/v* - repo: - include: - - gravitational/* -workspace: - path: /go -clone: - disable: true -depends_on: -- clean-up-previous-build -steps: -- name: Wait for docker - image: docker - pull: if-not-exists - commands: - - timeout 30s /bin/sh -c 'while [ ! -S /var/run/docker.sock ]; do sleep 1; done' - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - environment: - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: dockersock - path: /var/run - - name: dockerconfig - path: /root/.docker -- name: Wait for docker registry - image: alpine - pull: if-not-exists - commands: - - apk add curl - - timeout 30s /bin/sh -c 'while [ "$(curl -s -o /dev/null -w %{http_code} http://drone-docker-registry:5000/)" - != "200" ]; do sleep 1; done' -- name: Check out code - image: alpine/git:latest - pull: if-not-exists - commands: - - mkdir -pv "/go/src/github.com/gravitational/teleport" - - cd "/go/src/github.com/gravitational/teleport" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "$DRONE_TAG" -- name: Build full semver - image: alpine - commands: - - mkdir -pv $(dirname "/go/var/full-version") - - echo $DRONE_TAG | sed 's/v//' > "/go/var/full-version" - - echo $(cat "/go/var/full-version") -- name: Assume ECR - staging AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- 
- printf "[ecr-staging]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - >> /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile ecr-staging - environment: - AWS_ACCESS_KEY_ID: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_KEY - AWS_ROLE: - from_secret: STAGING_TELEPORT_DRONE_ECR_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: STAGING_TELEPORT_DRONE_USER_ECR_SECRET - volumes: - - name: awsconfig - path: /root/.aws -- name: Assume ECR - authenticated-pull AWS Role - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[ecr-authenticated-pull]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - >> /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile ecr-authenticated-pull - environment: - AWS_ACCESS_KEY_ID: - from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_KEY - AWS_ROLE: - from_secret: PRODUCTION_TELEPORT_DRONE_ECR_AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: PRODUCTION_TELEPORT_DRONE_USER_ECR_SECRET - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Assume ECR - staging AWS Role -- name: Assume S3 Download AWS Role for teleport - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[s3-download-teleport]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts 
assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - >> /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile s3-download-teleport - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Download Teleport Dockerfile to "/go/build/Dockerfile-teleport" for teleport - image: alpine/git:latest - commands: - - mkdir -pv "/tmp/repo" - - cd "/tmp/repo" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "$DRONE_TAG" - - mkdir -pv $(dirname "/go/build/Dockerfile-teleport") - - cp "/tmp/repo/build.assets/charts/Dockerfile" "/go/build/Dockerfile-teleport" - depends_on: - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Download "teleport_v15-tag_amd64.deb" artifacts from S3 - image: amazon/aws-cli - commands: - - END_TIME=$(( $(date +%s) + 3600 )) - - TIMED_OUT=true - - while [ $(date +%s) -lt $${END_TIME?} ]; do - - SUCCESS=true - - aws s3 ls s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/ | tr - -s ' ' | cut -d' ' -f 4 | grep -x teleport_$(cat "/go/var/full-version")_amd64.deb - || SUCCESS=false - - '[ "$SUCCESS" = "true" ] && TIMED_OUT=false && break;' - - echo 'Condition not met yet, waiting another 60 seconds...' 
- - sleep 60 - - done - - '[ $${TIMED_OUT?} = true ] && echo ''Timed out while waiting for condition: [ - "$SUCCESS" = "true" ]'' && exit 1' - - mkdir -pv "/go/build" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/teleport_$(cat - "/go/var/full-version")_amd64.deb /go/build/teleport_$(cat "/go/var/full-version")_amd64.deb - environment: - AWS_PROFILE: s3-download-teleport - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Assume S3 Download AWS Role for teleport - - Download Teleport Dockerfile to "/go/build/Dockerfile-teleport" for teleport -- name: Build teleport image "teleport:v15-amd64" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/build" && cd "/go/build" - - mkdir -pv "/tmp/teleport-v15-amd64-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-v15-amd64-builder/buildkitd.toml" - - echo ' http = true' >> "/tmp/teleport-v15-amd64-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-v15-amd64-builder" --config "/tmp/teleport-v15-amd64-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-v15-amd64-builder" --target "teleport" - --platform "linux/amd64" --tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-amd64 - --file "/go/build/Dockerfile-teleport" --build-arg DEB_PATH=teleport_$(cat "/go/var/full-version")_amd64.deb - /go/build - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-v15-amd64-builder" - - rm -rf "/tmp/teleport-v15-amd64-builder" - environment: - AWS_PROFILE: ecr-authenticated-pull - 
DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Download "teleport_v15-tag_amd64.deb" artifacts from S3 -- name: Download "teleport_v15-tag_arm.deb" artifacts from S3 - image: amazon/aws-cli - commands: - - END_TIME=$(( $(date +%s) + 3600 )) - - TIMED_OUT=true - - while [ $(date +%s) -lt $${END_TIME?} ]; do - - SUCCESS=true - - aws s3 ls s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/ | tr - -s ' ' | cut -d' ' -f 4 | grep -x teleport_$(cat "/go/var/full-version")_arm.deb - || SUCCESS=false - - '[ "$SUCCESS" = "true" ] && TIMED_OUT=false && break;' - - echo 'Condition not met yet, waiting another 60 seconds...' - - sleep 60 - - done - - '[ $${TIMED_OUT?} = true ] && echo ''Timed out while waiting for condition: [ - "$SUCCESS" = "true" ]'' && exit 1' - - mkdir -pv "/go/build" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/teleport_$(cat - "/go/var/full-version")_arm.deb /go/build/teleport_$(cat "/go/var/full-version")_arm.deb - environment: - AWS_PROFILE: s3-download-teleport - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Assume S3 Download AWS Role for teleport - - Download Teleport Dockerfile to "/go/build/Dockerfile-teleport" for teleport -- name: Build teleport image "teleport:v15-arm" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/build" && cd "/go/build" - - mkdir -pv "/tmp/teleport-v15-arm-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-v15-arm-builder/buildkitd.toml" - - echo ' http = true' >> "/tmp/teleport-v15-arm-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" 
--driver-opt "network=host" --name - "teleport-v15-arm-builder" --config "/tmp/teleport-v15-arm-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-v15-arm-builder" --target "teleport" - --platform "linux/arm" --tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-arm - --file "/go/build/Dockerfile-teleport" --build-arg DEB_PATH=teleport_$(cat "/go/var/full-version")_arm.deb - /go/build - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-v15-arm-builder" - - rm -rf "/tmp/teleport-v15-arm-builder" - environment: - AWS_PROFILE: ecr-authenticated-pull - DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Download "teleport_v15-tag_arm.deb" artifacts from S3 -- name: Download "teleport_v15-tag_arm64.deb" artifacts from S3 - image: amazon/aws-cli - commands: - - END_TIME=$(( $(date +%s) + 3600 )) - - TIMED_OUT=true - - while [ $(date +%s) -lt $${END_TIME?} ]; do - - SUCCESS=true - - aws s3 ls s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/ | tr - -s ' ' | cut -d' ' -f 4 | grep -x teleport_$(cat "/go/var/full-version")_arm64.deb - || SUCCESS=false - - '[ "$SUCCESS" = "true" ] && TIMED_OUT=false && break;' - - echo 'Condition not met yet, waiting another 60 seconds...' 
- - sleep 60 - - done - - '[ $${TIMED_OUT?} = true ] && echo ''Timed out while waiting for condition: [ - "$SUCCESS" = "true" ]'' && exit 1' - - mkdir -pv "/go/build" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/teleport_$(cat - "/go/var/full-version")_arm64.deb /go/build/teleport_$(cat "/go/var/full-version")_arm64.deb - environment: - AWS_PROFILE: s3-download-teleport - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Assume S3 Download AWS Role for teleport - - Download Teleport Dockerfile to "/go/build/Dockerfile-teleport" for teleport -- name: Build teleport image "teleport:v15-arm64" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/build" && cd "/go/build" - - mkdir -pv "/tmp/teleport-v15-arm64-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-v15-arm64-builder/buildkitd.toml" - - echo ' http = true' >> "/tmp/teleport-v15-arm64-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-v15-arm64-builder" --config "/tmp/teleport-v15-arm64-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-v15-arm64-builder" --target "teleport" - --platform "linux/arm64" --tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-arm64 - --file "/go/build/Dockerfile-teleport" --build-arg DEB_PATH=teleport_$(cat "/go/var/full-version")_arm64.deb - /go/build - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-v15-arm64-builder" - - rm -rf "/tmp/teleport-v15-arm64-builder" - environment: - AWS_PROFILE: ecr-authenticated-pull - 
DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Download "teleport_v15-tag_arm64.deb" artifacts from S3 -- name: Tag and push image "teleport:v15-amd64" to ECR - staging - image: docker - commands: - - docker pull --platform "linux/amd64" drone-docker-registry:5000/teleport:$(cat - "/go/var/full-version")-amd64 - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")-amd64 > /dev/null 2>&1 && echo 'Found existing image, - skipping' || (docker tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-amd64 - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat "/go/var/full-version")-amd64 - && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")-amd64) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport image "teleport:v15-amd64" -- name: Tag and push image "teleport:v15-arm" to ECR - staging - image: docker - commands: - - docker pull --platform "linux/arm" drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-arm - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login 
