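---
# Drone CI pipeline: build an OCI image, push it to a private registry, sign
# the pushed image digest with cosign, then create a Gitea release for the
# build number.
#
# Review notes (not verified against the runner in use):
# - NOTE(review): `outputs:` on a step and the writes to /drone/env in the
#   export-env step are not part of the Drone pipeline keys I know; the later
#   steps source build.env from the shared workspace themselves, so confirm
#   whether export-env actually has any effect or can be dropped.
# - The step images (docker:26, alpine:3.20, curlimages/curl:8.10.1) are
#   mutable tags; pin them by digest (`image: <name>@sha256:<digest>`) once
#   the intended digests are known, so the build toolchain is reproducible.
# - Mounting the host docker socket grants root-equivalent access to the host;
#   keep this pipeline limited to trusted repositories.
kind: pipeline
type: docker
name: build-sign-and-release

steps:
  # --------------------------------------------------
  # 1️⃣ Build & push image
  # --------------------------------------------------
  - name: build-and-push
    image: docker:26
    # `privileged: true` was removed: the docker CLI only talks to the mounted
    # host socket below and does not need a privileged container for that.
    environment:
      REGISTRY_URL:
        from_secret: REGISTRY_URL
      DOCKER_USER:
        from_secret: DOCKER_USER
      DOCKER_PASS:
        from_secret: DOCKER_PASS
    volumes:
      - name: docker_sock
        path: /var/run/docker.sock
    commands:
      - echo "=== πŸ—οΈ Building and Pushing Image ==="
      # --password-stdin keeps the registry password out of the process list
      # and out of the echoed command in the step log.
      - echo "$DOCKER_PASS" | docker login "$REGISTRY_URL" -u "$DOCKER_USER" --password-stdin
      - VERSION_TAG="v$DRONE_BUILD_NUMBER"
      - IMAGE_NAME="public/drone-publish-tool"
      - IMAGE_FULL="$REGISTRY_URL/$IMAGE_NAME:$VERSION_TAG"
      - echo "Building image $IMAGE_FULL ..."
      - docker build -t "$IMAGE_FULL" .
      - docker tag "$IMAGE_FULL" "$REGISTRY_URL/$IMAGE_NAME:latest"
      - echo "Pushing images to $REGISTRY_URL ..."
      - docker push "$IMAGE_FULL"
      - docker push "$REGISTRY_URL/$IMAGE_NAME:latest"
      # The repo digest (registry/name@sha256:...) is what the sign step
      # signs; :latest points at the same digest, so one signature covers
      # both tags. Fail here rather than later if no digest was recorded.
      - DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE_FULL")
      - test -n "$DIGEST"
      # build.env is handed to the later steps through the shared workspace.
      - echo "VERSION_TAG=$VERSION_TAG" >> build.env
      - echo "IMAGE_FULL=$IMAGE_FULL" >> build.env
      - echo "IMAGE_DIGEST=$DIGEST" >> build.env
      - echo "βœ… Build and push complete."
    outputs:
      - build.env

  - name: export-env
    image: alpine:3.20
    depends_on:
      - build-and-push
    commands:
      - echo "=== πŸ“¦ Loading build.env into environment ==="
      - export $(xargs < build.env)
      - echo "IMAGE_DIGEST=$IMAGE_DIGEST" >> /drone/env
      - echo "IMAGE_FULL=$IMAGE_FULL" >> /drone/env
      - echo "VERSION_TAG=$VERSION_TAG" >> /drone/env

  # --------------------------------------------------
  # 2️⃣ Sign image with cosign (secret key supplied via variable)
  # --------------------------------------------------
  - name: sign-image
    image: alpine:3.20
    depends_on:
      - export-env
    environment:
      COSIGN_KEY:
        from_secret: COSIGN_KEY
      COSIGN_PASSWORD:
        from_secret: COSIGN_PASSWORD
      REGISTRY_URL:
        from_secret: REGISTRY_URL
      DOCKER_USER:
        from_secret: DOCKER_USER
      DOCKER_PASS:
        from_secret: DOCKER_PASS
    commands:
      - echo "=== πŸ” Installing Cosign v3.0.2 ==="
      # Explicit ./ so the dot command reads the workspace file instead of
      # depending on a PATH lookup (POSIX sh searches PATH for a bare name).
      - . ./build.env
      - apk add --no-cache curl ca-certificates
      # -f makes an HTTP error fail the step instead of saving the error page
      # as the "binary".
      # TODO(review): the download is not integrity-checked; pin the expected
      # sha256 of cosign-linux-amd64 for this release and verify it with
      # `sha256sum -c` before chmod +x.
      - curl -fsSL -o /usr/local/bin/cosign https://github.com/sigstore/cosign/releases/download/v3.0.2/cosign-linux-amd64
      - chmod +x /usr/local/bin/cosign
      - cosign version
      - echo "=== πŸ” Logging in to registry for signing ==="
      - echo "$DOCKER_PASS" | cosign login --username "$DOCKER_USER" --password-stdin "$REGISTRY_URL"
      - echo "=== πŸ” Signing Image ==="
      # Signing the immutable digest, not the tag, so the signature cannot be
      # re-pointed by a later push to the same tag.
      - cosign sign --yes --key env://COSIGN_KEY "$IMAGE_DIGEST"
      - echo "βœ… Image signed successfully."

  # --------------------------------------------------
  # 3️⃣ Create Gitea release
  # --------------------------------------------------
  - name: create-release
    image: curlimages/curl:8.10.1
    depends_on:
      - sign-image
    environment:
      GITEA_URL:
        from_secret: GITEA_URL
      GITEA_TOKEN:
        from_secret: GITEA_TOKEN
    commands:
      - echo "=== 🏷️ Creating Gitea release ==="
      - . ./build.env
      - RELEASE_NAME="Release $VERSION_TAG"
      - RELEASE_BODY="Automatisch erstellter Release fΓΌr Build $DRONE_BUILD_NUMBER\n\nImage:\n\`\`\`\n$IMAGE_FULL\n\`\`\`"
      # The JSON body is built by string interpolation; the values come from
      # this pipeline's own secrets and build number, but a double quote in
      # REGISTRY_URL would still break the payload — keep that in mind.
      # --fail-with-body turns a non-2xx API response into a step failure
      # (plain -s would exit 0 and silently skip the release) and still
      # prints Gitea's error message.
      - |
        curl -sS --fail-with-body -X POST "$GITEA_URL/api/v1/repos/${DRONE_REPO_OWNER}/${DRONE_REPO_NAME}/releases" \
          -H "Authorization: token $GITEA_TOKEN" \
          -H "Content-Type: application/json" \
          -d "{ \"tag_name\": \"$VERSION_TAG\", \"name\": \"$RELEASE_NAME\", \"body\": \"$RELEASE_BODY\", \"draft\": false, \"prerelease\": false }"
      - echo "βœ… Release created in Gitea."

volumes:
  # Host docker socket used by build-and-push; root-equivalent on the host.
  - name: docker_sock
    host:
      path: /var/run/docker.sock

trigger:
  event:
    - push
  branch:
    - main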