Infra: dgit-repos-server-debian: Run check_package on push

[dgit.git] / infra / dgit-repos-policy-debian

diff --git a/infra/dgit-repos-policy-debian b/infra/dgit-repos-policy-debian
index 9c2153df5e9e487ee2293ac3364066765ff4ba1f..e665a636566242c95b844c518a3eebaad93870ce 100755 (executable)
--- a/infra/dgit-repos-policy-debian
+++ b/infra/dgit-repos-policy-debian
@@ -219,15 +219,16 @@ sub check_package () {
     my $age = time -  $mtime;
     printdebug "check_package age=$age\n";
 
-    return 0 if $age < $new_upload_propagation_slop;
-
-    return 0 if new_has_vsn_in_our_history();
-
     if (good_suite_has_vsn_in_our_history) {
        chmod $publicmode, "." or die $!;
+       $pkg_secret = 0;
        return 0;
     }
 
+    return 0 if $age < $new_upload_propagation_slop;
+
+    return 0 if new_has_vsn_in_our_history();
+
     printdebug "check_package secret, deleted, tainting\n";
 
     git_for_each_ref('refs/tags', sub {
@@ -260,6 +261,8 @@ sub action_push () {
     getpackage();
     getpushinfo();
 
+    check_package(); # might make package public, or might add taints
+
     return 0 unless $pkg_exists;
     return 0 unless $pkg_secret;