97 lines
3.3 KiB
YAML
97 lines
3.3 KiB
YAML
kind: pipeline
|
||
type: docker
|
||
name: build-sign-and-release
|
||
|
||
steps:
|
||
# --------------------------------------------------
|
||
# 1️⃣ Build & Push Image
|
||
# --------------------------------------------------
|
||
- name: build-and-push
|
||
image: docker:26
|
||
privileged: true
|
||
environment:
|
||
REGISTRY_URL:
|
||
from_secret: REGISTRY_URL
|
||
DOCKER_USER:
|
||
from_secret: DOCKER_USER
|
||
DOCKER_PASS:
|
||
from_secret: DOCKER_PASS
|
||
volumes:
|
||
- name: docker_sock
|
||
path: /var/run/docker.sock
|
||
commands:
|
||
- echo "=== 🏗️ Building and Pushing Image ==="
|
||
- docker login $REGISTRY_URL -u "$DOCKER_USER" -p "$DOCKER_PASS"
|
||
- VERSION_TAG="v$DRONE_BUILD_NUMBER"
|
||
- IMAGE_NAME="public/drone-publish-tool"
|
||
- IMAGE_FULL="$REGISTRY_URL/$IMAGE_NAME:$VERSION_TAG"
|
||
- echo "Building image $IMAGE_FULL ..."
|
||
- docker build -t $IMAGE_FULL .
|
||
- docker tag $IMAGE_FULL $REGISTRY_URL/$IMAGE_NAME:latest
|
||
- echo "Pushing images to $REGISTRY_URL ..."
|
||
- docker push $IMAGE_FULL
|
||
- docker push $REGISTRY_URL/$IMAGE_NAME:latest
|
||
- echo "VERSION_TAG=$VERSION_TAG" >> build.env
|
||
- echo "IMAGE_FULL=$IMAGE_FULL" >> build.env
|
||
- echo "✅ Build and push complete."
|
||
|
||
# --------------------------------------------------
|
||
# 2️⃣ Sign Image with Cosign (Secret-Key aus Variable)
|
||
# --------------------------------------------------
|
||
- name: sign-image
|
||
image: gcr.io/projectsigstore/cosign:v2.4.0
|
||
environment:
|
||
COSIGN_KEY:
|
||
from_secret: COSIGN_KEY
|
||
COSIGN_PASSWORD:
|
||
from_secret: COSIGN_PASSWORD
|
||
REGISTRY_URL:
|
||
from_secret: REGISTRY_URL
|
||
DOCKER_USER:
|
||
from_secret: DOCKER_USER
|
||
DOCKER_PASS:
|
||
from_secret: DOCKER_PASS
|
||
commands:
|
||
- echo "=== 🔏 Signing image with Cosign ==="
|
||
- . build.env
|
||
- echo "$DOCKER_PASS" | cosign login --username "$DOCKER_USER" --password-stdin "$REGISTRY_URL"
|
||
# 🔐 Cosign-Key aus Secret in temporäre Datei schreiben
|
||
- echo "$COSIGN_KEY" > /tmp/cosign.key
|
||
- chmod 600 /tmp/cosign.key
|
||
- cosign sign --yes --key /tmp/cosign.key "$IMAGE_FULL"
|
||
- shred -u /tmp/cosign.key || rm -f /tmp/cosign.key
|
||
- echo "✅ Image successfully signed."
|
||
|
||
# --------------------------------------------------
|
||
# 3️⃣ Create Gitea Release
|
||
# --------------------------------------------------
|
||
- name: create-release
|
||
image: curlimages/curl:8.10.1
|
||
environment:
|
||
GITEA_URL:
|
||
from_secret: GITEA_URL
|
||
GITEA_TOKEN:
|
||
from_secret: GITEA_TOKEN
|
||
commands:
|
||
- echo "=== 🏷️ Creating Gitea release ==="
|
||
- . build.env
|
||
- RELEASE_NAME="Release $VERSION_TAG"
|
||
- RELEASE_BODY="Automatisch erstellter Release für Build $DRONE_BUILD_NUMBER\n\nImage:\n\`\`\`\n$IMAGE_FULL\n\`\`\`"
|
||
- |
|
||
curl -s -X POST "$GITEA_URL/api/v1/repos/${DRONE_REPO_OWNER}/${DRONE_REPO_NAME}/releases" \
|
||
-H "Authorization: token $GITEA_TOKEN" \
|
||
-H "Content-Type: application/json" \
|
||
-d "{
|
||
\"tag_name\": \"$VERSION_TAG\",
|
||
\"name\": \"$RELEASE_NAME\",
|
||
\"body\": \"$RELEASE_BODY\",
|
||
\"draft\": false,
|
||
\"prerelease\": false
|
||
}"
|
||
- echo "✅ Release created in Gitea."
|
||
|
||
volumes:
|
||
- name: docker_sock
|
||
host:
|
||
path: /var/run/docker.sock
|