-u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")-arm > /dev/null 2>&1 && echo 'Found existing image, skipping' - || (docker tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-arm - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat "/go/var/full-version")-arm - && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")-arm) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport image "teleport:v15-arm" -- name: Tag and push image "teleport:v15-arm64" to ECR - staging - image: docker - commands: - - docker pull --platform "linux/arm64" drone-docker-registry:5000/teleport:$(cat - "/go/var/full-version")-arm64 - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")-arm64 > /dev/null 2>&1 && echo 'Found existing image, - skipping' || (docker tag drone-docker-registry:5000/teleport:$(cat "/go/var/full-version")-arm64 - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat "/go/var/full-version")-arm64 - && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - 
"/go/var/full-version")-arm64) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport image "teleport:v15-arm64" -- name: Create manifest and push "teleport:full" to ECR - staging - image: docker - commands: - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version") > /dev/null 2>&1 && echo 'Found existing image, skipping' - || (docker manifest create 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version") --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")-amd64 --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")-arm --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")-arm64 && docker manifest push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport:$(cat - "/go/var/full-version")) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Tag and push image "teleport:v15-amd64" to ECR - staging - - Tag and push image "teleport:v15-arm" to ECR - staging - - Tag and 
push image "teleport:v15-arm64" to ECR - staging -- name: Assume S3 Download AWS Role for teleport-ent - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[s3-download-teleport-ent]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - >> /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile s3-download-teleport-ent - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Download Teleport Dockerfile to "/go/build/Dockerfile-teleport-ent" for teleport-ent - image: alpine/git:latest - commands: - - mkdir -pv "/tmp/repo" - - cd "/tmp/repo" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "$DRONE_TAG" - - mkdir -pv $(dirname "/go/build/Dockerfile-teleport-ent") - - cp "/tmp/repo/build.assets/charts/Dockerfile" "/go/build/Dockerfile-teleport-ent" - depends_on: - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Download "teleport-ent_v15-tag_amd64.deb" artifacts from S3 - image: amazon/aws-cli - commands: - - END_TIME=$(( $(date +%s) + 3600 )) - - TIMED_OUT=true - - while [ $(date +%s) -lt $${END_TIME?} ]; do - - SUCCESS=true - - aws s3 ls 
s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/ | tr - -s ' ' | cut -d' ' -f 4 | grep -x teleport-ent_$(cat "/go/var/full-version")_amd64.deb - || SUCCESS=false - - '[ "$SUCCESS" = "true" ] && TIMED_OUT=false && break;' - - echo 'Condition not met yet, waiting another 60 seconds...' - - sleep 60 - - done - - '[ $${TIMED_OUT?} = true ] && echo ''Timed out while waiting for condition: [ - "$SUCCESS" = "true" ]'' && exit 1' - - mkdir -pv "/go/build" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/teleport-ent_$(cat - "/go/var/full-version")_amd64.deb /go/build/teleport-ent_$(cat "/go/var/full-version")_amd64.deb - environment: - AWS_PROFILE: s3-download-teleport-ent - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Assume S3 Download AWS Role for teleport-ent - - Download Teleport Dockerfile to "/go/build/Dockerfile-teleport-ent" for teleport-ent -- name: Build teleport-ent image "teleport-ent:v15-amd64" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/build" && cd "/go/build" - - mkdir -pv "/tmp/teleport-ent-v15-amd64-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-ent-v15-amd64-builder/buildkitd.toml" - - echo ' http = true' >> "/tmp/teleport-ent-v15-amd64-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-ent-v15-amd64-builder" --config "/tmp/teleport-ent-v15-amd64-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-ent-v15-amd64-builder" --target - "teleport" --platform "linux/amd64" --tag 
drone-docker-registry:5000/teleport-ent:$(cat - "/go/var/full-version")-amd64 --file "/go/build/Dockerfile-teleport-ent" --build-arg - DEB_PATH=teleport-ent_$(cat "/go/var/full-version")_amd64.deb /go/build - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-ent-v15-amd64-builder" - - rm -rf "/tmp/teleport-ent-v15-amd64-builder" - environment: - AWS_PROFILE: ecr-authenticated-pull - DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Download "teleport-ent_v15-tag_amd64.deb" artifacts from S3 -- name: Download "teleport-ent_v15-tag_arm.deb" artifacts from S3 - image: amazon/aws-cli - commands: - - END_TIME=$(( $(date +%s) + 3600 )) - - TIMED_OUT=true - - while [ $(date +%s) -lt $${END_TIME?} ]; do - - SUCCESS=true - - aws s3 ls s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/ | tr - -s ' ' | cut -d' ' -f 4 | grep -x teleport-ent_$(cat "/go/var/full-version")_arm.deb - || SUCCESS=false - - '[ "$SUCCESS" = "true" ] && TIMED_OUT=false && break;' - - echo 'Condition not met yet, waiting another 60 seconds...' 
