Gate CLI macOS signing on vars.ENABLE_MACOS_SIGNING

Signed-off-by: Dom Del Nano <ddelnano@gmail.com>

Author: ddelnano

.github/workflows/cli_release.yaml

@@ -24,6 +24,8 @@ jobs:
       image: ${{ needs.get-dev-image.outputs.image-with-tag }}
     env:
       ARTIFACT_UPLOAD_LOG: "artifact_uploads.json"
+      # When macOS signing is enabled, push-signed-artifacts owns the manifest update.
+      MANIFEST_UPDATES: ${{ vars.ENABLE_MACOS_SIGNING == 'true' && '' || 'manifest_updates.json' }}
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
       with:
@@ -79,8 +81,14 @@ jobs:
       with:
         name: artifact-upload-log
         path: ${{ env.ARTIFACT_UPLOAD_LOG }}
+    - if: vars.ENABLE_MACOS_SIGNING != 'true'
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
+      with:
+        name: manifest-updates
+        path: manifest_updates.json
   sign-release:
     name: Sign Release for MacOS
+    if: vars.ENABLE_MACOS_SIGNING == 'true'
     runs-on: macos-latest
     needs: build-release
     steps:
@@ -115,6 +123,7 @@ jobs:
         path: artifacts/
   push-signed-artifacts:
     name: Push Signed Artifacts for MacOS
+    if: vars.ENABLE_MACOS_SIGNING == 'true'
     runs-on: ubuntu-latest
     needs: [get-dev-image, sign-release]
     container:
@@ -162,7 +171,11 @@ jobs:
   create-github-release:
     name: Create Release on Github
     runs-on: ubuntu-latest
-    needs: push-signed-artifacts
+    needs: [build-release, push-signed-artifacts]
+    if: |
+      always() &&
+      needs.build-release.result == 'success' &&
+      (needs.push-signed-artifacts.result == 'success' || needs.push-signed-artifacts.result == 'skipped')
     permissions:
       contents: write
     steps:
@@ -187,8 +200,15 @@ jobs:
         gh release create "${TAG_NAME}" "${prerelease[@]}" \
           --title "CLI ${TAG_NAME#release/cli/}" \
           --notes $'Pixie CLI Release:\n'"${changelog}"
-        gh release upload "${TAG_NAME}" linux-artifacts/* macos-artifacts/*
+        shopt -s nullglob
+        upload_paths=(linux-artifacts/*)
+        if [[ -d macos-artifacts ]]; then
+          upload_paths+=(macos-artifacts/*)
+        fi
+        gh release upload "${TAG_NAME}" "${upload_paths[@]}"
   update-gh-artifacts-manifest:
+    if: |
+      always() && needs.create-github-release.result == 'success'
     runs-on: oracle-8cpu-32gb-x86-64
     needs: [get-dev-image, create-github-release]
     container:

ci/cli_build_release.sh

@@ -95,3 +95,8 @@ upload_artifacts "${release_tag}"
 if [[ ! $release_tag == *"-"* ]]; then
   upload_artifacts "latest"
 fi
+
+# Create manifest update for downstream jobs.
+if [[ -n "${MANIFEST_UPDATES:-}" ]]; then
+  create_manifest_update "cli" "${release_tag}" > "${MANIFEST_UPDATES}"
+fi