fix typo

.drone.yml

@@ -57,19 +57,34 @@ steps:
   # 2️⃣ Sign Image with Cosign (Secret-Key aus Variable)
   # --------------------------------------------------
   - name: sign-image
-    image: gcr.io/projectsigstore/cosign:v2.4.0
-    entrypoint: ["cosign"]
-    args:
-      - "sign"
-      - "--yes"
-      - "--key"
-      - "env://COSIGN_KEY"
-      - "$${IMAGE_DIGEST}"
+    image: alpine:3.20
     environment:
       COSIGN_KEY:
         from_secret: COSIGN_KEY
       COSIGN_PASSWORD:
         from_secret: COSIGN_PASSWORD
+      REGISTRY_URL:
+        from_secret: REGISTRY_URL
+      DOCKER_USER:
+        from_secret: DOCKER_USER
+      DOCKER_PASS:
+        from_secret: DOCKER_PASS
+    commands:
+      - echo "=== 🔏 Installing Cosign v3.0.2 ==="
+      - . build.env
+      - apk add --no-cache curl ca-certificates
+      - curl -sSL -o /usr/local/bin/cosign https://github.com/sigstore/cosign/releases/download/v3.0.2/cosign-linux-amd64
+      - chmod +x /usr/local/bin/cosign
+      - cosign version
+      
+      - echo "=== 🔐 Logging in to registry for signing ==="
+      - cosign version
+      - echo "$DOCKER_PASS" | cosign login --username "$DOCKER_USER" --password-stdin "$REGISTRY_URL"
+
+      - echo "=== 🔏 Signing Image ==="
+
+      - cosign sign --yes --key env://COSIGN_KEY "$IMAGE_DIGEST"
+      - echo "✅ Image signed successfully."
     depends_on:
       - export-env
 
@@ -102,8 +117,14 @@ steps:
       - echo "✅ Release created in Gitea."
     depends_on:
       - sign-image
-      
+
 volumes:
   - name: docker_sock
     host:
       path: /var/run/docker.sock
+
+trigger:
+  event:
+    - push
+  branch:
+    - main

Dockerfile

@@ -26,7 +26,7 @@ RUN apk add --no-cache \
 
 # --- Cosign installieren ---
 RUN wget -qO /usr/local/bin/cosign \
-      https://github.com/sigstore/cosign/releases/download/v2.4.0/cosign-linux-amd64 && \
+      https://github.com/sigstore/cosign/releases/download/v3.0.2/cosign-linux-amd64 && \
     chmod +x /usr/local/bin/cosign
 
 # --- Entrypoint-Skript ---

entrypoint.sh

@@ -2,43 +2,72 @@
 set -e
 
 echo "=== 🚀 Drone Publish Tool ==="
-echo "Image: $IMAGE_FULL"
-echo "Version: $VERSION_TAG"
+echo "Image: ${IMAGE_FULL:-<unset>}"
+echo "Version: ${VERSION_TAG:-<unset>}"
+echo "--------------------------------------"
 
