remove signing in workflow

2026-02-10 11:23:33 +01:00
parent c61da8358f
commit 24db920e7d
1 changed files with 13 additions and 32 deletions
--- a/.gitea/workflows/docker-builder.yml
+++ b/.gitea/workflows/docker-builder.yml
@@ -169,7 +169,7 @@ jobs:
          echo "BUILD_DATE=$BUILD_DATE" >> $GITEA_ENV


-      - name: Build & push multiarch
+- name: Build & push multiarch
        if: steps.check_files.outputs.should_build == 'true'
        shell: bash
        run: |
@@ -187,7 +187,10 @@ jobs:
            exit 1
          fi

-          # amd64 build
+          # Cache-Definitionen für bessere Übersicht
+          CACHE_REF="${REGISTRY_HOST}/${IMAGE_BASE}-cache"
+
+          # amd64 build mit Registry-Cache (mode=min für weniger Fragmente)
          docker buildx build \
            --platform linux/amd64 \
            -f ${AMD64_DOCKERFILE} \
@@ -195,10 +198,12 @@ jobs:
            --build-arg APP_VERSION="$APP_VERSION" \
            --label org.opencontainers.image.version="$APP_VERSION" \
            --label org.opencontainers.image.created="$BUILD_DATE" \
+            --cache-from type=registry,ref=${CACHE_REF}:amd64 \
+            --cache-to type=registry,ref=${CACHE_REF}:amd64,mode=min \
            -t ${CACHE_IMAGE_NAME}:${VERSION}-amd64 \
            --push .

-          # arm64 build
+          # arm64 build mit Registry-Cache (mode=min für weniger Fragmente)
          docker buildx build \
            --platform linux/arm64 \
            -f ${ARM64_DOCKERFILE} \
@@ -206,10 +211,14 @@ jobs:
            --build-arg APP_VERSION="$APP_VERSION" \
            --label org.opencontainers.image.version="$APP_VERSION" \
            --label org.opencontainers.image.created="$BUILD_DATE" \
+            --cache-from type=registry,ref=${CACHE_REF}:arm64 \
+            --cache-to type=registry,ref=${CACHE_REF}:arm64,mode=min \
            -t ${CACHE_IMAGE_NAME}:${VERSION}-arm64 \
            --push .

+          # Manifest-Erstellung (verbindet die Architekturen zu den finalen Tags)
          for TAG in $(echo $DOCKER_TAGS | tr ',' ' '); do
+            echo "Creating manifest for tag: $TAG"
            docker buildx imagetools create -t $TAG \
              ${CACHE_IMAGE_NAME}:${VERSION}-amd64 \
              ${CACHE_IMAGE_NAME}:${VERSION}-arm64
@@ -241,31 +250,3 @@ jobs:
        with:
          name: sbom
          path: sbom.spdx.json
-          
-      - name: Install cosign
-        shell: bash
-        run: |
-          curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 \
-            -o cosign
-          chmod +x cosign
-          mv cosign /usr/local/bin/
-          cosign version
-
-      - name: Sign image
-        shell: bash
-        env:
-          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
-          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
-          # Diese Variable ist der wichtigste Hebel:
-          COSIGN_SKIP_REKOR_UPLOAD: "true"
-          COSIGN_REPOSITORY: ${{ env.REGISTRY_HOST }}/${{ env.IMAGE_BASE }}/signatures
-        run: |
-          echo "$COSIGN_PRIVATE_KEY" > cosign.key
-          
-          # Wir lassen NUR NOCH die absolut notwendigen Flags stehen.
-          # Keine Erwähnung von tlog oder configs mehr.
-          cosign sign --yes --key cosign.key \
-            --registry-referrers-mode legacy \
-            "${REGISTRY_HOST}/${IMAGE_BASE}:main"
-
-          rm -f cosign.key