cosign-sign/.woodpecker/release.yaml
Vojtěch Mareš 73fd4f6821
Some checks failed
ci/woodpecker/push/lint Pipeline was successful
ci/woodpecker/push/release Pipeline failed
ci(release.yaml): fix sign-next
Signed-off-by: Vojtěch Mareš <vojtech@mares.cz>
2025-09-08 22:25:48 +02:00


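# Woodpecker workflow: build and push the cosign-sign plugin image, then sign
# the pushed image with cosign.
#
# depends_on:
#   - test

when:
  # - event: [tag]
  - event: push
    branch: "${CI_DEFAULT_BRANCH}"

variables:
  # NOTE(review): these images are referenced by tag, and tags are mutable.
  # The container-tools image runs the step that receives the signing key;
  # pinning it (and the buildx plugin) as image@sha256:<digest> keeps that
  # step from running an image other than the one that was reviewed.
  - &buildx-plugin "woodpeckerci/plugin-docker-buildx:6.0.2"
  - &repo "registry.mareshq.com/woodpecker-plugins/cosign-sign"
  - &platforms "linux/arm64/v8,linux/amd64"
  - &container_tools_image "registry.mareshq.com/library/container-tools:commit-4870dfe6aab84eb0"

steps:
  # Build the multi-arch image and push it as :next on pushes to main.
  publish-next:
    image: *buildx-plugin
    settings:
      repo: *repo
      platforms: *platforms
      tag: next
      logins:
        - registry: https://registry.mareshq.com
          username:
            from_secret: registry_username
          password:
            from_secret: registry_password
    when:
      branch: main
      event: push

  # Build and push :latest plus the git tag name on tag events.
  # NOTE(review): the workflow-level `when` above currently admits only push
  # events, so this step does not run until the tag event is re-enabled there.
  publish-tag:
    image: *buildx-plugin
    settings:
      repo: *repo
      platforms: *platforms
      tag: [latest, "${CI_COMMIT_TAG}"]
      logins:
        - registry: https://registry.mareshq.com
          username:
            from_secret: registry_username
          password:
            from_secret: registry_password
    when:
      event: tag

  # Sign the :next image (and, via --recursive, the per-platform images
  # behind the multi-arch index) with the key held in the cosign_key secret.
  sign-next:
    image: *container_tools_image
    environment:
      # Empty password means the private key in cosign_key is stored
      # unencrypted. Acceptable only for this test key; a key that signs
      # release tags should be password-protected.
      COSIGN_PASSWORD: "" # testing, so empty password is OK
      COSIGN_KEY:
        from_secret: cosign_key
    commands:
      # Create the key file readable by the step's user only.
      - umask 077
      # Remove the key from the workspace when the step's shell exits, whether
      # signing succeeded or not, so later steps cannot read it.
      - trap 'rm -f ./cosign.key' EXIT
      # Quote the expansion: unquoted, the shell word-splits the value and
      # joins it with spaces, which flattens a multi-line PEM key into one
      # line that cosign cannot parse. printf also avoids echo's
      # shell-dependent backslash handling.
      - printf '%s\n' "$COSIGN_KEY" > ./cosign.key
      # NOTE(review): this signs whatever :next resolves to at signing time.
      # If the tag is moved between publish-next and this step, a different
      # image gets the signature. Prefer signing the digest pushed by
      # publish-next (repo@sha256:<digest>) once the build step exports it.
      - cosign sign --key ./cosign.key --recursive registry.mareshq.com/woodpecker-plugins/cosign-sign:next
    when:
      event: push
      branch: main

  # Disabled: signing for tagged releases. Before enabling, replace the empty
  # COSIGN_PASSWORD with a secret; the key handling below already mirrors
  # sign-next (restrictive umask, quoted expansion, cleanup on exit).
  # sign-tag:
  #   image: *container_tools_image
  #   environment:
  #     COSIGN_PASSWORD: "" # testing, so empty password is OK
  #     COSIGN_KEY:
  #       from_secret: cosign_key
  #   commands:
  #     - umask 077
  #     - trap 'rm -f ./cosign.key' EXIT
  #     - printf '%s\n' "$COSIGN_KEY" > ./cosign.key
  #     - cosign sign --key ./cosign.key --recursive registry.mareshq.com/woodpecker-plugins/cosign-sign:latest
  #     - cosign sign --key ./cosign.key --recursive registry.mareshq.com/woodpecker-plugins/cosign-sign:$${CI_COMMIT_TAG}
  #   when:
  #     event: tag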