update drone file

.drone.yml

@@ -25,42 +25,53 @@ steps:
       - VERSION_TAG="v$DRONE_BUILD_NUMBER"
       - IMAGE_NAME="public/drone-publish-tool"
       - IMAGE_FULL="$REGISTRY_URL/$IMAGE_NAME:$VERSION_TAG"
+
       - echo "Building image $IMAGE_FULL ..."
       - docker build -t $IMAGE_FULL .
       - docker tag $IMAGE_FULL $REGISTRY_URL/$IMAGE_NAME:latest
+
       - echo "Pushing images to $REGISTRY_URL ..."
       - docker push $IMAGE_FULL
       - docker push $REGISTRY_URL/$IMAGE_NAME:latest
+
+      - DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE_FULL)
       - echo "VERSION_TAG=$VERSION_TAG" >> build.env
       - echo "IMAGE_FULL=$IMAGE_FULL" >> build.env
+      - echo "IMAGE_DIGEST=$DIGEST" >> build.env
       - echo "✅ Build and push complete."
+    outputs:
+      - build.env
+
+  - name: export-env
+    image: alpine:3.20
+    commands:
+      - echo "=== 📦 Loading build.env into environment ==="
+      - export $(cat build.env | xargs)
+      - echo "IMAGE_DIGEST=$IMAGE_DIGEST" >> /drone/env
+      - echo "IMAGE_FULL=$IMAGE_FULL" >> /drone/env
+      - echo "VERSION_TAG=$VERSION_TAG" >> /drone/env
+    depends_on:
+      - build-and-push
 
   # --------------------------------------------------
   # 2️⃣ Sign Image with Cosign (Secret-Key aus Variable)
   # --------------------------------------------------
   - name: sign-image
     image: gcr.io/projectsigstore/cosign:v2.4.0
+    entrypoint: ["cosign"]
+    commands:
+      - "sign"
+      - "--yes"
+      - "--key"
+      - "env://COSIGN_KEY"
+      - "$${IMAGE_DIGEST}"
     environment:
       COSIGN_KEY:
         from_secret: COSIGN_KEY
       COSIGN_PASSWORD:
         from_secret: COSIGN_PASSWORD
-      REGISTRY_URL:
-        from_secret: REGISTRY_URL
-      DOCKER_USER:
-        from_secret: DOCKER_USER
-      DOCKER_PASS:
-        from_secret: DOCKER_PASS
-    commands:
-      - echo "=== 🔏 Signing image with Cosign ==="
-      - . build.env
-      - echo "$DOCKER_PASS" | cosign login --username "$DOCKER_USER" --password-stdin "$REGISTRY_URL"
-      # 🔐 Cosign-Key aus Secret in temporäre Datei schreiben
-      - echo "$COSIGN_KEY" > /tmp/cosign.key
-      - chmod 600 /tmp/cosign.key
-      - cosign sign --yes --key /tmp/cosign.key "$IMAGE_FULL"
-      - shred -u /tmp/cosign.key || rm -f /tmp/cosign.key
-      - echo "✅ Image successfully signed."
+    depends_on:
+      - export-env
 
   # --------------------------------------------------
   # 3️⃣ Create Gitea Release