From a20ea5887947ab3752cec000ff72b34279a5c0cd Mon Sep 17 00:00:00 2001
From: Vassiliy Yegorov
Date: Thu, 26 Mar 2026 19:12:56 +0700
Subject: [PATCH] init
---
 .gitea/workflows/build-sign-push.yaml | 35 +++++++++++++--------------
 .gitignore | 3 ++-
 keys/cosign.pub | 4 +++
 3 files changed, 23 insertions(+), 19 deletions(-)
 create mode 100644 keys/cosign.pub
diff --git a/.gitea/workflows/build-sign-push.yaml b/.gitea/workflows/build-sign-push.yaml
index 1d97f10..af592fd 100644
--- a/.gitea/workflows/build-sign-push.yaml
+++ b/.gitea/workflows/build-sign-push.yaml
@@ -9,22 +9,27 @@ env:
 REGISTRY: git.realmanual.ru
 IMAGE: git.realmanual.ru/${{ gitea.repository }}
+permissions:
+ contents: read
+ packages: write
+
 jobs:
 build-and-sign:
 runs-on: ubuntu-22.04
- permissions:
- contents: read
- packages: write
-
+ container: catthehacker/ubuntu:act-latest
 steps:
- - name: checkout
- uses: actions/checkout@v4
- # --- build ---
- - name: set up docker buildx
- uses: docker/setup-buildx-action@v3
+ - uses: actions/checkout@v4
+ with:
+ fetch-depth: 1
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v4.1.0
+ - name: Set up QEMU
+ uses: docker/setup-qemu-action@v3.6.0
+ - name: Read Version
 id: version
- run: echo "VERSION=$(cat image/VERSION)" >> $GITHUB_OUTPUT
+ run: echo "VERSION=$(cat backend/VERSION)" >> $GITHUB_OUTPUT
+
 - name: login to registry
 uses: docker/login-action@v3
 with:
@@ -34,7 +39,7 @@ jobs:
 - name: build and push
 id: build
- uses: docker/build-push-action@v5
+ uses: docker/build-push-action@v6
 with:
 context: ./image
 push: true
@@ -45,12 +50,6 @@ jobs:
 # digest понадобится для подписи — по тегу подписывать нельзя
 outputs: type=image,push=true
- # --- sign ---
- # cosign надо ставить отдельно — в ubuntu-latest его нет
- - name: install cosign
- uses: sigstore/cosign-installer@v3
- with:
- cosign-release: 'v3.0.5'
 - name: sign image
 env:
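Review bot: Every third-party action this hunk introduces or keeps is pinned to a mutable tag (`sigstore/cosign-installer@v4.1.0`, `docker/setup-qemu-action@v3.6.0`, `actions/checkout@v4`, `docker/login-action@v3`, and `docker/build-push-action@v6` in the next hunk), and the job now runs inside `container: catthehacker/ubuntu:act-latest`, a floating tag; for a workflow whose purpose is signing images, pin each `uses:` to a full commit SHA with the version in a trailing comment and pin the container by digest (`catthehacker/ubuntu@sha256:<digest-placeholder>`). Dropping the explicit `cosign-release: 'v3.0.5'` (removed in the third hunk) means the installed cosign version now follows the installer's default, which deserves a one-line comment next to the Install Cosign step saying that is deliberate. The Read Version step now reads `backend/VERSION` while the build context in the next hunk stays `./image`; confirm that split is intended, since the version file and the Dockerfile context no longer sit together. Quote the redirect target as well: `run: echo "VERSION=$(cat backend/VERSION)" >> "$GITHUB_OUTPUT"`. The job definition continues past the end of this hunk.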
@@ -69,5 +68,5 @@ jobs:
 IMAGE_DIGEST: ${{ steps.build.outputs.digest }}
 run: |
 cosign verify \
- --key cosign.pub \
+ --key keys/cosign.pub \
 ${{ env.IMAGE }}@${IMAGE_DIGEST}
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 3fa176f..2305ad3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
-keys/*
\ No newline at end of file
+keys/cosign.key
+keys/.env
\ No newline at end of file
diff --git a/keys/cosign.pub b/keys/cosign.pub
new file mode 100644
index 0000000..7510db3
--- /dev/null
+++ b/keys/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEZZ/9MbR3WZg9K/pk936vukFjeWVt
+2oMpW4OmElpIq1aH3jZIA03Hwm7FVdhyumb1vPu5k0DOV8RX4UIs6rkhzA==
+-----END PUBLIC KEY-----
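Review bot: The `cosign verify` in this hunk reads the public key from the same checkout that the job signs in, so the step only confirms that the image was signed with the private key matching the committed `keys/cosign.pub`; consumers of the image still need that key distributed out of band, and a comment above the step such as `# sanity check only: verifies against the repo copy of the public key` would make that scope explicit. The workflow file still ends without a trailing newline on the new side (`\ No newline at end of file`), which yamllint flags; add one. The enclosing verify step begins before this hunk.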
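Review bot: Replacing `keys/*` with two explicit names means any other file that lands in `keys/` (a renamed or backup private key, for instance) is no longer ignored and would be committed alongside the public key. Keeping the directory-wide ignore and whitelisting only the public key preserves the intent of committing `keys/cosign.pub`: `keys/*` followed by `!keys/cosign.pub`. The new file also still lacks a trailing newline.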