From 524ccc10686991d63aa6f23b40a9b77f68da4cb9 Mon Sep 17 00:00:00 2001
From: Pierre Smeyers <pierre.smeyers@gmail.com>
Date: Wed, 5 Apr 2023 18:45:12 +0200
Subject: [PATCH] feat(publish): redesign publish on prod strategy

BREAKING CHANGE: $PUBLISH_ON_PROD no longer supported (replaced by $DOCKER_PROD_PUBLISH_STRATEGY - see doc)
---
 README.md                      |  5 ++---
 kicker.json                    |  7 +++++++
 templates/gitlab-ci-docker.yml | 19 +++++++++----------
 3 files changed, 18 insertions(+), 13 deletions(-)

diff --git a/README.md b/README.md
index 24d6b05..e42bc9e 100644
--- a/README.md
+++ b/README.md
@@ -80,7 +80,7 @@ You may perfectly override this and use another Docker registry, but be aware of
 * the `DOCKER_SNAPSHOT_IMAGE` requires a Docker registry that allows tag overwrite,
 * the `DOCKER_RELEASE_IMAGE` _may_ use a Docker registry that doesn't allow tag overwrite, but:
     1. you should avoid overwriting a Git tag (at it will obviously fail while trying to (re)push the Docker image),
-    2. you have to deactivate publish on `master` branch by setting the `$PUBLISH_ON_PROD` variable to `false` (as it would lead to the `master` tag being overwritten).
+    2. you have to deactivate publish on `main` (or `master`) branch by setting the `$DOCKER_PROD_PUBLISH_STRATEGY` variable to `none` (as it would lead to the `main` tag being overwritten).
 
 ### Registries and credentials
 
@@ -417,8 +417,7 @@ This job pushes (_promotes_) the built image as the _release_ image [skopeo](htt
 | --------------------- | --------------------------------------------------------------------------- | ----------------- |
 | `DOCKER_SKOPEO_IMAGE` | The Docker image used to run [skopeo](https://github.com/containers/skopeo) | `quay.io/skopeo/stable:latest` |
 | `DOCKER_PUBLISH_ARGS` | Additional [`skopeo copy` arguments](https://github.com/containers/skopeo/blob/master/docs/skopeo-copy.1.md#options) | _(none)_          |
-| `AUTODEPLOY_TO_PROD`  | Set to enable automatic publish (and deploy) on `master` branch             | _none_ (enabled)  |
-| `PUBLISH_ON_PROD`     | Determines whether this job is enabled on `master` branch                   | `true` (enabled)  |
+| `DOCKER_PROD_PUBLISH_STRATEGY`| Defines the publish to production strategy. One of `manual` (i.e. _one-click_), `auto` or `none` (disabled). | `manual` |
 | `DOCKER_SEMREL_RELEASE_DISABLED` | Set to `true` to disable [semantic-release integration](#semantic-release-integration)   | _none_ (enabled) |
 
 This job produces _output variables_ that are propagated to downstream jobs (using [dotenv artifacts](https://docs.gitlab.com/ee/ci/pipelines/job_artifacts.html#artifactsreportsdotenv)):
diff --git a/kicker.json b/kicker.json
index b25df87..c652fa2 100644
--- a/kicker.json
+++ b/kicker.json
@@ -70,6 +70,13 @@
       "default": "true",
       "type": "boolean"
     },
+    {
+      "name": "DOCKER_PROD_PUBLISH_STRATEGY",
+      "description": "Defines the publish to production strategy.",
+      "type": "enum",
+      "values": ["none", "manual", "auto"],
+      "default": "manual"
+    },
     {
       "name": "DOCKER_SEMREL_RELEASE_DISABLED",
       "description": "Disable integration with the [semantic release template](https://gitlab.com/to-be-continuous/semantic-release/)",
diff --git a/templates/gitlab-ci-docker.yml b/templates/gitlab-ci-docker.yml
index d1b33e0..ecfcb9a 100644
--- a/templates/gitlab-ci-docker.yml
+++ b/templates/gitlab-ci-docker.yml
@@ -73,9 +73,9 @@ variables:
   DOCKER_SBOM_IMAGE: "registry.hub.docker.com/anchore/syft:debug"
   DOCKER_SBOM_OPTS: "--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger"
 
-  # by default: DevOps pipeline
-  PUBLISH_ON_PROD: "true"
-
+  # default: one-click publish
+  DOCKER_PROD_PUBLISH_STRATEGY: manual
+  
   # default production ref name (pattern)
   PROD_REF: '/^(master|main)$/'
   # default integration ref name (pattern)
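Review bot: The new default `DOCKER_PROD_PUBLISH_STRATEGY: manual` is written unquoted while the neighbouring variables in this block are quoted strings, and the added blank line after it carries trailing spaces. Writing `DOCKER_PROD_PUBLISH_STRATEGY: "manual"` followed by a truly empty line would match the file's style. The comment could also name the accepted values, e.g. `# publish strategy on the production branch: none, manual (one-click, default) or auto`. A value outside that set matches neither strategy rule added to docker-publish, so the job is presumably left out of the pipeline without any message. The variables block starts above this hunk and continues below it.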
@@ -762,13 +762,12 @@ docker-publish:
     # exclude non-production branches
     - if: '$CI_COMMIT_REF_NAME !~ $PROD_REF'
       when: never
-    # exclude if $PUBLISH_ON_PROD disabled
-    - if: '$PUBLISH_ON_PROD != "true"'
-      when: never
     # exclude if snapshot is same as release image and semrel info not enabled or semrel integration disabled
     - if: '$DOCKER_SNAPSHOT_IMAGE == $DOCKER_RELEASE_IMAGE && ($SEMREL_INFO_ON == null || $SEMREL_INFO_ON == "" || $DOCKER_SEMREL_RELEASE_DISABLED == "true")'
       when: never
-    # if $AUTODEPLOY_TO_PROD: auto
-    - if: '$AUTODEPLOY_TO_PROD == "true"'
-    # else: manual + blocking
-    - when: manual
+    # support former variable (prevent breaking change)
+    - if: '$PUBLISH_ON_PROD == "false"'
+      when: never
+    - if: '$DOCKER_PROD_PUBLISH_STRATEGY == "manual"'
+      when: manual
+    - if: '$DOCKER_PROD_PUBLISH_STRATEGY == "auto"'
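Review bot: The compatibility rule `$PUBLISH_ON_PROD == "false"` is narrower than the check it replaces. The removed rule skipped the job for any value other than `"true"`, so a project that disabled publishing with `False` or `no` would now get a manual publish job on the production branch. To keep the old fail-closed behaviour for projects that still set the variable, the shim could read `- if: '$PUBLISH_ON_PROD != null && $PUBLISH_ON_PROD != "true"'`. Its comment says it prevents a breaking change while the commit message declares the variable unsupported; `# deprecated: honour legacy $PUBLISH_ON_PROD opt-out (use DOCKER_PROD_PUBLISH_STRATEGY: "none")` would state the intent. The docker-publish job starts above the hunk, and `$AUTODEPLOY_TO_PROD` is no longer read in the visible rules, so pipelines relying on it fall back to a manual publish unless they set the strategy to `auto`.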
-- 
GitLab