-# --- 1️⃣ Signieren ---
+# --- 🧩 0️⃣ Prüfung der Umgebungsvariablen ---
+REQUIRED_VARS="REGISTRY_URL DOCKER_USER DOCKER_PASS IMAGE_FULL VERSION_TAG"
+MISSING_VARS=""
+
+for VAR in $REQUIRED_VARS; do
+  eval "VAL=\$$VAR"
+  if [ -z "$VAL" ]; then
+    MISSING_VARS="$MISSING_VARS $VAR"
+  fi
+done
+
+if [ -n "$MISSING_VARS" ]; then
+  echo "❌ Fehlende Umgebungsvariablen:$MISSING_VARS"
+  exit 1
+fi
+
+# --- 🔐 1️⃣ Login zur Registry ---
+echo "🔐 Logging in to registry $REGISTRY_URL ..."
+echo "$DOCKER_PASS" | docker login "$REGISTRY_URL" -u "$DOCKER_USER" --password-stdin >/dev/null
+echo "✅ Login successful."
+echo "--------------------------------------"
+
+# --- 📦 2️⃣ Digest ermitteln (wenn nicht vorhanden) ---
+if [ -z "$IMAGE_DIGEST" ]; then
+  echo "🔍 Kein Digest übergeben – versuche, aktuellen Digest aus Registry zu holen..."
+  IMAGE_NAME=$(echo "$IMAGE_FULL" | awk -F'/' '{print $NF}' | awk -F':' '{print $1}')
+  DIGEST=$(curl -s -u "$DOCKER_USER:$DOCKER_PASS" -I \
+    -H "Accept: application/vnd.oci.image.manifest.v1+json" \
+    "$REGISTRY_URL/v2/public/$IMAGE_NAME/manifests/$VERSION_TAG" | \
+    grep -i Docker-Content-Digest | awk '{print $2}' | tr -d '\r')
+
+  if [ -n "$DIGEST" ]; then
+    IMAGE_DIGEST="$REGISTRY_URL/public/$IMAGE_NAME@$DIGEST"
+    echo "✅ Digest gefunden: $IMAGE_DIGEST"
+  else
+    echo "❌ Konnte Digest nicht abrufen – bitte prüfen, ob Image in Registry vorhanden ist."
+    exit 1
+  fi
+else
+  echo "🔖 Digest bereits gesetzt: $IMAGE_DIGEST"
+fi
+echo "--------------------------------------"
+
+# --- ✍️ 3️⃣ Signieren ---
 if [ -n "$COSIGN_KEY" ]; then
   echo "🔏 Signing image using Cosign..."
-
-  # Temporäre Datei anlegen
-  COSIGN_KEY_FILE=$(mktemp /tmp/cosign-key-XXXXXX)
-  echo "$COSIGN_KEY" > "$COSIGN_KEY_FILE"
-  chmod 600 "$COSIGN_KEY_FILE"
-
-  # Optionales Passwort weitergeben
   export COSIGN_PASSWORD="${COSIGN_PASSWORD:-}"
 
-  # Signieren (mit --yes, falls ohne Interaktion)
-  cosign sign --yes --key "$COSIGN_KEY_FILE" "$IMAGE_FULL"
-
-  # Digest extrahieren (zur Info oder für Gitea-Release)
-  SIGN_DIGEST=$(cosign verify --key "$COSIGN_KEY_FILE" "$IMAGE_FULL" 2>/dev/null | grep docker-manifest-digest | head -n1 | awk -F'"' '{print $4}')
-
-  # Schlüssel sicher löschen
-  shred -u "$COSIGN_KEY_FILE" 2>/dev/null || rm -f "$COSIGN_KEY_FILE"
+  cosign sign --yes --key env://COSIGN_KEY "$IMAGE_DIGEST"
 
   echo "✅ Image successfully signed."
 else
   echo "⚠️ Skipping signing step (no COSIGN_KEY provided)"
 fi
+echo "--------------------------------------"
 
-# --- 2️⃣ Gitea Release erstellen ---
+# --- 🏷️ 4️⃣ Gitea Release erstellen ---
 if [ -n "$GITEA_TOKEN" ] && [ -n "$GITEA_REPO" ] && [ -n "$GITEA_URL" ]; then
   echo "🏷️ Creating Gitea release for $VERSION_TAG..."
 
-  RELEASE_BODY="Automatischer Release für $VERSION_TAG\n\nImage: $IMAGE_FULL"
-  [ -n "$SIGN_DIGEST" ] && RELEASE_BODY="$RELEASE_BODY\n\nSignatur-Digest: $SIGN_DIGEST"
-
-  curl -s -X POST "$GITEA_URL/api/v1/repos/$GITEA_REPO/releases" \
+  RELEASE_BODY="Automatischer Release für $VERSION_TAG\n\nImage: $IMAGE_FULL\n\nDigest: $IMAGE_DIGEST"
+  curl -sf -X POST "$GITEA_URL/api/v1/repos/$GITEA_REPO/releases" \
     -H "Authorization: token $GITEA_TOKEN" \
     -H "Content-Type: application/json" \
     -d "{
@@ -47,11 +76,11 @@ if [ -n "$GITEA_TOKEN" ] && [ -n "$GITEA_REPO" ] && [ -n "$GITEA_URL" ]; then
           \"body\": \"$RELEASE_BODY\",
           \"draft\": false,
           \"prerelease\": false
-        }"
-
-  echo "✅ Gitea release created."
+        }" \
+    && echo "✅ Gitea release created." \
+    || echo "⚠️ Fehler beim Erstellen des Gitea-Releases."
 else
-  echo "⚠️ Skipping Gitea release creation (missing vars)"
+  echo "⚠️ Skipping Gitea release creation (missing GITEA vars)"
 fi
 
 echo "=== ✅ Done ==="