From 3dd74cdda9120231525588c22eb1370bb0a2a9ef Mon Sep 17 00:00:00 2001
From: pi-farm <info@pi-farm.de>
Date: Mon, 9 Feb 2026 21:19:52 +0100
Subject: [PATCH] fix sign step

---
 .gitea/workflows/docker-builder.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/.gitea/workflows/docker-builder.yml b/.gitea/workflows/docker-builder.yml
index b998a30..235fa60 100644
--- a/.gitea/workflows/docker-builder.yml
+++ b/.gitea/workflows/docker-builder.yml
@@ -252,18 +252,17 @@ jobs:
           cosign version
 
       - name: Sign image
+        if: env.IS_TAG == 'true'
         shell: bash
         run: |
           set -euo pipefail
 
           IMAGE_TO_SIGN="${REGISTRY_HOST}/${IMAGE_BASE}:${VERSION}"
-
           echo "Signing image $IMAGE_TO_SIGN"
 
-          # Cosign login falls nötig
-          export COSIGN_PASSWORD="${{ secrets.COSIGN_KEY }}"
-          
-          cosign sign --key <(echo "$COSIGN_PASSWORD") "$IMAGE_TO_SIGN"
+          # Key nur für Tags nutzen
+          cosign sign --key <(echo "${{ secrets.COSIGN_KEY }}") "$IMAGE_TO_SIGN"
+