From 24db920e7d5b88e0975dda1e03448e30c1434a37 Mon Sep 17 00:00:00 2001
From: pi-farm
Date: Tue, 10 Feb 2026 11:23:33 +0100
Subject: [PATCH] remove signing in workflow
---
 .gitea/workflows/docker-builder.yml | 45 +++++++++-------------------
 1 file changed, 13 insertions(+), 32 deletions(-)
diff --git a/.gitea/workflows/docker-builder.yml b/.gitea/workflows/docker-builder.yml
index e6053ca..07dca0b 100644
--- a/.gitea/workflows/docker-builder.yml
+++ b/.gitea/workflows/docker-builder.yml
@@ -169,7 +169,7 @@ jobs:
 echo "BUILD_DATE=$BUILD_DATE" >> $GITEA_ENV
- - name: Build & push multiarch
+- name: Build & push multiarch
 if: steps.check_files.outputs.should_build == 'true'
 shell: bash
 run: |
@@ -187,7 +187,10 @@ jobs:
 exit 1
 fi
- # amd64 build
+ # Cache-Definitionen für bessere Übersicht
+ CACHE_REF="${REGISTRY_HOST}/${IMAGE_BASE}-cache"
+
+ # amd64 build mit Registry-Cache (mode=min für weniger Fragmente)
 docker buildx build \
 --platform linux/amd64 \
 -f ${AMD64_DOCKERFILE} \
@@ -195,10 +198,12 @@ jobs:
 --build-arg APP_VERSION="$APP_VERSION" \
 --label org.opencontainers.image.version="$APP_VERSION" \
 --label org.opencontainers.image.created="$BUILD_DATE" \
+ --cache-from type=registry,ref=${CACHE_REF}:amd64 \
+ --cache-to type=registry,ref=${CACHE_REF}:amd64,mode=min \
 -t ${CACHE_IMAGE_NAME}:${VERSION}-amd64 \
 --push .
- # arm64 build
+ # arm64 build mit Registry-Cache (mode=min für weniger Fragmente)
 docker buildx build \
 --platform linux/arm64 \
 -f ${ARM64_DOCKERFILE} \
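Review bot: The added step header `- name: Build & push multiarch` appears to start at column 0: on this page the removed line shows a gap between the diff marker and `- name`, while the added line shows none, unlike every other added line in the patch. If that reflects the real file, the step drops out of the job's step list while its `if:`, `shell:` and `run:` keys stay indented, which a YAML loader will most likely reject, so the workflow would stop building and pushing images at all. Restore the indentation of the removed line so the step lines up with its sibling steps. Whitespace is collapsed in this rendering, so confirm against the raw file; the step's `run:` body continues outside the hunk.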
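Review bot: The new `--cache-from`/`--cache-to type=registry,ref=${CACHE_REF}:amd64` pair makes each build import layers from a registry repository that the same job also writes to; `CACHE_REF` is defined in the previous hunk and the arm64 build in the next hunk gets the same pair. Anyone with push rights on `${IMAGE_BASE}-cache` can therefore influence layers reused by later release builds, and since the cosign step is removed at the end of this patch, nothing downstream attests what was actually built. Limit push access on the cache repository to the CI identity, and if this job can also run for untrusted branches or pull requests (not visible here), drop `--cache-to` on those runs. A comment such as `# Cache repo is a build input: restrict push access to the CI account` next to `CACHE_REF` would record that. The amd64 `docker buildx build` command starts above this hunk and the arm64 one continues below it.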
@@ -206,10 +211,14 @@ jobs:
 --build-arg APP_VERSION="$APP_VERSION" \
 --label org.opencontainers.image.version="$APP_VERSION" \
 --label org.opencontainers.image.created="$BUILD_DATE" \
+ --cache-from type=registry,ref=${CACHE_REF}:arm64 \
+ --cache-to type=registry,ref=${CACHE_REF}:arm64,mode=min \
 -t ${CACHE_IMAGE_NAME}:${VERSION}-arm64 \
 --push .
+ # Manifest-Erstellung (verbindet die Architekturen zu den finalen Tags)
 for TAG in $(echo $DOCKER_TAGS | tr ',' ' '); do
+ echo "Creating manifest for tag: $TAG"
 docker buildx imagetools create -t $TAG \
 ${CACHE_IMAGE_NAME}:${VERSION}-amd64 \
 ${CACHE_IMAGE_NAME}:${VERSION}-arm64
@@ -240,32 +249,4 @@ jobs:
 uses: actions/upload-artifact@v3
 with:
 name: sbom
- path: sbom.spdx.json
-
- - name: Install cosign
- shell: bash
- run: |
- curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 \
- -o cosign
- chmod +x cosign
- mv cosign /usr/local/bin/
- cosign version
-
- - name: Sign image
- shell: bash
- env:
- COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
- COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
- # Diese Variable ist der wichtigste Hebel:
- COSIGN_SKIP_REKOR_UPLOAD: "true"
- COSIGN_REPOSITORY: ${{ env.REGISTRY_HOST }}/${{ env.IMAGE_BASE }}/signatures
- run: |
- echo "$COSIGN_PRIVATE_KEY" > cosign.key
-
- # Wir lassen NUR NOCH die absolut notwendigen Flags stehen.
- # Keine Erwähnung von tlog oder configs mehr.
- cosign sign --yes --key cosign.key \
- --registry-referrers-mode legacy \
- "${REGISTRY_HOST}/${IMAGE_BASE}:main"
-
- rm -f cosign.key
\ No newline at end of file
+ path: sbom.spdx.json
\ No newline at end of file