Add support for a --no-push option

When making security-related releases, we want to do all release-tagging
related activity locally, without exposing the actual change.  This is
to support a "binary-only" release to give admins the opportunity to
install the upgrade without making details of the vulnerability public.

One an embargo period is over, the local changes may be pushed to
github.

Care must be taken that this does not trigger the usual build process,
as this will result in packages with different checksum values.

bin/tag-releases

@@ -10,11 +10,23 @@ etc=$(cd $(dirname "$0")/../etc; pwd)
 . $share/functions
 . $etc/paths
 
+if [ "$1" = "--help" ] || [ "$1" = "-h" ]; then
+    echo "--auto-tag   tag without prompting for confirmation"
+    echo "--no-push    do not push any changes"
+    echo "--help  -h   this information"
+    exit 0
+fi
+
 if [ "$1" = "--auto-tag" ]; then
     auto_tag=1
     shift
 fi
 
+if [ "$1" = "--no-push" ]; then
+    no_push=1
+    shift
+fi
+
 if [ $# -gt 0 ]; then
     BRANCHES="$@"
 else
@@ -102,6 +114,11 @@ if [ "$auto_tag" != "1" ]; then
     [ "$answer" = "continue" ] || fail "Aborted at user request."
 fi
 
+if [ "$no_push" = "1" ]; then
+    nopush_option=-DpushChanges=false
+fi
+
+
 for branch in $release_branches; do
     git checkout -q $branch
     git clean -df >/dev/null
@@ -111,5 +128,5 @@ for branch in $release_branches; do
     echo "==="
     echo "===    Preparing for $next_tag"
     echo "==="
-    mvn -B release:prepare
+    mvn -B ${nopush_option} release:prepare
 done