1078 prerelease vs release (#1235)

Signed-off-by: Christian Mesh <christianmesh1@gmail.com>
Signed-off-by: siddharthasonker95 <158144589+siddharthasonker95@users.noreply.github.com>
Co-authored-by: Christian Mesh <christianmesh1@gmail.com>

.github/workflows/release.yml

@@ -6,6 +6,10 @@ on:
       tag:
         description: "Git tag (leave empty for dry run)"
         required: false
+      prerelease:
+        description: "Is this a pre-release?"
+        required: true
+        type: boolean
 
 jobs:
   release:
@@ -46,6 +50,34 @@ jobs:
         env:
           TARGET_VERSION: ${{inputs.tag}}
 
+      - name: Check if tag is on main branch or version branch
+        id: validate_tag
+        run: |
+          IS_TAG_ON_MAIN=$(git branch -a --contains ${{inputs.tag}} | grep -q "main" && echo true || echo false)
+          IS_TAG_ON_VERSION=$(git branch -a --contains ${{inputs.tag}} | grep -E "^v[0-9]+\.[0-9]+" && echo true || echo false)
+          echo "IS_TAG_ON_MAIN=${IS_TAG_ON_MAIN}" >> $GITHUB_OUTPUT
+          echo "IS_TAG_ON_VERSION=${IS_TAG_ON_VERSION}" >> $GITHUB_OUTPUT
+
+      - name: Check if release is allowed or not
+        id: validate_release
+        run: |
+          if [[ "${{ inputs.prerelease }}" == "false" && "${{ steps.validate_tag.outputs.IS_TAG_ON_MAIN }}" == "true" ]]; then
+            echo "ERROR: Creating stable release from a tag on main is not allowed."
+            exit 1
+          fi
+
+      - name: Check eligibility for archive push
+        id: archive
+        run: |
+          PUSH_ARCHIVE=$(
+            [[ 
+              "${{ inputs.prerelease }}" == "true" && 
+              ("${{ steps.validate_tag.outputs.IS_TAG_ON_MAIN }}" == "true" || 
+              "${{ steps.validate_tag.outputs.IS_TAG_ON_VERSION }}" == "true") 
+            ]] && echo false || echo true
+          )
+          echo "PUSH_ARCHIVE=${PUSH_ARCHIVE}" >> $GITHUB_ENV
+
       - name: Determine Go version
         id: go
         uses: ./.github/actions/go-version
@@ -97,6 +129,7 @@ jobs:
           # goreleaser won't sign the packages.
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_STORE_TOKEN }}
+          SNAPCRAFT_CHANNEL: ${{ inputs.prerelease &&  'edge' || 'stable' }}
 
       - name: Remove GPG key
         if: always()
@@ -113,7 +146,7 @@ jobs:
           path: dist
 
       - name: Upload Debian packages to PackageCloud
-        if: startsWith(inputs.tag, 'v')
+        if: startsWith(inputs.tag, 'v') && steps.archive.outputs.PUSH_ARCHIVE
         uses: computology/packagecloud-github-action@v0.6
         with:
                 PACKAGE-NAME: dist/*.deb
@@ -122,7 +155,7 @@ jobs:
                 PACKAGECLOUD-DISTRO: any/any
                 PACKAGECLOUD-TOKEN: ${{ secrets.PACKAGECLOUD_TOKEN }}
       - name: Upload RPM packages to PackageCloud
-        if: startsWith(inputs.tag, 'v')
+        if: startsWith(inputs.tag, 'v') && steps.archive.outputs.PUSH_ARCHIVE
         uses: computology/packagecloud-github-action@v0.6
         with:
                 PACKAGE-NAME: dist/*.rpm

.goreleaser.yaml

@@ -171,6 +171,7 @@ docker_manifests:
       - ghcr.io/opentofu/opentofu:{{ .Version }}-arm64
       - ghcr.io/opentofu/opentofu:{{ .Version }}-arm
       - ghcr.io/opentofu/opentofu:{{ .Version }}-386
+    skip_push: auto
 
 nfpms:
   - file_name_template: '{{ .ProjectName }}_{{ .Version }}_{{ .Arch }}'
@@ -206,7 +207,7 @@ snapcrafts:
       safely and efficiently. OpenTofu can manage existing and popular service
       providers as well as custom in-house solutions.
     base: core22
-    grade: stable
+    grade: "{{ .Env.SNAPCRAFT_CHANNEL }}"
     confinement: classic
     license: MPL-2.0
     apps: