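---
# Drone pipeline: build an image, push it by tag, record its immutable digest,
# and sign that digest with cosign. Runs only for pushes to main (see `trigger`).
#
# The host docker socket is mounted into the build step (see `volumes` at the
# bottom). That is root-equivalent access to the runner host, so this repository
# must be marked "trusted" in Drone and every step here should be treated as
# running with host-level privilege.
kind: pipeline
type: docker
name: build-sign-and-release

steps:
  # --------------------------------------------------
  # 1️⃣ Build & Push Image
  # --------------------------------------------------
  - name: build-and-push
    image: docker:26
    # `privileged: true` is not needed: the docker CLI in this image only talks
    # to the mounted host socket, which requires no extra capabilities inside
    # the container. Least privilege — the socket mount is already enough.
    environment:
      REGISTRY_URL:
        from_secret: REGISTRY_URL
      DOCKER_USER:
        from_secret: DOCKER_USER
      DOCKER_PASS:
        from_secret: DOCKER_PASS
    volumes:
      - name: docker_sock
        path: /var/run/docker.sock
    commands:
      - echo "=== 🏗️ Building and Pushing Image ==="
      # --password-stdin keeps the registry password out of argv (visible in
      # `ps` / audit logs); `-p` is deprecated by docker for that reason.
      - echo "$DOCKER_PASS" | docker login "$REGISTRY_URL" -u "$DOCKER_USER" --password-stdin
      - VERSION_TAG="v$DRONE_BUILD_NUMBER"
      - IMAGE_NAME="public/drone-publish-tool"
      - IMAGE_FULL="$REGISTRY_URL/$IMAGE_NAME:$VERSION_TAG"
      - echo "Building image $IMAGE_FULL ..."
      - docker build -t "$IMAGE_FULL" .
      - docker tag "$IMAGE_FULL" "$REGISTRY_URL/$IMAGE_NAME:latest"
      - echo "Pushing images to $REGISTRY_URL ..."
      - docker push "$IMAGE_FULL"
      - docker push "$REGISTRY_URL/$IMAGE_NAME:latest"
      # RepoDigests is filled in by the push. Entry 0 is assumed to be the digest
      # of the image just pushed to $REGISTRY_URL — confirm if this image ever
      # gets pushed to more than one registry.
      - DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' "$IMAGE_FULL")
      # Fail here rather than handing an empty value to the signing step.
      - test -n "$DIGEST"
      # build.env is picked up by export-env; the Drone workspace is shared
      # between steps, so the file persists without further plumbing.
      - echo "VERSION_TAG=$VERSION_TAG" >> build.env
      - echo "IMAGE_FULL=$IMAGE_FULL" >> build.env
      - echo "IMAGE_DIGEST=$DIGEST" >> build.env
      - echo "✅ Build and push complete."
    # NOTE(review): `outputs` is not a documented docker-runner step key — confirm
    # the runner honours it; build.env already survives via the shared workspace.
    outputs:
      - build.env

  - name: export-env
    image: alpine:3.20
    commands:
      - echo "=== 📦 Loading build.env into environment ==="
      # `set -a` exports every variable the sourced file defines.
      - set -a
      - . ./build.env
      - set +a
      # Writing to /drone/env makes the variables available to later steps.
      - echo "IMAGE_DIGEST=$IMAGE_DIGEST" >> /drone/env
      - echo "IMAGE_FULL=$IMAGE_FULL" >> /drone/env
      - echo "VERSION_TAG=$VERSION_TAG" >> /drone/env
    depends_on:
      - build-and-push

  # --------------------------------------------------
  # 2️⃣ Sign Image with Cosign (secret key supplied via variable)
  # --------------------------------------------------
  - name: sign-image
    image: alpine:3.20
    environment:
      # Read by cosign through env://COSIGN_KEY — the key never touches disk.
      COSIGN_KEY:
        from_secret: COSIGN_KEY
      # Picked up by cosign automatically to decrypt COSIGN_KEY.
      COSIGN_PASSWORD:
        from_secret: COSIGN_PASSWORD
      # IMAGE_DIGEST deliberately comes only from export-env (/drone/env). The
      # previous optional `from_secret: IMAGE_DIGEST` could silently replace the
      # freshly built digest with a stale repository secret.
      COSIGN_VERSION: "v3.0.2"
    commands:
      - echo "=== 🔐 Installing Cosign $COSIGN_VERSION ==="
      - apk add --no-cache curl ca-certificates
      - COSIGN_RELEASE="https://github.com/sigstore/cosign/releases/download/$COSIGN_VERSION"
      # -f makes curl fail on HTTP errors instead of saving an error page as the binary.
      - curl -fsSL -o /tmp/cosign-linux-amd64 "$COSIGN_RELEASE/cosign-linux-amd64"
      - curl -fsSL -o /tmp/cosign_checksums.txt "$COSIGN_RELEASE/cosign_checksums.txt"
      # Verify the download against the release's published checksum list. The
      # list comes from the same origin as the binary, so this catches corruption
      # and a swapped asset, not a compromised release; pinning the expected
      # sha256 inline here would be the stronger guarantee.
      - (cd /tmp && grep ' cosign-linux-amd64$' cosign_checksums.txt | sha256sum -c -)
      - install -m 0755 /tmp/cosign-linux-amd64 /usr/local/bin/cosign
      - echo "=== 🔐 Signing Image ==="
      - cosign version
      # Only sign an immutable @sha256 reference: signing a mutable tag would
      # attest whatever the tag points to later, not the image built above.
      - test -n "$IMAGE_DIGEST"
      - |
        case "$IMAGE_DIGEST" in
          *@sha256:*) ;;
          *) echo "IMAGE_DIGEST is not an immutable digest reference: $IMAGE_DIGEST" >&2; exit 1 ;;
        esac
      - cosign sign --yes --key env://COSIGN_KEY "$IMAGE_DIGEST"
      - echo "✅ Image signed successfully."
    depends_on:
      - export-env

  # --------------------------------------------------
  # 3️⃣ Create Gitea Release (currently disabled)
  # --------------------------------------------------
  # - name: create-release
  #   image: curlimages/curl:8.10.1
  #   environment:
  #     GITEA_URL:
  #       from_secret: GITEA_URL
  #     GITEA_TOKEN:
  #       from_secret: GITEA_TOKEN
  #   commands:
  #     - echo "=== 🏷️ Creating Gitea release ==="
  #     - . build.env
  #     - RELEASE_NAME="Release $VERSION_TAG"
  #     - RELEASE_BODY="Automatisch erstellter Release für Build $DRONE_BUILD_NUMBER\n\nImage:\n\`\`\`\n$IMAGE_FULL\n\`\`\`"
  #     - |
  #       curl -s -X POST "$GITEA_URL/api/v1/repos/${DRONE_REPO_OWNER}/${DRONE_REPO_NAME}/releases" \
  #         -H "Authorization: token $GITEA_TOKEN" \
  #         -H "Content-Type: application/json" \
  #         -d "{
  #           \"tag_name\": \"$VERSION_TAG\",
  #           \"name\": \"$RELEASE_NAME\",
  #           \"body\": \"$RELEASE_BODY\",
  #           \"draft\": false,
  #           \"prerelease\": false
  #         }"
  #     - echo "✅ Release created in Gitea."
  #   depends_on:
  #     - sign-image

volumes:
  # Host docker socket: grants host-level control to any step that mounts it.
  - name: docker_sock
    host:
      path: /var/run/docker.sock

trigger:
  event:
    - push
  branch:
    - main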