From 33b0173657099e4976a91d551bc284028944eda5 Mon Sep 17 00:00:00 2001
From: Luca Guerra
Date: Mon, 8 May 2023 13:07:17 +0000
Subject: [PATCH] update(ci): react to release publishing, rewire variables
Signed-off-by: Luca Guerra
---
 .github/workflows/release.yaml | 43 +++++++++++++++++++++-------------
 1 file changed, 27 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index daf83d63..da19bc0e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -1,9 +1,7 @@
 name: Release Packages and Docker images
 on:
- push:
- tags:
- - '[0-9]+.[0-9]+.[0-9]+' # final release
- - '[0-9]+.[0-9]+.[0-9]+-*' # prerelease/RC
+ release:
+ types: [published]
 # Checks if any concurrent jobs is running for release CI and eventually cancel it.
 concurrency:
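Review bot: The new `release:` / `types: [published]` trigger has no comment, while the two removed tag patterns documented which tag forms start a release (`# final release`, `# prerelease/RC`). With the filter gone, any published release starts this workflow whatever its tag looks like, and the only remaining format gate is the `should_publish` check computed in the release-settings step of the next hunk. I would record that above the trigger, e.g. `# Runs for every published release; the tag is validated as semver in release-settings (should_publish)`.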
@@ -27,63 +25,76 @@ jobs:
 shell: python
 run: |
 import os
- is_prerelease = '-' in '${{ github.ref_name }}'
+ import re
+
+ semver_no_meta = '''^(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)\.(?P0|[1-9]\d*)(?:-(?P(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?$'''
+ tag_name = '${{ github.event.release.tag_name }}'
+
+ should_publish = re.match(semver_no_meta, tag_name) is not None
+
+ is_prerelease = '-' in tag_name
 # Safeguard: you need to both set "latest" in GH and not have suffixes to overwrite latest
- is_latest = '${{ steps.latest_release.outputs.release }}' == '${{ github.ref_name }}' and not is_prerelease
+ is_latest = '${{ steps.latest_release.outputs.release }}' == tag_name and not is_prerelease
 bucket_suffix = '-dev' if is_prerelease else ''
 with open(os.environ['GITHUB_OUTPUT'], 'a') as ofp:
 print(f'is_latest={is_latest}'.lower(), file=ofp)
+ print(f'should_publish={should_publish}'.lower(), file=ofp)
 print(f'bucket_suffix={bucket_suffix}', file=ofp)
- outputs:
- is_latest: ${{ steps.get_settings.outputs.is_latest }}
- bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
 build-packages:
+ needs: [release-settings]
+ if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
 uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
 with:
 arch: x86_64
 secrets: inherit
 build-packages-arm64:
+ needs: [release-settings]
+ if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
 uses: falcosecurity/falco/.github/workflows/reusable_build_packages.yaml@master
 with:
 arch: aarch64
 secrets: inherit
 publish-packages:
- needs: [build-packages, build-packages-arm64]
+ needs: [release-settings, build-packages, build-packages-arm64]
+ if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
 uses: falcosecurity/falco/.github/workflows/reusable_publish_packages.yaml@master
 with:
- bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
+ bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
 version: ${{ needs.build-packages.outputs.version }}
 secrets: inherit
 # Both build-docker and its arm64 counterpart require build-packages because they use its output
 build-docker:
- needs: [build-packages, publish-packages]
+ needs: [release-settings, build-packages, publish-packages]
+ if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
 uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
 with:
 arch: x86_64
 is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
- bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
+ bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
 version: ${{ needs.build-packages.outputs.version }}
 secrets: inherit
 build-docker-arm64:
- needs: [build-packages, publish-packages]
+ needs: [release-settings, build-packages, publish-packages]
+ if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
 uses: falcosecurity/falco/.github/workflows/reusable_build_docker.yaml@master
 with:
 arch: aarch64
 is_latest: ${{ needs.release-settings.outputs.is_latest == 'true' }}
- bucket_suffix: ${{ steps.get_settings.outputs.bucket_suffix }}
+ bucket_suffix: ${{ needs.release-settings.outputs.bucket_suffix }}
 version: ${{ needs.build-packages.outputs.version }}
 secrets: inherit
 publish-docker:
- needs: [build-docker, build-docker-arm64]
+ needs: [release-settings, build-docker, build-docker-arm64]
+ if: ${{ needs.release-settings.outputs.should_publish == 'true' }}
 uses: falcosecurity/falco/.github/workflows/reusable_publish_docker.yaml@master
 secrets: inherit
 with:
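Review bot: The `outputs:` block of the release-settings job is deleted after the last `print(...)` and nothing in the hunk re-declares it, while every job below now reads `needs.release-settings.outputs.should_publish` (and `bucket_suffix`, `is_latest`). Unless the job declares its outputs above the hunk, where its header lies and which is not visible here, those expressions are empty, each `if:` is false and the release is skipped without an error. I would keep the block and add `should_publish: ${{ steps.get_settings.outputs.should_publish }}` to it. Separately, `tag_name = '${{ github.event.release.tag_name }}'` substitutes the tag into the Python source before the semver check runs, so the check cannot protect the script from a tag containing a quote; passing the value through the step's `env:` and reading `tag_name = os.environ['TAG_NAME']` (variable name of your choice) keeps it data. The pattern literal should also be a raw string (`r'''…'''`), since `\d` and `\.` are invalid escapes in a plain one.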