ci/ipsec: Fix downgrade version retrieval

[qmonnet]

Figuring out the right "previous patch release version number" to downgrade to in print-downgrade-version.sh turns out to be more complex than expected 0 1 2 3.

This commit is an attempt to 1) fix issues with the current script and 2) overall make the script clearer, so we can avoid repeating these mistakes.

As for the fixes, there are two things that are not correct with the current version. First, we're trying to validate the existence of the tag to downgrade to, in case the script runs on top of a release preparation commit for which file VERSION has been updated to a value that does not yet contains a corresponding tag. This part of the script is actually OK, but not the way we call it in the IPsec workflow: we use fetch-tags: true but fetch-depth: 0 (the default), and the two are not compatible, a shallow clone results in no tags being fetched.

To address this, we retrieve the tag differently: instead of relying on "fetch-tags" from the workflow, we call "git fetch" from the script itself, provided the preconditions are met (we only run it from a Git repository, if the "origin" remote is defined). If the tag exists, either locally or remotely, then we can use it. Otherwise, the script considers that it runs from a release preparation Pull Request, and decrements the patch release number.

The second issue is that we would return no value from the script if the patch release is zero. This is to avoid any attempt to find a previous patch release when working on a development branch. However, this logics is incorrect (it comes from a previous version of the script where we would always decrement the patch number). After the first release of a new minor version, it's fine to have a patch number at 0. What we should check instead is whether the version ends with -dev.

This commit brings additional changes for clarity: more comments, and a better separation between the "get latest patch release" and "get previous stable branch" cases, moving the relevant code to independent functions, plus better argument handling. We also edit the IPsec workflow to add some logs about the version retrieved. The logs should also display the script's error messages, if any, that are printed to stderr.

Sample output from the script:

VERSION     Tag exists  Prevous minor   Previous patch release

1.14.3      Y           v1.13           v1.14.3
1.14.1      Y           v1.13           v1.14.1
1.14.0      Y           v1.13           v1.14.0
1.14.1-dev  N           v1.13           <error>
1.15.0-dev  N           v1.14           <error>
1.13.90     N           v1.12           v1.13.89  <- decremented
2.0.0       N           <error>         <error>
2.0.1       N           <error>         v2.0.0    <- decremented
2.1.1       N           v2.0            v2.1.0    <- decremented

Split diff view recommended to review the new version of print-downgrade-version.sh.

[qmonnet]

/ci-ipsec-upgrade

[qmonnet]

/ci-ipsec-upgrade

[qmonnet]

Tested in CI, in particular for the “downgrade to latest patch version” job:

• On main, the steps are skipped (no latest patch version on branch, so this is expected)
• On v1.15, current HEAD, we downgrade to v1.15.0 (expected)
• On v1.15, with a test commit to change VERSION's content to v1.15.1, we decrement and downgrade to v1.15.0 (expected)
• On v1.15, with a test commit to change VERSION's content to v1.16.0, we skip the remaining steps (no way to decrement from v1.16.0 - this is the expected behaviour).

[qmonnet]

/test

[pippolo84]

@qmonnet just a heads up that I was unable to backport this to v1.12 because of the conflicts, so I added the backport-author label.