From 61adca7361473a17bce76b5d1bceb5c880b4505d Mon Sep 17 00:00:00 2001
From: Patrick Gniza
Date: Sat, 8 Nov 2025 18:16:42 +0100
Subject: [PATCH] update entrypoint
---
 entrypoint.sh | 83 ++++++++++++++++++++++++++++++++++-----------------
 1 file changed, 56 insertions(+), 27 deletions(-)
diff --git a/entrypoint.sh b/entrypoint.sh
index 49b6cca..8f042b8 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -2,43 +2,72 @@ set -e
 echo "=== 🚀 Drone Publish Tool ==="
-echo "Image: $IMAGE_FULL"
-echo "Version: $VERSION_TAG"
+echo "Image: ${IMAGE_FULL:-}"
+echo "Version: ${VERSION_TAG:-}"
+echo "--------------------------------------"
-# --- 1️⃣ Signieren ---
+# --- 🧩 0️⃣ Prüfung der Umgebungsvariablen ---
+REQUIRED_VARS="REGISTRY_URL DOCKER_USER DOCKER_PASS IMAGE_FULL VERSION_TAG"
+MISSING_VARS=""
+
+for VAR in $REQUIRED_VARS; do
+ eval "VAL=\$$VAR"
+ if [ -z "$VAL" ]; then
+ MISSING_VARS="$MISSING_VARS $VAR"
+ fi
+done
+
+if [ -n "$MISSING_VARS" ]; then
+ echo "❌ Fehlende Umgebungsvariablen:$MISSING_VARS"
+ exit 1
+fi
+
+# --- 🔐 1️⃣ Login zur Registry ---
+echo "🔐 Logging in to registry $REGISTRY_URL ..."
+echo "$DOCKER_PASS" | docker login "$REGISTRY_URL" -u "$DOCKER_USER" --password-stdin >/dev/null
+echo "✅ Login successful."
+echo "--------------------------------------"
+
+# --- 📦 2️⃣ Digest ermitteln (wenn nicht vorhanden) ---
+if [ -z "$IMAGE_DIGEST" ]; then
+ echo "🔍 Kein Digest übergeben – versuche, aktuellen Digest aus Registry zu holen..."
+ IMAGE_NAME=$(echo "$IMAGE_FULL" | awk -F'/' '{print $NF}' | awk -F':' '{print $1}')
+ DIGEST=$(curl -s -u "$DOCKER_USER:$DOCKER_PASS" -I \
+ -H "Accept: application/vnd.oci.image.manifest.v1+json" \
+ "$REGISTRY_URL/v2/public/$IMAGE_NAME/manifests/$VERSION_TAG" | \
+ grep -i Docker-Content-Digest | awk '{print $2}' | tr -d '\r')
+
+ if [ -n "$DIGEST" ]; then
+ IMAGE_DIGEST="$REGISTRY_URL/public/$IMAGE_NAME@$DIGEST"
+ echo "✅ Digest gefunden: $IMAGE_DIGEST"
+ else
+ echo "❌ Konnte Digest nicht abrufen – bitte prüfen, ob Image in Registry vorhanden ist."
+ exit 1
+ fi
+else
+ echo "🔖 Digest bereits gesetzt: $IMAGE_DIGEST"
+fi
+echo "--------------------------------------"
+
+# --- ✍️ 3️⃣ Signieren ---
 if [ -n "$COSIGN_KEY" ]; then
 echo "🔏 Signing image using Cosign..."
-
- # Temporäre Datei anlegen
- COSIGN_KEY_FILE=$(mktemp /tmp/cosign-key-XXXXXX)
- echo "$COSIGN_KEY" > "$COSIGN_KEY_FILE"
- chmod 600 "$COSIGN_KEY_FILE"
-
- # Optionales Passwort weitergeben
 export COSIGN_PASSWORD="${COSIGN_PASSWORD:-}"
- # Signieren (mit --yes, falls ohne Interaktion)
- cosign sign --yes --key "$COSIGN_KEY_FILE" "$IMAGE_FULL"
-
- # Digest extrahieren (zur Info oder für Gitea-Release)
- SIGN_DIGEST=$(cosign verify --key "$COSIGN_KEY_FILE" "$IMAGE_FULL" 2>/dev/null | grep docker-manifest-digest | head -n1 | awk -F'"' '{print $4}')
-
- # Schlüssel sicher löschen
- shred -u "$COSIGN_KEY_FILE" 2>/dev/null || rm -f "$COSIGN_KEY_FILE"
+ cosign sign --yes --key env://COSIGN_KEY "$IMAGE_DIGEST"
 echo "✅ Image successfully signed."
 else
 echo "⚠️ Skipping signing step (no COSIGN_KEY provided)"
 fi
+echo "--------------------------------------"
-# --- 2️⃣ Gitea Release erstellen ---
+# --- 🏷️ 4️⃣ Gitea Release erstellen ---
 if [ -n "$GITEA_TOKEN" ] && [ -n "$GITEA_REPO" ] && [ -n "$GITEA_URL" ]; then
 echo "🏷️ Creating Gitea release for $VERSION_TAG..."
- RELEASE_BODY="Automatischer Release für $VERSION_TAG\n\nImage: $IMAGE_FULL"
- [ -n "$SIGN_DIGEST" ] && RELEASE_BODY="$RELEASE_BODY\n\nSignatur-Digest: $SIGN_DIGEST"
-
- curl -s -X POST "$GITEA_URL/api/v1/repos/$GITEA_REPO/releases" \
+ RELEASE_BODY="Automatischer Release für $VERSION_TAG\n\nImage: $IMAGE_FULL\n\nDigest: $IMAGE_DIGEST"
+ curl -sf -X POST "$GITEA_URL/api/v1/repos/$GITEA_REPO/releases" \
 -H "Authorization: token $GITEA_TOKEN" \
 -H "Content-Type: application/json" \
 -d "{
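Review bot: The registry lookup added as `DIGEST=$(curl -s -u "$DOCKER_USER:$DOCKER_PASS" -I … "$REGISTRY_URL/v2/public/$IMAGE_NAME/manifests/$VERSION_TAG" …)` builds its URL without a scheme, and since the same `$REGISTRY_URL` is reused a few lines later as the cosign image reference in `IMAGE_DIGEST="$REGISTRY_URL/public/$IMAGE_NAME@$DIGEST"` it presumably carries none, so curl falls back to plain `http://` and sends the registry password as a cleartext Basic-auth header (a registry that merely redirects to HTTPS would instead yield an empty digest, because `-L` is not given). Prefix `https://`, pin it with `--proto '=https'`, and add `-S --fail` so a 401 or 404 becomes visible in the log instead of being reported as "image not in registry". Two further caveats: `-u user:pass` puts the password on the command line where anything able to list processes in the container can read it (the `docker login --password-stdin` line above already avoids that, so a `-K -` config read from stdin or a netrc file would be consistent), and the single OCI `Accept` value may, depending on the registry, produce a 404 or a re-encoded manifest with a different digest for an image pushed as a Docker schema2 manifest or a multi-arch index — the value that ends up signed must be the digest `docker push` reported, so accept all four media types and sanity-check the result before cosign sees it. The hard-coded `public/` namespace also means that if `IMAGE_FULL` lives in another namespace the script resolves — and signs — a different repository than the one that was pushed. The `curl` call to Gitea at the end of the hunk continues in the next hunk.
```shell
  # … unchanged: IMAGE_NAME extraction …
  # $REGISTRY_URL is scheme-less (it doubles as the cosign reference below), so force TLS
  # explicitly; a bare host makes curl default to http:// and leak the Basic-auth header.
  # Accept every manifest/index type so the registry returns the digest docker push produced.
  DIGEST=$(curl -sS --fail --proto '=https' -u "$DOCKER_USER:$DOCKER_PASS" -I \
    -H "Accept: application/vnd.oci.image.index.v1+json, application/vnd.oci.image.manifest.v1+json, application/vnd.docker.distribution.manifest.list.v2+json, application/vnd.docker.distribution.manifest.v2+json" \
    "https://$REGISTRY_URL/v2/public/$IMAGE_NAME/manifests/$VERSION_TAG" | \
    grep -i Docker-Content-Digest | awk '{print $2}' | tr -d '\r')

  if [ -n "$DIGEST" ]; then
    # Never hand cosign a value that is not a well-formed digest.
    printf '%s\n' "$DIGEST" | grep -Eq '^sha256:[0-9a-f]{64}$' || {
      echo "❌ Unerwarteter Digest-Wert aus der Registry: '$DIGEST'"
      exit 1
    }
    IMAGE_DIGEST="$REGISTRY_URL/public/$IMAGE_NAME@$DIGEST"
    # … unchanged: success message, else branch …
```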
@@ -47,11 +76,11 @@ if [ -n "$GITEA_TOKEN" ] && [ -n "$GITEA_REPO" ] && [ -n "$GITEA_URL" ]; then
 \"body\": \"$RELEASE_BODY\",
 \"draft\": false,
 \"prerelease\": false
- }"
-
- echo "✅ Gitea release created."
+ }" \
+ && echo "✅ Gitea release created." \
+ || echo "⚠️ Fehler beim Erstellen des Gitea-Releases."
 else
- echo "⚠️ Skipping Gitea release creation (missing vars)"
+ echo "⚠️ Skipping Gitea release creation (missing GITEA vars)"
 fi
 echo "=== ✅ Done ==="
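Review bot: The new `curl -sf -X POST …` invocation combined with `|| echo "⚠️ Fehler beim Erstellen des Gitea-Releases."` discards every reason the release POST can fail: `-f` turns a 4xx/5xx into a non-zero exit, but `-s` without `-S` also silences curl's own error line, so an expired `GITEA_TOKEN` (401), a wrong `GITEA_REPO` (404) and a tag that already has a release (409) all produce the same one-line warning. `curl -sSf` keeps the progress meter quiet but lets the HTTP status through to stderr; if the body of a failed response matters, drop `-f` and check the status with `-o /dev/null -w '%{http_code}'` instead. Separately, the JSON payload is still assembled by string interpolation, and `$IMAGE_DIGEST` can now come from the registry lookup or the environment; a `"` or backslash in `$VERSION_TAG`, `$IMAGE_FULL` or `$IMAGE_DIGEST` breaks the document, so if `jq` is available in the image, `jq -n --arg tag "$VERSION_TAG" --arg body "$RELEASE_BODY" '{tag_name:$tag, name:$tag, body:$body, draft:false, prerelease:false}'` is the safer way to build it. The enclosing `if` and the start of the `curl` command are in the previous hunk.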