tweak dry run logic

.github/actions/upload_managed_plugin/action.yml

@@ -2,12 +2,16 @@ name: upload-managed-plugin
 description: Upload binaries as rpk managed plugin
 inputs:
   aws_access_key_id:
-    default: UNSET
+    description: For accessing S3 bucket
+    required: true
   aws_secret_access_key:
-    default: UNSET
+    description: For accessing S3 bucket
+    required: true
   aws_region:
+    description: For accessing S3 bucket
     required: true
   aws_s3_bucket:
+    description: S3 bucket to use
     required: true
   artifacts_file:
     description: Path to goreleaser artifacts.json
@@ -19,16 +23,19 @@ inputs:
     description: Root dir of goreleaser project
     required: true
   plugin_name:
+    description: Should match the goreleaser build id for the binary  E.g. "connect"
     required: true
   goos:
-    description: CSV list of target OS's
+    description: CSV list of target OS's to filter on
     required: true
   goarch:
-    description: CSV list of target arch's
+    description: CSV list of target arch's to filter on
     required: true
   repo_hostname:
+    description: RPK Plugins repo hostname. E.g. rpk-plugins.redpanda.com
     required: true
   dry_run:
+    description: Dry run means skipping writes to S3
     required: true
 
 runs:

.github/workflows/release_rpk_connect_plugin_dry_run.yml → .github/workflows/upload_plugin.yml

@@ -1,14 +1,25 @@
-name: Release rpk connect plugin (managed)
+name: Upload rpk connect plugin to S3
 
 on:
   push:
     branches:
       - main
+    tags:
+      # This filter affects how DRY_RUN is determined.  RC's will get DRY_RUN=true
+      - 'v[0-9]+.[0-9]+.[0-9]+'
+      - 'v[0-9]+.[0-9]+.[0-9]+-rc[0-9]+'
   pull_request: { }
   workflow_dispatch: { }
 
+env:
+  # Only write to S3 for real, if:
+  # 1) it was a tag push
+  # 2) the tag looks like a real release tag (not an RC).
+  # This works in conjunction with workflow tag filters above
+  DRY_RUN: ${{ !( github.ref_type == 'tag' && !contains( github.ref, 'rc' ) ) }}
+
 jobs:
-  build_and_push_rpk_connect_plugin:
+  upload_rpk_connect_plugin:
     # Let's make this fast
     runs-on: ubuntu-latest-32
     permissions:
@@ -21,16 +32,14 @@ jobs:
           aws-region: ${{ vars.RP_AWS_CRED_REGION }}
           role-to-assume: arn:aws:iam::${{ secrets.RP_AWS_CRED_ACCOUNT_ID }}:role/${{ vars.RP_AWS_CRED_BASE_ROLE_NAME }}${{ github.event.repository.name }}
 
-      - name: Get secrets from AWS Secrets Manager
+      - name: Get secrets from AWS Secrets Manager (for read/writing S3-backed plugins repo)
         uses: aws-actions/aws-secretsmanager-get-secrets@v2
         with:
           secret-ids: |
             ,sdlc/prod/github/rpk_plugin_publisher
           parse-json-secrets: true
 
-      - run: "echo ACCESS_THING ${{ env.RPK_PLUGIN_PUBLISHER_AWS_ACCESS_KEY_ID }}"
-
-      - name: Check Out Repo
+      - name: Check out code repo
         uses: actions/checkout@v4
 
       - name: Install Go
@@ -39,17 +48,13 @@ jobs:
           go-version: 1.22.x
           check-latest: true
 
-      - name: Create a git tag (LOCAL ONLY)
-        # We pick something that won't look like a latest version, and doesn't clash with any real version
-        run: git tag -a v0.0.9999 -m "v0.0.9999"
-
       - name: Build binaries
         uses: goreleaser/goreleaser-action@v6
         with:
           version: 1.26.2
           args: build --timeout 120m
 
-      - name: Upload binaries as rpk managed plugin
+      - name: Upload connect plugin to S3
         uses: ./.github/actions/upload_managed_plugin
         with:
           aws_access_key_id: ${{ env.RPK_PLUGIN_PUBLISHER_AWS_ACCESS_KEY_ID }}
@@ -63,5 +68,5 @@ jobs:
           goos: linux,darwin
           goarch: amd64,arm64
           repo_hostname: rpk-plugins.redpanda.com
-          # IMPORTANT
-          dry_run: true
+          dry_run: ${{ env.DRY_RUN }}
+