- - sleep 60 - - done - - '[ $${TIMED_OUT?} = true ] && echo ''Timed out while waiting for condition: [ - "$SUCCESS" = "true" ]'' && exit 1' - - mkdir -pv "/go/build" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/teleport-ent_$(cat - "/go/var/full-version")_arm.deb /go/build/teleport-ent_$(cat "/go/var/full-version")_arm.deb - environment: - AWS_PROFILE: s3-download-teleport-ent - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Assume S3 Download AWS Role for teleport-ent - - Download Teleport Dockerfile to "/go/build/Dockerfile-teleport-ent" for teleport-ent -- name: Build teleport-ent image "teleport-ent:v15-arm" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/build" && cd "/go/build" - - mkdir -pv "/tmp/teleport-ent-v15-arm-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-ent-v15-arm-builder/buildkitd.toml" - - echo ' http = true' >> "/tmp/teleport-ent-v15-arm-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-ent-v15-arm-builder" --config "/tmp/teleport-ent-v15-arm-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-ent-v15-arm-builder" --target "teleport" - --platform "linux/arm" --tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-arm - --file "/go/build/Dockerfile-teleport-ent" --build-arg DEB_PATH=teleport-ent_$(cat - "/go/var/full-version")_arm.deb /go/build - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-ent-v15-arm-builder" - - rm -rf "/tmp/teleport-ent-v15-arm-builder" - 
environment: - AWS_PROFILE: ecr-authenticated-pull - DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Download "teleport-ent_v15-tag_arm.deb" artifacts from S3 -- name: Download "teleport-ent_v15-tag_arm64.deb" artifacts from S3 - image: amazon/aws-cli - commands: - - END_TIME=$(( $(date +%s) + 3600 )) - - TIMED_OUT=true - - while [ $(date +%s) -lt $${END_TIME?} ]; do - - SUCCESS=true - - aws s3 ls s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/ | tr - -s ' ' | cut -d' ' -f 4 | grep -x teleport-ent_$(cat "/go/var/full-version")_arm64.deb - || SUCCESS=false - - '[ "$SUCCESS" = "true" ] && TIMED_OUT=false && break;' - - echo 'Condition not met yet, waiting another 60 seconds...' - - sleep 60 - - done - - '[ $${TIMED_OUT?} = true ] && echo ''Timed out while waiting for condition: [ - "$SUCCESS" = "true" ]'' && exit 1' - - mkdir -pv "/go/build" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/teleport-ent_$(cat - "/go/var/full-version")_arm64.deb /go/build/teleport-ent_$(cat "/go/var/full-version")_arm64.deb - environment: - AWS_PROFILE: s3-download-teleport-ent - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Assume S3 Download AWS Role for teleport-ent - - Download Teleport Dockerfile to "/go/build/Dockerfile-teleport-ent" for teleport-ent -- name: Build teleport-ent image "teleport-ent:v15-arm64" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/build" && cd "/go/build" - - mkdir -pv "/tmp/teleport-ent-v15-arm64-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-ent-v15-arm64-builder/buildkitd.toml" - - echo ' 
http = true' >> "/tmp/teleport-ent-v15-arm64-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-ent-v15-arm64-builder" --config "/tmp/teleport-ent-v15-arm64-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-ent-v15-arm64-builder" --target - "teleport" --platform "linux/arm64" --tag drone-docker-registry:5000/teleport-ent:$(cat - "/go/var/full-version")-arm64 --file "/go/build/Dockerfile-teleport-ent" --build-arg - DEB_PATH=teleport-ent_$(cat "/go/var/full-version")_arm64.deb /go/build - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-ent-v15-arm64-builder" - - rm -rf "/tmp/teleport-ent-v15-arm64-builder" - environment: - AWS_PROFILE: ecr-authenticated-pull - DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Download "teleport-ent_v15-tag_arm64.deb" artifacts from S3 -- name: Tag and push image "teleport-ent:v15-amd64" to ECR - staging - image: docker - commands: - - docker pull --platform "linux/amd64" drone-docker-registry:5000/teleport-ent:$(cat - "/go/var/full-version")-amd64 - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-amd64 > /dev/null 2>&1 && 
echo 'Found existing image, - skipping' || (docker tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-amd64 - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-amd64 && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-amd64) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport-ent image "teleport-ent:v15-amd64" -- name: Tag and push image "teleport-ent:v15-arm" to ECR - staging - image: docker - commands: - - docker pull --platform "linux/arm" drone-docker-registry:5000/teleport-ent:$(cat - "/go/var/full-version")-arm - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-arm > /dev/null 2>&1 && echo 'Found existing image, skipping' - || (docker tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-arm - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-arm && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-arm) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - 
