first commit

.drone.yml

@@ -0,0 +1,96 @@
+kind: pipeline
+type: docker
+name: build-sign-and-release
+
+steps:
+  # --------------------------------------------------
+  # 1️⃣ Build & Push Image
+  # --------------------------------------------------
+  - name: build-and-push
+    image: docker:26
+    privileged: true
+    environment:
+      REGISTRY_URL:
+        from_secret: REGISTRY_URL
+      DOCKER_USER:
+        from_secret: DOCKER_USER
+      DOCKER_PASS:
+        from_secret: DOCKER_PASS
+    volumes:
+      - name: docker_sock
+        path: /var/run/docker.sock
+    commands:
+      - echo "=== 🏗️ Building and Pushing Image ==="
+      - docker login $REGISTRY_URL -u "$DOCKER_USER" -p "$DOCKER_PASS"
+      - VERSION_TAG="v$DRONE_BUILD_NUMBER"
+      - IMAGE_NAME="public/drone-publish-tool"
+      - IMAGE_FULL="$REGISTRY_URL/$IMAGE_NAME:$VERSION_TAG"
+      - echo "Building image $IMAGE_FULL ..."
+      - docker build -t $IMAGE_FULL .
+      - docker tag $IMAGE_FULL $REGISTRY_URL/$IMAGE_NAME:latest
+      - echo "Pushing images to $REGISTRY_URL ..."
+      - docker push $IMAGE_FULL
+      - docker push $REGISTRY_URL/$IMAGE_NAME:latest
+      - echo "VERSION_TAG=$VERSION_TAG" >> build.env
+      - echo "IMAGE_FULL=$IMAGE_FULL" >> build.env
+      - echo "✅ Build and push complete."
+
+  # --------------------------------------------------
+  # 2️⃣ Sign Image with Cosign (Secret-Key aus Variable)
+  # --------------------------------------------------
+  - name: sign-image
+    image: gcr.io/projectsigstore/cosign:v2.4.0
+    environment:
+      COSIGN_KEY:
+        from_secret: COSIGN_KEY
+      COSIGN_PASSWORD:
+        from_secret: COSIGN_PASSWORD
+      REGISTRY_URL:
+        from_secret: REGISTRY_URL
+      DOCKER_USER:
+        from_secret: DOCKER_USER
+      DOCKER_PASS:
+        from_secret: DOCKER_PASS
+    commands:
+      - echo "=== 🔏 Signing image with Cosign ==="
+      - . build.env
+      - echo "$DOCKER_PASS" | cosign login --username "$DOCKER_USER" --password-stdin "$REGISTRY_URL"
+      # 🔐 Cosign-Key aus Secret in temporäre Datei schreiben
+      - echo "$COSIGN_KEY" > /tmp/cosign.key
+      - chmod 600 /tmp/cosign.key
+      - cosign sign --yes --key /tmp/cosign.key "$IMAGE_FULL"
+      - shred -u /tmp/cosign.key || rm -f /tmp/cosign.key
+      - echo "✅ Image successfully signed."
+
+  # --------------------------------------------------
+  # 3️⃣ Create Gitea Release
+  # --------------------------------------------------
+  - name: create-release
+    image: curlimages/curl:8.10.1
+    environment:
+      GITEA_URL:
+        from_secret: GITEA_URL
+      GITEA_TOKEN:
+        from_secret: GITEA_TOKEN
+    commands:
+      - echo "=== 🏷️ Creating Gitea release ==="
+      - . build.env
+      - RELEASE_NAME="Release $VERSION_TAG"
+      - RELEASE_BODY="Automatisch erstellter Release für Build $DRONE_BUILD_NUMBER\n\nImage:\n\`\`\`\n$IMAGE_FULL\n\`\`\`"
+      - |
+        curl -s -X POST "$GITEA_URL/api/v1/repos/${DRONE_REPO_OWNER}/${DRONE_REPO_NAME}/releases" \
+          -H "Authorization: token $GITEA_TOKEN" \
+          -H "Content-Type: application/json" \
+          -d "{
+                \"tag_name\": \"$VERSION_TAG\",
+                \"name\": \"$RELEASE_NAME\",
+                \"body\": \"$RELEASE_BODY\",
+                \"draft\": false,
+                \"prerelease\": false
+              }"
+      - echo "✅ Release created in Gitea."
+
+volumes:
+  - name: docker_sock
+    host:
+      path: /var/run/docker.sock