fix(ci): gate krew-release-bot on final release tags only

[Copilot]

The krew-release-bot step was triggering on all tag pushes (v*), including pre-release tags like v1.0.0-alpha.1 and v1.0.0-rc.1, spamming krew-index with spurious PRs.

Description

.github/workflows/goreleaser.yaml: Added a "Check if release tag" step that uses bash to match the tag against the regex ^v[0-9]+\.[0-9]+\.[0-9]+$ and sets a step output. The krew-release-bot step is then gated on that output, so it only runs on final release tags and skips pre-release tags.

- name: Check if release tag
  id: check-tag
  run: |
    if [[ "${{ github.ref_name }}" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
      echo "is_release=true" >> $GITHUB_OUTPUT
    else
      echo "is_release=false" >> $GITHUB_OUTPUT
    fi
- name: Update new version in krew-index
  if: github.repository_owner == 'microsoft' && steps.check-tag.outputs.is_release == 'true'
  uses: rajatjindal/krew-release-bot@...

GitHub Actions expressions do not support regex natively, so a dedicated bash step is used to perform the regex match and expose the result as a step output. This does not affect the rest of the release job (binary builds, GoReleaser, etc.), which will continue to run on all tag pushes.

Related Issue

Resolves the krew-index spam reported in the issue.

Checklist

• I have read the contributing documentation.
• I signed and signed-off the commits (git commit -S -s ...). See this documentation on signing commits.
• I have correctly attributed the author(s) of the code.
• I have tested the changes locally.
• I have followed the project's style guidelines.
• I have updated the documentation, if necessary.
• I have added tests, if applicable.

Screenshots (if applicable) or Testing Completed

N/A — workflow-only change; can be validated by pushing a pre-release tag and confirming the krew step is skipped.

Additional Notes

This does not affect the rest of the release job (binary builds, GoReleaser, etc.), which will continue to run on all tag pushes.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Do not run krew-release action on pre-releases</issue_title>
<issue_description>This repo is spamming krew-index with PRs like kubernetes-sigs/krew-index#4933

Please only run this action on tag v[0-9]+\.[0-9]+\.[0-9]+$'.

cc: @matmerr</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes Do not run krew-release action on pre-releases #2106

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[github-actions]

Retina Code Coverage Report

Total coverage no change

Increased diff

Impacted Files	Coverage
pkg/controllers/daemon/namespace/namespace_controller.go	76.24% ... 78.46% (2.22%)	⬆️

[alexcastilio]

LGTM

[matmerr]

@copilot commits must have verified signatures

[Copilot]

@copilot commits must have verified signatures

Commit signing requires a GPG/SSH private key in the git environment. As a Copilot agent, I don't have access to signing keys — the report_progress tool that performs git commit on my behalf does not have a signing key configured. This is a limitation of the agent infrastructure. The code changes themselves are correct; a human maintainer would need to either cherry-pick these changes into a signed commit or configure the agent environment with a signing key.