path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport-ent image "teleport-ent:v15-arm" -- name: Tag and push image "teleport-ent:v15-arm64" to ECR - staging - image: docker - commands: - - docker pull --platform "linux/arm64" drone-docker-registry:5000/teleport-ent:$(cat - "/go/var/full-version")-arm64 - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-arm64 > /dev/null 2>&1 && echo 'Found existing image, - skipping' || (docker tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-arm64 - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-arm64 && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-arm64) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport-ent image "teleport-ent:v15-arm64" -- name: Create manifest and push "teleport-ent:full" to ECR - staging - image: docker - commands: - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version") > 
/dev/null 2>&1 && echo 'Found existing image, skipping' - || (docker manifest create 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version") --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-amd64 --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-arm --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-arm64 && docker manifest push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Tag and push image "teleport-ent:v15-amd64" to ECR - staging - - Tag and push image "teleport-ent:v15-arm" to ECR - staging - - Tag and push image "teleport-ent:v15-arm64" to ECR - staging -- name: Assume S3 Download AWS Role for teleport-ent-fips - image: amazon/aws-cli - pull: if-not-exists - commands: - - aws sts get-caller-identity - - |- - printf "[s3-download-teleport-ent-fips]\naws_access_key_id = %s\naws_secret_access_key = %s\naws_session_token = %s\n" \ - $(aws sts assume-role \ - --role-arn "$AWS_ROLE" \ - --role-session-name $(echo "drone-${DRONE_REPO}-${DRONE_BUILD_NUMBER}" | sed "s|/|-|g") \ - --query "Credentials.[AccessKeyId,SecretAccessKey,SessionToken]" \ - --output text) \ - >> /root/.aws/credentials - - unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY - - aws sts get-caller-identity --profile s3-download-teleport-ent-fips - environment: - AWS_ACCESS_KEY_ID: - from_secret: AWS_ACCESS_KEY_ID - AWS_ROLE: - from_secret: AWS_ROLE - AWS_SECRET_ACCESS_KEY: - from_secret: 
AWS_SECRET_ACCESS_KEY - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Download Teleport Dockerfile to "/go/build/Dockerfile-teleport-ent-fips" for - teleport-ent-fips - image: alpine/git:latest - commands: - - mkdir -pv "/tmp/repo" - - cd "/tmp/repo" - - git init - - git remote add origin ${DRONE_REMOTE_URL} - - git fetch origin --tags - - git checkout -qf "$DRONE_TAG" - - mkdir -pv $(dirname "/go/build/Dockerfile-teleport-ent-fips") - - cp "/tmp/repo/build.assets/charts/Dockerfile" "/go/build/Dockerfile-teleport-ent-fips" - depends_on: - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Download "teleport-ent_v15-tag-fips_amd64.deb" artifacts from S3 - image: amazon/aws-cli - commands: - - END_TIME=$(( $(date +%s) + 3600 )) - - TIMED_OUT=true - - while [ $(date +%s) -lt $${END_TIME?} ]; do - - SUCCESS=true - - aws s3 ls s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/ | tr - -s ' ' | cut -d' ' -f 4 | grep -x teleport-ent_$(cat "/go/var/full-version")-fips_amd64.deb - || SUCCESS=false - - '[ "$SUCCESS" = "true" ] && TIMED_OUT=false && break;' - - echo 'Condition not met yet, waiting another 60 seconds...' 
- - sleep 60 - - done - - '[ $${TIMED_OUT?} = true ] && echo ''Timed out while waiting for condition: [ - "$SUCCESS" = "true" ]'' && exit 1' - - mkdir -pv "/go/build" - - aws s3 cp s3://$AWS_S3_BUCKET/teleport/tag/$(cat "/go/var/full-version")/teleport-ent_$(cat - "/go/var/full-version")-fips_amd64.deb /go/build/teleport-ent_$(cat "/go/var/full-version")-fips_amd64.deb - environment: - AWS_PROFILE: s3-download-teleport-ent-fips - AWS_REGION: us-west-2 - AWS_S3_BUCKET: - from_secret: AWS_S3_BUCKET - volumes: - - name: awsconfig - path: /root/.aws - depends_on: - - Assume S3 Download AWS Role for teleport-ent-fips - - Download Teleport Dockerfile to "/go/build/Dockerfile-teleport-ent-fips" for teleport-ent-fips -- name: Build teleport-ent-fips image "teleport-ent:v15-fips-amd64" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/build" && cd "/go/build" - - mkdir -pv "/tmp/teleport-ent-v15-fips-amd64-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-ent-v15-fips-amd64-builder/buildkitd.toml" - - echo ' http = true' >> "/tmp/teleport-ent-v15-fips-amd64-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-ent-v15-fips-amd64-builder" --config "/tmp/teleport-ent-v15-fips-amd64-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-ent-v15-fips-amd64-builder" --target - "teleport-fips" --platform "linux/amd64" --tag drone-docker-registry:5000/teleport-ent:$(cat - "/go/var/full-version")-fips-amd64 --file "/go/build/Dockerfile-teleport-ent-fips" - --build-arg DEB_PATH=teleport-ent_$(cat "/go/var/full-version")-fips_amd64.deb - /go/build - - docker logout 
"public.ecr.aws" - - docker buildx rm "teleport-ent-v15-fips-amd64-builder" - - rm -rf "/tmp/teleport-ent-v15-fips-amd64-builder" - environment: - AWS_PROFILE: ecr-authenticated-pull - DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Download "teleport-ent_v15-tag-fips_amd64.deb" artifacts from S3 -- name: Tag and push image "teleport-ent:v15-fips-amd64" to ECR - staging - image: docker - commands: - - docker pull --platform "linux/amd64" drone-docker-registry:5000/teleport-ent:$(cat - "/go/var/full-version")-fips-amd64 - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-fips-amd64 > /dev/null 2>&1 && echo 'Found existing image, - skipping' || (docker tag drone-docker-registry:5000/teleport-ent:$(cat "/go/var/full-version")-fips-amd64 - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-fips-amd64 && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-fips-amd64) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport-ent-fips image "teleport-ent:v15-fips-amd64" -- name: Create manifest and push 
"teleport-ent:full-fips" to ECR - staging - image: docker - commands: - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-fips > /dev/null 2>&1 && echo 'Found existing image, skipping' - || (docker manifest create 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-fips --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-fips-amd64 && docker manifest push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-ent:$(cat - "/go/var/full-version")-fips) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" - environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Tag and push image "teleport-ent:v15-fips-amd64" to ECR - staging -- name: Build teleport-operator image "teleport-operator:v15-amd64" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/src/github.com/gravitational/teleport" && cd "/go/src/github.com/gravitational/teleport" - - mkdir -pv "/tmp/teleport-operator-v15-amd64-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-operator-v15-amd64-builder/buildkitd.toml" - - echo ' http = true' >> "/tmp/teleport-operator-v15-amd64-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-operator-v15-amd64-builder" --config 
"/tmp/teleport-operator-v15-amd64-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-operator-v15-amd64-builder" --platform - "linux/amd64" --tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-amd64 - --file "/go/src/github.com/gravitational/teleport/integrations/operator/Dockerfile" - --build-arg BUILDBOX=public.ecr.aws/gravitational/teleport-buildbox:teleport15 - --build-arg COMPILER_NAME=x86_64-linux-gnu-gcc --build-arg GOLANG_VERSION=go1.21.4 - --build-arg PROTOC_VERSION=3.20.3 --build-arg TARGETARCH=amd64 --build-arg BUILD_ARCH=amd64 - /go/src/github.com/gravitational/teleport - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-operator-v15-amd64-builder" - - rm -rf "/tmp/teleport-operator-v15-amd64-builder" - environment: - AWS_PROFILE: ecr-authenticated-pull - DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Build teleport-operator image "teleport-operator:v15-arm" - image: docker - commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv "/go/src/github.com/gravitational/teleport" && cd "/go/src/github.com/gravitational/teleport" - - mkdir -pv "/tmp/teleport-operator-v15-arm-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-operator-v15-arm-builder/buildkitd.toml" - - echo ' http = true' >> 
"/tmp/teleport-operator-v15-arm-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-operator-v15-arm-builder" --config "/tmp/teleport-operator-v15-arm-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-operator-v15-arm-builder" --platform - "linux/arm" --tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-arm - --file "/go/src/github.com/gravitational/teleport/integrations/operator/Dockerfile" - --build-arg BUILDBOX=public.ecr.aws/gravitational/teleport-buildbox-arm:teleport15 - --build-arg COMPILER_NAME=arm-linux-gnueabihf-gcc --build-arg GOLANG_VERSION=go1.21.4 - --build-arg PROTOC_VERSION=3.20.3 --build-arg TARGETARCH=arm --build-arg BUILD_ARCH=amd64 - /go/src/github.com/gravitational/teleport - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-operator-v15-arm-builder" - - rm -rf "/tmp/teleport-operator-v15-arm-builder" - environment: - AWS_PROFILE: ecr-authenticated-pull - DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Build teleport-operator image "teleport-operator:v15-arm64" - image: docker +- name: Delegate build to GitHub + image: golang:1.18-alpine + pull: if-not-exists commands: - - docker run --privileged --rm tonistiigi/binfmt --install all - - mkdir -pv 
