fix: prevent attempt of double publishing of cosign.pub

.ci/jenkins/tools/ko.groovy

@@ -21,9 +21,9 @@ void install() {
 private def registrySecret(String registry) {
     String path
     switch (registry) {
-        case "DockerHub": path = "keptn-jenkins/monaco/dockerhub-deploy"
-        case "DT": path = "keptn-jenkins/monaco/registry-deploy"
-        default: path = "keptn-jenkins/monaco/registry-deploy"
+        case "DockerHub": path = "keptn-jenkins/monaco/dockerhub-deploy"; break
+        case "DT": path = "keptn-jenkins/monaco/registry-deploy"; break
+        default: path = "keptn-jenkins/monaco/registry-deploy"; break
     }
 
     return [[path        : "${path}",
@@ -37,7 +37,7 @@ private def registrySecret(String registry) {
 
 void loginToRegistry(Map args = [registry: null]) {
     withVault(vaultSecrets: registrySecret(args.registry)) {
-        sh(label: "sign in to container registry",
+        sh(label: "sign in to ${args.registry} registry",
             script: 'ko login --username=$username --password=$password $registry')
     }
 }

.ci/releasePipeline.groovy

@@ -35,16 +35,7 @@ pipeline {
                     stage("Build binaries") {
                         def tasks = [:]
 
-                        tasks["Docker container"] = {
-                            stage("for testing") {
-                                releaseDockerContainer(ctx, "DT")
-                            }
-                            if (isRelease(ctx)) {
-                                stage ("for DockerHub") {
-                                    releaseDockerContainer(ctx, "DockerHub")
-                                }
-                            }
-                        }
+                        tasks["Docker container"] = { releaseDockerContainer(ctx) }
 
                         //linux
                         for (arch in ["amd64", "arm64", "386"]) {
@@ -189,23 +180,33 @@ void releaseBinary(Context ctx, Release release) {
     }
 }
 
-void releaseDockerContainer(Context ctx, String registry) {
-    stage("Build Docker") {
-        def ko = load(".ci/jenkins/tools/ko.groovy")
-        ko.install()
+void releaseDockerContainer(Context ctx) {
+    createAndPublishContainer(ctx, "DT")
+
+    if (isRelease(ctx)) {
+        createAndPublishContainer(ctx, "DockerHub")
+
         def cosign = load(".ci/jenkins/tools/cosign.groovy")
-        cosign.install("latest")
+        ctx.githubRelease.addToRelease(rawData: cosign.getPublicKey(), underName: "cosign.pub")
+    }
+}
 
-        List<String> tags = [ctx.version]
-        if (isFinal(ctx)) {
-            tags << "latest"
-            ctx.githubRelease.addToRelease(rawData: cosign.getPublicKey(), underName: "cosign.pub")
-        }
+void createAndPublishContainer(Context ctx, String registry) {
+    def ko = load(".ci/jenkins/tools/ko.groovy")
+    ko.install()
+    def cosign = load(".ci/jenkins/tools/cosign.groovy")
+    cosign.install("latest")
 
-        ko.loginToRegistry(registry: registry)
-        image = ko.buildContainer(tags: tags, registry: registry)
-        cosign.sign(image)
+    List<String> tags = [ctx.version]
+    if (isFinal(ctx)) {
+        tags << "latest"
     }
+
+    ko.loginToRegistry(registry: registry)
+    image = ko.buildContainer(tags: tags, registry: registry)
+    cosign.sign(image)
+
+    echo "Created docker image ${image}"
 }
 
 void signWinBinaries(Map args = [source: null, version: null, destDir: null, projectName: null]) {

Makefile

@@ -135,8 +135,3 @@ IMAGE_PATH ?= $(REPO_PATH)/$(CONTAINER_NAME)
 docker-container: install-ko
 	@echo Building docker container...
 	KO_DOCKER_REPO=$(IMAGE_PATH) VERSION=$(VERSION) ko build --bare --sbom=none --tags=$(TAGS) ./cmd/monaco
-
-sign-verify-image:
-	@go install github.com/sigstore/cosign/v2/cmd/[email protected]
-	COSIGN_PASSWORD=$(COSIGN_PASSWORD) cosign sign --key env://cosign_key $(FULL_IMAGE_NAME) -y
-	cosign verify --key env://cosign_pub $(FULL_IMAGE_NAME)