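#!/bin/sh
# Drone publish step: optionally signs a container image with Cosign and
# optionally creates a matching Gitea release.
#
# Environment:
#   IMAGE_FULL       image reference to sign (required when COSIGN_KEY is set)
#   VERSION_TAG      release tag (required when the Gitea variables are set)
#   COSIGN_KEY       private key material; signing is skipped when empty
#   COSIGN_PASSWORD  optional key password, exported for cosign
#   GITEA_URL, GITEA_REPO, GITEA_TOKEN
#                    the release is skipped unless all three are non-empty
set -e

# Never inherit these from the caller's environment: a stale SIGN_DIGEST would
# otherwise be published in the release notes even when signing was skipped.
SIGN_DIGEST=""
COSIGN_KEY_FILE=""

#######################################
# Escape a value for use inside a JSON string literal.
# Arguments: $1 - raw value
# Outputs:   the value with backslashes and double quotes escaped
# Note:      only backslash and double quote are handled; the values are
#            assumed to be single-line (tags, image references, digests).
#######################################
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

#######################################
# Remove the temporary private-key file, if one exists.
# Globals:   COSIGN_KEY_FILE (read)
# Note:      shred is best effort; it falls back to a plain rm when shred is
#            missing or fails.
#######################################
cleanup_key() {
  if [ -n "$COSIGN_KEY_FILE" ] && [ -e "$COSIGN_KEY_FILE" ]; then
    shred -u "$COSIGN_KEY_FILE" 2>/dev/null || rm -f "$COSIGN_KEY_FILE"
  fi
}

echo "=== 🚀 Drone Publish Tool ==="
printf '%s\n' "Image: $IMAGE_FULL"
printf '%s\n' "Version: $VERSION_TAG"

# --- 1️⃣ Sign ---
if [ -n "$COSIGN_KEY" ]; then
  : "${IMAGE_FULL:?IMAGE_FULL must be set to sign an image}"
  echo "🔏 Signing image using Cosign..."

  # Install the cleanup before the key touches disk, so that a failing cosign
  # call (set -e) or a signal cannot leave the private key behind in /tmp.
  trap cleanup_key EXIT
  trap 'exit 1' HUP INT TERM

  # Create the temporary key file and restrict it before writing the key.
  COSIGN_KEY_FILE=$(mktemp /tmp/cosign-key-XXXXXX)
  chmod 600 "$COSIGN_KEY_FILE"
  # printf instead of echo: echo's backslash handling differs between shells.
  printf '%s\n' "$COSIGN_KEY" > "$COSIGN_KEY_FILE"

  # Pass the optional password on to cosign.
  export COSIGN_PASSWORD="${COSIGN_PASSWORD:-}"

  # Sign (--yes so that no interactive confirmation is needed).
  cosign sign --yes --key "$COSIGN_KEY_FILE" "$IMAGE_FULL"

  # Extract the digest (informational, also used for the Gitea release).
  # NOTE(review): verify is given the same key file that was used for signing
  # and its stderr is discarded, so a failed verification only shows up as an
  # empty SIGN_DIGEST. Confirm that cosign accepts this key for verify, or
  # supply the public key here.
  SIGN_DIGEST=$(cosign verify --key "$COSIGN_KEY_FILE" "$IMAGE_FULL" 2>/dev/null \
    | grep docker-manifest-digest \
    | head -n1 \
    | awk -F'"' '{print $4}')

  # Delete the key as soon as it is no longer needed.
  cleanup_key
  COSIGN_KEY_FILE=""

  echo "✅ Image successfully signed."
else
  echo "⚠️ Skipping signing step (no COSIGN_KEY provided)"
fi

# --- 2️⃣ Create Gitea release ---
if [ -n "$GITEA_TOKEN" ] && [ -n "$GITEA_REPO" ] && [ -n "$GITEA_URL" ]; then
  : "${VERSION_TAG:?VERSION_TAG must be set to create a release}"
  printf '%s\n' "🏷️ Creating Gitea release for $VERSION_TAG..."

  # Escape every interpolated value so that a quote or backslash in a tag or
  # image name cannot break out of the JSON string. The literal \n sequences
  # below are JSON newline escapes and are intentionally left unescaped.
  TAG_JSON=$(json_escape "$VERSION_TAG")
  IMAGE_JSON=$(json_escape "$IMAGE_FULL")
  RELEASE_BODY="Automatischer Release für $TAG_JSON\n\nImage: $IMAGE_JSON"
  if [ -n "$SIGN_DIGEST" ]; then
    RELEASE_BODY="$RELEASE_BODY\n\nSignatur-Digest: $(json_escape "$SIGN_DIGEST")"
  fi

  # -f turns an HTTP error status into a non-zero exit, so a rejected request
  # is no longer reported as a created release; -S keeps the error message
  # visible despite -s.
  # NOTE(review): the token is passed on curl's command line and is visible in
  # the process list for the duration of the call.
  if ! curl -fsS -X POST "$GITEA_URL/api/v1/repos/$GITEA_REPO/releases" \
    -H "Authorization: token $GITEA_TOKEN" \
    -H "Content-Type: application/json" \
    -d "{
      \"tag_name\": \"$TAG_JSON\",
      \"name\": \"Release $TAG_JSON\",
      \"body\": \"$RELEASE_BODY\",
      \"draft\": false,
      \"prerelease\": false
    }"; then
    echo "❌ Gitea release creation failed" >&2
    exit 1
  fi

  echo "✅ Gitea release created."
else
  echo "⚠️ Skipping Gitea release creation (missing vars)"
fi

echo "=== ✅ Done ==="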