"/go/src/github.com/gravitational/teleport" && cd "/go/src/github.com/gravitational/teleport" - - mkdir -pv "/tmp/teleport-operator-v15-arm64-builder" - - echo '[registry."drone-docker-registry:5000"]' > "/tmp/teleport-operator-v15-arm64-builder/buildkitd.toml" - - echo ' http = true' >> "/tmp/teleport-operator-v15-arm64-builder/buildkitd.toml" - - docker buildx create --driver "docker-container" --driver-opt "network=host" --name - "teleport-operator-v15-arm64-builder" --config "/tmp/teleport-operator-v15-arm64-builder/buildkitd.toml" - - apk add --no-cache aws-cli - - aws ecr-public get-login-password --region=us-east-1 | docker login -u="AWS" --password-stdin - public.ecr.aws - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker buildx build --push --builder "teleport-operator-v15-arm64-builder" --platform - "linux/arm64" --tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-arm64 - --file "/go/src/github.com/gravitational/teleport/integrations/operator/Dockerfile" - --build-arg BUILDBOX=public.ecr.aws/gravitational/teleport-buildbox-arm:teleport15 - --build-arg COMPILER_NAME=aarch64-linux-gnu-gcc --build-arg GOLANG_VERSION=go1.21.4 - --build-arg PROTOC_VERSION=3.20.3 --build-arg TARGETARCH=arm64 --build-arg BUILD_ARCH=amd64 - /go/src/github.com/gravitational/teleport - - docker logout "public.ecr.aws" - - docker buildx rm "teleport-operator-v15-arm64-builder" - - rm -rf "/tmp/teleport-operator-v15-arm64-builder" + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow promote-teleport-oci-distroless.yml -workflow-ref=${DRONE_TAG} + -input "release-source-tag=${DRONE_TAG}" ' environment: - AWS_PROFILE: ecr-authenticated-pull - DOCKER_BUILDKIT: "1" - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: 
DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Assume ECR - authenticated-pull AWS Role - - Wait for docker - - Wait for docker registry - - Check out code - - Build full semver - - Assume ECR - staging AWS Role - - Assume ECR - authenticated-pull AWS Role -- name: Tag and push image "teleport-operator:v15-amd64" to ECR - staging - image: docker + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +image_pull_secrets: +- DOCKERHUB_CREDENTIALS + +--- +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. +# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) +################################################ + +kind: pipeline +type: kubernetes +name: promote-teleport-hardened-amis +trigger: + event: + include: + - promote + target: + include: + - production + - promote-hardened-amis + repo: + include: + - gravitational/* +workspace: + path: /go +clone: + disable: true +steps: +- name: Check out code + image: docker:git + pull: if-not-exists commands: - - docker pull --platform "linux/amd64" drone-docker-registry:5000/teleport-operator:$(cat - "/go/var/full-version")-amd64 - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-amd64 > /dev/null 2>&1 && echo 'Found existing image, - skipping' || (docker tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-amd64 - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-amd64 && docker push 
146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-amd64) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - mkdir -pv /go/cache + - rm -f /root/.ssh/id_rsa environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport-operator image "teleport-operator:v15-amd64" -- name: Tag and push image "teleport-operator:v15-arm" to ECR - staging - image: docker + GITHUB_PRIVATE_KEY: + from_secret: GITHUB_PRIVATE_KEY +- name: Delegate build to GitHub + image: golang:1.18-alpine + pull: if-not-exists commands: - - docker pull --platform "linux/arm" drone-docker-registry:5000/teleport-operator:$(cat - "/go/var/full-version")-arm - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-arm > /dev/null 2>&1 && echo 'Found existing image, skipping' - || (docker tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-arm - 
146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-arm && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-arm) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow promote-teleport-hardened-amis.yaml -workflow-ref=${DRONE_TAG} + -input oss-teleport-repo=${DRONE_REPO} -input oss-teleport-ref=${DRONE_TAG} -input + "release-source-tag=${DRONE_TAG}" ' environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport-operator image "teleport-operator:v15-arm" -- name: Tag and push image "teleport-operator:v15-arm64" to ECR - staging - image: docker + GHA_APP_KEY: + from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY +image_pull_secrets: +- DOCKERHUB_CREDENTIALS + +--- +################################################ +# Generated using dronegen, do not edit by hand! +# Use 'make dronegen' to update. 
