Patrick Gniza
9e4df13fc0
All checks were successful
continuous-integration/drone/push Build is passing
131 lines
4.1 KiB
YAML
131 lines
4.1 KiB
YAML
kind: pipeline
|
||
type: docker
|
||
name: build-sign-and-release
|
||
|
||
steps:
|
||
# --------------------------------------------------
|
||
# 1️⃣ Build & Push Image
|
||
# --------------------------------------------------
|
||
- name: build-and-push
|
||
image: docker:26
|
||
privileged: true
|
||
environment:
|
||
REGISTRY_URL:
|
||
from_secret: REGISTRY_URL
|
||
DOCKER_USER:
|
||
from_secret: DOCKER_USER
|
||
DOCKER_PASS:
|
||
from_secret: DOCKER_PASS
|
||
volumes:
|
||
- name: docker_sock
|
||
path: /var/run/docker.sock
|
||
commands:
|
||
- echo "=== 🏗️ Building and Pushing Image ==="
|
||
- docker login $REGISTRY_URL -u "$DOCKER_USER" -p "$DOCKER_PASS"
|
||
- VERSION_TAG="v$DRONE_BUILD_NUMBER"
|
||
- IMAGE_NAME="public/drone-publish-tool"
|
||
- IMAGE_FULL="$REGISTRY_URL/$IMAGE_NAME:$VERSION_TAG"
|
||
|
||
- echo "Building image $IMAGE_FULL ..."
|
||
- docker build -t $IMAGE_FULL .
|
||
- docker tag $IMAGE_FULL $REGISTRY_URL/$IMAGE_NAME:latest
|
||
|
||
- echo "Pushing images to $REGISTRY_URL ..."
|
||
- docker push $IMAGE_FULL
|
||
- docker push $REGISTRY_URL/$IMAGE_NAME:latest
|
||
|
||
- DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' $IMAGE_FULL)
|
||
- echo "VERSION_TAG=$VERSION_TAG" >> build.env
|
||
- echo "IMAGE_FULL=$IMAGE_FULL" >> build.env
|
||
- echo "IMAGE_DIGEST=$DIGEST" >> build.env
|
||
- echo "✅ Build and push complete."
|
||
outputs:
|
||
- build.env
|
||
|
||
- name: export-env
|
||
image: alpine:3.20
|
||
commands:
|
||
- echo "=== 📦 Loading build.env into environment ==="
|
||
- export $(cat build.env | xargs)
|
||
- echo "IMAGE_DIGEST=$IMAGE_DIGEST" >> /drone/env
|
||
- echo "IMAGE_FULL=$IMAGE_FULL" >> /drone/env
|
||
- echo "VERSION_TAG=$VERSION_TAG" >> /drone/env
|
||
depends_on:
|
||
- build-and-push
|
||
|
||
# --------------------------------------------------
|
||
# 2️⃣ Sign Image with Cosign (Secret-Key aus Variable)
|
||
# --------------------------------------------------
|
||
- name: sign-image
|
||
image: alpine:3.20
|
||
environment:
|
||
COSIGN_KEY:
|
||
from_secret: COSIGN_KEY
|
||
COSIGN_PASSWORD:
|
||
from_secret: COSIGN_PASSWORD
|
||
REGISTRY_URL:
|
||
from_secret: REGISTRY_URL
|
||
DOCKER_USER:
|
||
from_secret: DOCKER_USER
|
||
DOCKER_PASS:
|
||
from_secret: DOCKER_PASS
|
||
commands:
|
||
- echo "=== 🔏 Installing Cosign v3.0.2 ==="
|
||
- . build.env
|
||
- apk add --no-cache curl ca-certificates
|
||
- curl -sSL -o /usr/local/bin/cosign https://github.com/sigstore/cosign/releases/download/v3.0.2/cosign-linux-amd64
|
||
- chmod +x /usr/local/bin/cosign
|
||
- cosign version
|
||
|
||
- echo "=== 🔐 Logging in to registry for signing ==="
|
||
- cosign version
|
||
- echo "$DOCKER_PASS" | cosign login --username "$DOCKER_USER" --password-stdin "$REGISTRY_URL"
|
||
|
||
- echo "=== 🔏 Signing Image ==="
|
||
|
||
- cosign sign --yes --key env://COSIGN_KEY "$IMAGE_DIGEST"
|
||
- echo "✅ Image signed successfully."
|
||
depends_on:
|
||
- export-env
|
||
|
||
# --------------------------------------------------
|
||
# 3️⃣ Create Gitea Release
|
||
# --------------------------------------------------
|
||
- name: create-release
|
||
image: curlimages/curl:8.10.1
|
||
environment:
|
||
GITEA_URL:
|
||
from_secret: GITEA_URL
|
||
GITEA_TOKEN:
|
||
from_secret: GITEA_TOKEN
|
||
commands:
|
||
- echo "=== 🏷️ Creating Gitea release ==="
|
||
- . build.env
|
||
- RELEASE_NAME="Release $VERSION_TAG"
|
||
- RELEASE_BODY="Automatisch erstellter Release für Build $DRONE_BUILD_NUMBER\n\nImage:\n\`\`\`\n$IMAGE_FULL\n\`\`\`"
|
||
- |
|
||
curl -s -X POST "$GITEA_URL/api/v1/repos/${DRONE_REPO_OWNER}/${DRONE_REPO_NAME}/releases" \
|
||
-H "Authorization: token $GITEA_TOKEN" \
|
||
-H "Content-Type: application/json" \
|
||
-d "{
|
||
\"tag_name\": \"$VERSION_TAG\",
|
||
\"name\": \"$RELEASE_NAME\",
|
||
\"body\": \"$RELEASE_BODY\",
|
||
\"draft\": false,
|
||
\"prerelease\": false
|
||
}"
|
||
- echo "✅ Release created in Gitea."
|
||
depends_on:
|
||
- sign-image
|
||
|
||
volumes:
|
||
- name: docker_sock
|
||
host:
|
||
path: /var/run/docker.sock
|
||
|
||
trigger:
|
||
event:
|
||
- push
|
||
branch:
|
||
- main
|