[AI-6754] Only sign and upload ddev packages in tags (DataDog#23414)

* only sign and upload ddev packages in PRs and master

* Add back schedule

* Add should-sign-and-upload step

* Address feedback

Author: sarah-witt

.github/workflows/build-ddev.yml

@@ -52,6 +52,27 @@ jobs:
         fi
         echo "base_tags=team:agent-integrations,service:ddev,context:$context" >> $GITHUB_OUTPUT
 
+  should-sign-and-upload:
+    name: Determine signing conditions
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        # Override workflow-level working-directory since this job does not checkout code
+        working-directory: .
+    outputs:
+      result: ${{ steps.check.outputs.result }}
+    steps:
+    - id: check
+      env:
+        EVENT_NAME: ${{ github.event_name }}
+        REF: ${{ github.ref }}
+      run: |
+        result=false
+        if [[ "$EVENT_NAME" == "schedule" || ( "$EVENT_NAME" == "push" && "$REF" == refs/tags/* ) ]]; then
+          result=true
+        fi
+        echo "result=$result" >> $GITHUB_OUTPUT
+
   python-artifacts:
     name: Build wheel and source distribution
     runs-on: ubuntu-latest
@@ -315,9 +336,10 @@ jobs:
 
   windows-packaging:
     name: Build Windows installers
-    if: github.event_name == 'push' || github.event.pull_request.head.repo.full_name == github.repository
+    if: github.event_name == 'push' || github.event_name == 'schedule' || github.event.pull_request.head.repo.full_name == github.repository
     needs:
     - define-tags
+    - should-sign-and-upload
     - binaries
     runs-on: windows-2022
     permissions:
@@ -429,6 +451,7 @@ jobs:
         mv build/*/release/*/*.{exe,msi} installers
 
     - name: Upload installers
+      if: needs.should-sign-and-upload.outputs.result == 'true'
       uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: installers-${{ runner.os }}
@@ -437,9 +460,10 @@ jobs:
 
   macos-packaging:
     name: Build macOS installer and sign/notarize artifacts
-    if: github.event_name == 'push'
+    if: github.event_name == 'push' || github.event_name == 'schedule' || github.event.pull_request.head.repo.full_name == github.repository
     needs:
     - define-tags
+    - should-sign-and-upload
     - binaries
     runs-on: macos-14-large
     permissions:
@@ -483,6 +507,7 @@ jobs:
         tar --strip-components=1 -xzf - -C /usr/local/bin "$ARCHIVE_NAME/rcodesign"
 
     - name: Write credentials
+      if: needs.should-sign-and-upload.outputs.result == 'true'
       env:
         APPLE_DEVELOPER_ID_APPLICATION_CERTIFICATE: "${{ secrets.APPLE_DEVELOPER_ID_APPLICATION_CERTIFICATE }}"
         APPLE_DEVELOPER_ID_APPLICATION_PRIVATE_KEY: "${{ secrets.APPLE_DEVELOPER_ID_APPLICATION_PRIVATE_KEY }}"
@@ -560,13 +585,12 @@ jobs:
     - name: Extract staged standalone binaries
       run: ${{ steps.script-extract.outputs.script }}
 
-    # Signing and notarization steps are skipped for Dependabot PRs (no access to Apple secrets)
     - name: Sign standalone binaries
-      if: github.event_name != 'pull_request' || github.event.pull_request.user.login != 'dependabot[bot]'
+      if: needs.should-sign-and-upload.outputs.result == 'true'
       run: ${{ steps.script-sign.outputs.script }}
 
     - name: Notarize standalone binaries
-      if: github.event_name != 'pull_request' || github.event.pull_request.user.login != 'dependabot[bot]'
+      if: needs.should-sign-and-upload.outputs.result == 'true'
       run: ${{ steps.script-notarize.outputs.script }}
 
     - name: Archive standalone binaries
@@ -599,11 +623,11 @@ jobs:
       run: ${{ steps.script-extract.outputs.script }}
 
     - name: Sign managed binaries
-      if: github.event_name != 'pull_request' || github.event.pull_request.user.login != 'dependabot[bot]'
+      if: needs.should-sign-and-upload.outputs.result == 'true'
       run: ${{ steps.script-sign.outputs.script }}
 
     - name: Notarize managed binaries
-      if: github.event_name != 'pull_request' || github.event.pull_request.user.login != 'dependabot[bot]'
+      if: needs.should-sign-and-upload.outputs.result == 'true'
       run: ${{ steps.script-notarize.outputs.script }}
 
     # bin/<APP_NAME>-<VERSION>-<TARGET> -> targets/<TARGET>/<APP_NAME>
@@ -646,7 +670,7 @@ jobs:
         echo "path=$pkg_file" >> "$GITHUB_OUTPUT"
 
     - name: Sign PKG
-      if: github.event_name != 'pull_request' || github.event.pull_request.user.login != 'dependabot[bot]'
+      if: needs.should-sign-and-upload.outputs.result == 'true'
       run: >-
         rcodesign sign -vv
         --pem-source /tmp/certificate-installer.pem
@@ -655,15 +679,15 @@ jobs:
         "signed/${{ steps.pkg.outputs.path }}"
 
     - name: Notarize PKG
-      if: github.event_name != 'pull_request' || github.event.pull_request.user.login != 'dependabot[bot]'
+      if: needs.should-sign-and-upload.outputs.result == 'true'
       run: >-
         rcodesign notary-submit
         --api-key-path /tmp/app-store-connect.json
         --staple
         "signed/${{ steps.pkg.outputs.path }}"
 
     - name: Upload installer
-      if: github.event_name != 'pull_request' || github.event.pull_request.user.login != 'dependabot[bot]'
+      if: needs.should-sign-and-upload.outputs.result == 'true'
       uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
       with:
         name: installers-${{ runner.os }}