+# Generated at dronegen/gha.go (main.ghaMultiBuildPipeline) +################################################ + +kind: pipeline +type: kubernetes +name: promote-teleport-kube-agent-updater-oci-images +trigger: + event: + include: + - promote + target: + include: + - production + - promote-updater + repo: + include: + - gravitational/* +workspace: + path: /go +clone: + disable: true +steps: +- name: Check out code + image: docker:git + pull: if-not-exists commands: - - docker pull --platform "linux/arm64" drone-docker-registry:5000/teleport-operator:$(cat - "/go/var/full-version")-arm64 - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-arm64 > /dev/null 2>&1 && echo 'Found existing image, - skipping' || (docker tag drone-docker-registry:5000/teleport-operator:$(cat "/go/var/full-version")-arm64 - 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-arm64 && docker push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-arm64) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" + - mkdir -pv "/go/src/github.com/gravitational/teleport" + - cd "/go/src/github.com/gravitational/teleport" + - git init + - git remote add origin ${DRONE_REMOTE_URL} + - git fetch origin --tags + - git checkout -qf "${DRONE_COMMIT_SHA}" + - mkdir -m 0700 /root/.ssh && echo "$GITHUB_PRIVATE_KEY" > /root/.ssh/id_rsa && + chmod 600 /root/.ssh/id_rsa + - ssh-keyscan -H github.com > /root/.ssh/known_hosts 2>/dev/null && chmod 600 /root/.ssh/known_hosts + - git submodule update --init e + - mkdir -pv /go/cache + - rm -f 
/root/.ssh/id_rsa environment: - AWS_PROFILE: ecr-staging - DOCKERHUB_PASSWORD: - from_secret: DOCKERHUB_READONLY_TOKEN - DOCKERHUB_USERNAME: - from_secret: DOCKERHUB_USERNAME - volumes: - - name: awsconfig - path: /root/.aws - - name: dockersock - path: /var/run - depends_on: - - Build teleport-operator image "teleport-operator:v15-arm64" -- name: Create manifest and push "teleport-operator:full" to ECR - staging - image: docker + GITHUB_PRIVATE_KEY: + from_secret: GITHUB_PRIVATE_KEY +- name: Delegate build to GitHub + image: golang:1.18-alpine + pull: if-not-exists commands: - - apk add --no-cache aws-cli - - aws ecr get-login-password --region=us-west-2 | docker login -u="AWS" --password-stdin - 146628656107.dkr.ecr.us-west-2.amazonaws.com - - printenv DOCKERHUB_PASSWORD | docker login -u="$DOCKERHUB_USERNAME" --password-stdin - - docker manifest inspect 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version") > /dev/null 2>&1 && echo 'Found existing image, skipping' - || (docker manifest create 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version") --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-amd64 --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-arm --amend 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")-arm64 && docker manifest push 146628656107.dkr.ecr.us-west-2.amazonaws.com/gravitational/teleport-operator:$(cat - "/go/var/full-version")) - - docker logout "146628656107.dkr.ecr.us-west-2.amazonaws.com" + - cd "/go/src/github.com/gravitational/teleport/build.assets/tooling" + - 'go run ./cmd/gh-trigger-workflow -owner ${DRONE_REPO_OWNER} -repo teleport.e + -tag-workflow -timeout 2h30m0s -workflow promote-teleport-kube-agent-updater-oci.yml + 
-workflow-ref=${DRONE_TAG} -input "release-source-tag=${DRONE_TAG}" '
 environment:
- AWS_PROFILE: ecr-staging
- DOCKERHUB_PASSWORD:
- from_secret: DOCKERHUB_READONLY_TOKEN
- DOCKERHUB_USERNAME:
- from_secret: DOCKERHUB_USERNAME
- volumes:
- - name: awsconfig
- path: /root/.aws
- - name: dockersock
- path: /var/run
- depends_on:
- - Tag and push image "teleport-operator:v15-amd64" to ECR - staging
- - Tag and push image "teleport-operator:v15-arm" to ECR - staging
- - Tag and push image "teleport-operator:v15-arm64" to ECR - staging
-services:
-- name: Start Docker
- image: docker:dind
- privileged: true
- volumes:
- - name: dockersock
- path: /var/run
-- name: drone-docker-registry
- image: registry:2
- privileged: false
- volumes: []
-volumes:
-- name: awsconfig
- temp: {}
-- name: dockersock
- temp: {}
-- name: dockerconfig
- temp: {}
+ GHA_APP_KEY:
+ from_secret: GITHUB_WORKFLOW_APP_PRIVATE_KEY
 image_pull_secrets:
 - DOCKERHUB_CREDENTIALS
@@ -7542,10 +2379,10 @@ clone:
 disable: true
 depends_on:
 - clean-up-previous-build
-- build-linux-amd64-deb
-- build-linux-amd64-fips-deb
-- build-linux-arm64-deb
-- build-linux-arm-deb
+- build-linux-amd64
+- build-linux-amd64-fips
+- build-linux-arm64
+- build-linux-arm
 steps:
 - name: Check out code
 image: docker:git
@@ -7606,8 +2443,8 @@ clone:
 disable: true
 depends_on:
 - clean-up-previous-build
-- build-linux-amd64-deb
-- build-linux-amd64-fips-deb
+- build-linux-amd64
+- build-linux-amd64-fips
 steps:
 - name: Check out code
 image: docker:git
@@ -16391,6 +11228,6 @@ image_pull_secrets:
 - DOCKERHUB_CREDENTIALS
 ---
 kind: signature
-hmac: 1b4e51f6e9336c6ed109964655c1b5f6f79bb4b9d5095cf6390563eaaafc3d55
+hmac: d72551602673fa4517625b0c256ace013883e01a27d5c37bab811bab0e20cc3a
 ...