update entrypoint

entrypoint.sh

@@ -2,43 +2,72 @@
 set -e
 
 echo "=== 🚀 Drone Publish Tool ==="
-echo "Image: $IMAGE_FULL"
+echo "Image: ${IMAGE_FULL:-<unset>}"
-echo "Version: $VERSION_TAG"
+echo "Version: ${VERSION_TAG:-<unset>}"
+echo "--------------------------------------"
 
-# --- 1️⃣ Signieren ---
+# --- 🧩 0️⃣ Prüfung der Umgebungsvariablen ---
+REQUIRED_VARS="REGISTRY_URL DOCKER_USER DOCKER_PASS IMAGE_FULL VERSION_TAG"
+MISSING_VARS=""
+
+for VAR in $REQUIRED_VARS; do
+  eval "VAL=\$$VAR"
+  if [ -z "$VAL" ]; then
+    MISSING_VARS="$MISSING_VARS $VAR"
+  fi
+done
+
+if [ -n "$MISSING_VARS" ]; then
+  echo "❌ Fehlende Umgebungsvariablen:$MISSING_VARS"
+  exit 1
+fi
+
+# --- 🔐 1️⃣ Login zur Registry ---
+echo "🔐 Logging in to registry $REGISTRY_URL ..."
+echo "$DOCKER_PASS" | docker login "$REGISTRY_URL" -u "$DOCKER_USER" --password-stdin >/dev/null
+echo "✅ Login successful."
+echo "--------------------------------------"
+
+# --- 📦 2️⃣ Digest ermitteln (wenn nicht vorhanden) ---
+if [ -z "$IMAGE_DIGEST" ]; then
+  echo "🔍 Kein Digest übergeben – versuche, aktuellen Digest aus Registry zu holen..."
+  IMAGE_NAME=$(echo "$IMAGE_FULL" | awk -F'/' '{print $NF}' | awk -F':' '{print $1}')
+  DIGEST=$(curl -s -u "$DOCKER_USER:$DOCKER_PASS" -I \
+    -H "Accept: application/vnd.oci.image.manifest.v1+json" \
+    "$REGISTRY_URL/v2/public/$IMAGE_NAME/manifests/$VERSION_TAG" | \
+    grep -i Docker-Content-Digest | awk '{print $2}' | tr -d '\r')
+
+  if [ -n "$DIGEST" ]; then
+    IMAGE_DIGEST="$REGISTRY_URL/public/$IMAGE_NAME@$DIGEST"
+    echo "✅ Digest gefunden: $IMAGE_DIGEST"
+  else
+    echo "❌ Konnte Digest nicht abrufen – bitte prüfen, ob Image in Registry vorhanden ist."
+    exit 1
+  fi
+else
+  echo "🔖 Digest bereits gesetzt: $IMAGE_DIGEST"
+fi
+echo "--------------------------------------"
+
+# --- ✍️ 3️⃣ Signieren ---
 if [ -n "$COSIGN_KEY" ]; then
   echo "🔏 Signing image using Cosign..."
-
-  # Temporäre Datei anlegen
-  COSIGN_KEY_FILE=$(mktemp /tmp/cosign-key-XXXXXX)
-  echo "$COSIGN_KEY" > "$COSIGN_KEY_FILE"
-  chmod 600 "$COSIGN_KEY_FILE"
-
-  # Optionales Passwort weitergeben
   export COSIGN_PASSWORD="${COSIGN_PASSWORD:-}"
 
-  # Signieren (mit --yes, falls ohne Interaktion)
+  cosign sign --yes --key env://COSIGN_KEY "$IMAGE_DIGEST"
-  cosign sign --yes --key "$COSIGN_KEY_FILE" "$IMAGE_FULL"
-
-  # Digest extrahieren (zur Info oder für Gitea-Release)
-  SIGN_DIGEST=$(cosign verify --key "$COSIGN_KEY_FILE" "$IMAGE_FULL" 2>/dev/null | grep docker-manifest-digest | head -n1 | awk -F'"' '{print $4}')
-
-  # Schlüssel sicher löschen
-  shred -u "$COSIGN_KEY_FILE" 2>/dev/null || rm -f "$COSIGN_KEY_FILE"
 
   echo "✅ Image successfully signed."
 else
   echo "⚠️ Skipping signing step (no COSIGN_KEY provided)"
 fi
+echo "--------------------------------------"
 
-# --- 2️⃣ Gitea Release erstellen ---
+# --- 🏷️ 4️⃣ Gitea Release erstellen ---
 if [ -n "$GITEA_TOKEN" ] && [ -n "$GITEA_REPO" ] && [ -n "$GITEA_URL" ]; then
   echo "🏷️ Creating Gitea release for $VERSION_TAG..."
 
-  RELEASE_BODY="Automatischer Release für $VERSION_TAG\n\nImage: $IMAGE_FULL"
+  RELEASE_BODY="Automatischer Release für $VERSION_TAG\n\nImage: $IMAGE_FULL\n\nDigest: $IMAGE_DIGEST"
-  [ -n "$SIGN_DIGEST" ] && RELEASE_BODY="$RELEASE_BODY\n\nSignatur-Digest: $SIGN_DIGEST"
+  curl -sf -X POST "$GITEA_URL/api/v1/repos/$GITEA_REPO/releases" \
-
-  curl -s -X POST "$GITEA_URL/api/v1/repos/$GITEA_REPO/releases" \
     -H "Authorization: token $GITEA_TOKEN" \
     -H "Content-Type: application/json" \
     -d "{
@@ -47,11 +76,11 @@ if [ -n "$GITEA_TOKEN" ] && [ -n "$GITEA_REPO" ] && [ -n "$GITEA_URL" ]; then
           \"body\": \"$RELEASE_BODY\",
           \"draft\": false,
           \"prerelease\": false
-        }"
+        }" \
-
+    && echo "✅ Gitea release created." \
-  echo "✅ Gitea release created."
+    || echo "⚠️ Fehler beim Erstellen des Gitea-Releases."
 else
-  echo "⚠️ Skipping Gitea release creation (missing vars)"
+  echo "⚠️ Skipping Gitea release creation (missing GITEA vars)"
 fi
 
 echo "=== ✅ Done ==="