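---
# Drone CI pipeline: build and push a container image, sign it with
# cosign, then create a Gitea release pointing at the pushed image.
# Step 1 writes VERSION_TAG and IMAGE_FULL to build.env in the shared
# workspace; steps 2 and 3 source that file to pick them up.
kind: pipeline
type: docker
name: build-sign-and-release

steps:
  # --------------------------------------------------
  # 1️⃣ Build & Push Image
  # --------------------------------------------------
  - name: build-and-push
    image: docker:26
    # NOTE(review): the host Docker socket is mounted below, so `docker build`
    # talks to the host daemon; `privileged` is probably redundant with that
    # mount — confirm before removing it.
    privileged: true
    environment:
      REGISTRY_URL:
        from_secret: REGISTRY_URL
      DOCKER_USER:
        from_secret: DOCKER_USER
      DOCKER_PASS:
        from_secret: DOCKER_PASS
    volumes:
      - name: docker_sock
        path: /var/run/docker.sock
    commands:
      - echo "=== 🏗️ Building and Pushing Image ==="
      # Feed the password on stdin instead of `-p` so it never appears in
      # the step log or the container's process list (same pattern the
      # cosign login in step 2 already uses).
      - echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin "$REGISTRY_URL"
      - VERSION_TAG="v$DRONE_BUILD_NUMBER"
      - IMAGE_NAME="public/drone-publish-tool"
      - IMAGE_FULL="$REGISTRY_URL/$IMAGE_NAME:$VERSION_TAG"
      - echo "Building image $IMAGE_FULL ..."
      - docker build -t "$IMAGE_FULL" .
      - docker tag "$IMAGE_FULL" "$REGISTRY_URL/$IMAGE_NAME:latest"
      - echo "Pushing images to $REGISTRY_URL ..."
      - docker push "$IMAGE_FULL"
      - docker push "$REGISTRY_URL/$IMAGE_NAME:latest"
      # Hand the computed names to the following steps via the workspace.
      - echo "VERSION_TAG=$VERSION_TAG" >> build.env
      - echo "IMAGE_FULL=$IMAGE_FULL" >> build.env
      - echo "✅ Build and push complete."

  # --------------------------------------------------
  # 2️⃣ Sign Image with Cosign (private key supplied via secret variable)
  # --------------------------------------------------
  - name: sign-image
    image: gcr.io/projectsigstore/cosign:v2.4.0
    environment:
      COSIGN_KEY:
        from_secret: COSIGN_KEY
      COSIGN_PASSWORD:
        from_secret: COSIGN_PASSWORD
      REGISTRY_URL:
        from_secret: REGISTRY_URL
      DOCKER_USER:
        from_secret: DOCKER_USER
      DOCKER_PASS:
        from_secret: DOCKER_PASS
    commands:
      - echo "=== 🔏 Signing image with Cosign ==="
      - . build.env
      - echo "$DOCKER_PASS" | cosign login --username "$DOCKER_USER" --password-stdin "$REGISTRY_URL"
      # 🔐 Write the cosign private key from the secret into a temporary file,
      # readable only by the current user, and destroy it after signing.
      # (cosign also accepts `--key env://COSIGN_KEY`, which would avoid
      # touching disk at all.)
      - echo "$COSIGN_KEY" > /tmp/cosign.key
      - chmod 600 /tmp/cosign.key
      # Signing by tag attaches the signature to whatever digest the tag
      # resolves to at this moment; passing the pushed digest instead would
      # remove that window.
      - cosign sign --yes --key /tmp/cosign.key "$IMAGE_FULL"
      - shred -u /tmp/cosign.key || rm -f /tmp/cosign.key
      - echo "✅ Image successfully signed."

  # --------------------------------------------------
  # 3️⃣ Create Gitea Release
  # --------------------------------------------------
  - name: create-release
    image: curlimages/curl:8.10.1
    environment:
      GITEA_URL:
        from_secret: GITEA_URL
      GITEA_TOKEN:
        from_secret: GITEA_TOKEN
    commands:
      - echo "=== 🏷️ Creating Gitea release ==="
      - . build.env
      - RELEASE_NAME="Release $VERSION_TAG"
      - RELEASE_BODY="Automatisch erstellter Release für Build $DRONE_BUILD_NUMBER\n\nImage:\n\`\`\`\n$IMAGE_FULL\n\`\`\`"
      # --fail-with-body makes a non-2xx response (bad token, wrong repo,
      # tag already exists) fail the step instead of silently passing,
      # while still printing the API's error message.
      - |
        curl -s --fail-with-body -X POST "$GITEA_URL/api/v1/repos/${DRONE_REPO_OWNER}/${DRONE_REPO_NAME}/releases" \
          -H "Authorization: token $GITEA_TOKEN" \
          -H "Content-Type: application/json" \
          -d "{ \"tag_name\": \"$VERSION_TAG\", \"name\": \"$RELEASE_NAME\", \"body\": \"$RELEASE_BODY\", \"draft\": false, \"prerelease\": false }"
      - echo "✅ Release created in Gitea."

# Host Docker socket, mounted only into the build step.
volumes:
  - name: docker_sock
    host:
      path: /var/run/docker.sock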