Stop manual release AMI publishing

tkilias · tkilias · commit 9252707981d6 · 2026-06-02T14:59:32.000+02:00
diff --git a/doc/developer_guide/aws.md b/doc/developer_guide/aws.md
@@ -9,7 +9,7 @@
 2. Open a pull request and let the PR CI validate the release version through the `Check Version Number` step in [.github/workflows/ci.yaml](https://github.com/exasol/ai-lab/blob/main/.github/workflows/ci.yaml)
 3. Merge the pull request
 4. Push the release version tag
-5. The `Release` GitHub Actions workflow authenticates to AWS via GitHub OIDC, runs `ai-lab release check`, `build`, `notes`, and `publish`, builds the AMI and VM artifacts, and publishes the Docker release image for that tag
+5. The tagged `Release` GitHub Actions workflow authenticates to AWS via GitHub OIDC, runs `ai-lab release check`, `build`, `notes`, and `publish`, builds the AMI and VM artifacts, and publishes the Docker release image for that tag
 
 ## AWS Infrastructure Workflow
 
@@ -42,6 +42,9 @@ The release now runs in GitHub Actions. PR CI validates the release version, whi
 tagged `Release` workflow both authenticate to AWS via OIDC, run the release workflow commands, build the AMI and VM
 artifacts, and publish the Docker image.
 
+Manual `workflow_dispatch` runs are treated as draft test releases: they still generate release notes and a draft GitHub
+release, but they do not make the AMI public or publish the Docker image.
+
 ### IAM permissions for GitHub Actions
 
 The AWS-backed CI and the tagged release workflow both authenticate to AWS via GitHub OIDC. The CI role should get the
diff --git a/doc/developer_guide/commands.md b/doc/developer_guide/commands.md
@@ -22,13 +22,14 @@ The following commands are used during the GitHub Actions release flow:
 
 `release` commands:
 * `check`: Validate that the repository versions and changelog are ready for a release.
-* `build`: Create the AMI and VM images via AWS APIs and publish the Docker image.
+* `build`: Create the AMI and VM images via AWS APIs and publish the Docker image for tagged releases.
 * `notes`: Generate the GitHub release notes and artifact list.
 * `publish`: Create the GitHub release from the generated notes.
 
 The release workflow commands require AWS credentials when building the AMI and VM images.
 The `build` command requires environment variable `RELEASE_DEFAULT_PASSWORD` for the temporary VM login password used during the build.
-The `build` command publishes only when environment variables `DOCKER_REGISTRY_USER` and `DOCKER_REGISTRY_PASSWORD` are set.
+The `build` command publishes only for tagged releases, and only then when environment variables `DOCKER_REGISTRY_USER`
+and `DOCKER_REGISTRY_PASSWORD` are set. Manual `workflow_dispatch` test releases skip publication.
 
 ## Developer commands
 
diff --git a/exasol/ds/sandbox/lib/release_workflow.py b/exasol/ds/sandbox/lib/release_workflow.py
@@ -79,7 +79,7 @@ def run_build(context: ReleaseContext, aws_access: AwsAccess) -> None:
     run_start_release_build(
         default_config_object,
         aws_access=aws_access,
-        publish=True,
+        publish=not context.release_is_manual,
         asset_id=context.release_asset_id,
     )
 
diff --git a/test/unit/test_release_workflow.py b/test/unit/test_release_workflow.py
@@ -98,10 +98,33 @@ def test_run_build_uses_asset_id(monkeypatch):
     args, kwargs = run_start_release_build.call_args
     assert args == (default_config_object,)
     assert kwargs["aws_access"] is aws_access
-    assert kwargs["publish"] is True
+    assert kwargs["publish"] is False
     assert kwargs["asset_id"] == "Draft Release"
 
 
+def test_run_build_publishes_tagged_releases(monkeypatch):
+    run_start_release_build = Mock()
+    monkeypatch.setattr(
+        "exasol.ds.sandbox.lib.release_workflow.run_start_release_build",
+        run_start_release_build,
+    )
+    context = ReleaseContext(
+        mode="push",
+        release_tag="5.1.0",
+        release_version="5.1.0",
+        release_ref="5.1.0",
+        release_title_input="",
+        release_asset_id="5.1.0",
+        release_is_manual=False,
+        release_notes_dir=Path("/tmp/release-notes"),
+    )
+    aws_access = AwsAccess(None)
+
+    run_build(context, aws_access)
+
+    assert run_start_release_build.call_args.kwargs["publish"] is True
+
+
 def test_run_notes_uses_manual_title(monkeypatch, tmp_path):
     write_release_notes = Mock()
     monkeypatch.setattr(

Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@ def run_build(context: ReleaseContext, aws_access: AwsAccess) -> None:`
`79`	`79`	`run_start_release_build(`
`80`	`80`	`default_config_object,`
`81`	`81`	`aws_access=aws_access,`
`82`		`- publish=True,`
	`82`	`+ publish=not context.release_is_manual,`
`83`	`83`	`asset_id=context.release_asset_id,`
`84`	`84`	`)`
`85`	`85`