forked from chriscrowe/docker-pihole-unbound
-
Notifications
You must be signed in to change notification settings - Fork 1
131 lines (114 loc) · 5.19 KB
/
docker-publish.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
name: Publish Docker Images
on:
workflow_dispatch: # Manual trigger
push:
branches:
- main
paths:
- 'one-container/pihole-unbound/Dockerfile'
jobs:
publish-image:
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
# Install the cosign tool except on PR
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@v3.6.0
with:
cosign-release: 'v2.2.4'
# Set up BuildKit Docker container builder to be able to build
# multi-platform images and export cache
# https://github.com/docker/setup-buildx-action
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3.6.1
# Set up QEMU to enable multi-platform builds
- name: Set up QEMU
uses: docker/setup-qemu-action@v3.2.0
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Login to Docker Hub
if: github.event_name != 'pull_request'
uses: docker/login-action@v3.3.0
with:
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to Github Container Registry (GHCR)
if: github.event_name != 'pull_request'
uses: docker/login-action@v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract Pihole version from Dockerfile
id: extract-version
run: |
VERSION=$(grep -oP '(?<=pihole/pihole:)\S+' one-container/pihole-unbound/Dockerfile)
echo "Extracted pihole version is: $VERSION"
echo "PIHOLE_VERSION=$VERSION" >> "$GITHUB_OUTPUT"
# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@v5.5.1
with:
# List of Docker images to use as base name for tags
images: |
docker.io/${{ vars.DOCKERHUB_USERNAME }}/docker-pihole-unbound
ghcr.io/${{ github.repository_owner }}/docker-pihole-unbound
# Generate Docker tags based on the following events/attributes
tags: |
type=raw,value=${{ steps.extract-version.outputs.PIHOLE_VERSION }}
type=raw,value=latest
# Set the OCI Image Specification source label to the base image repository, to enable tools
# like Renovate and Dependabot to automatically fetch release notes for new versions.
# We cannot use https://github.com/pi-hole/pi-hole directly, since it uses a different versioning scheme.
labels: |
org.opencontainers.image.source=https://github.com/pi-hole/docker-pi-hole
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@v6.7.0
with:
context: one-container/pihole-unbound
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64
cache-from: type=gha
cache-to: type=gha,mode=max
# Sign the resulting Docker image digest except on PRs.
# This will only write to the public Rekor transparency log when the Docker
# repository is public to avoid leaking data. If you would like to publish
# transparency data even for private images, pass --force to cosign below.
# https://github.com/sigstore/cosign
- name: Sign the published Docker image
if: ${{ github.event_name != 'pull_request' }}
env:
# https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
TAGS: ${{ steps.meta.outputs.tags }}
DIGEST: ${{ steps.build-and-push.outputs.digest }}
# This step uses the identity token to provision an ephemeral certificate
# against the sigstore community Fulcio instance.
run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
- uses: softprops/action-gh-release@v2.0.8
with:
tag_name: ${{ steps.extract-version.outputs.PIHOLE_VERSION }}
body: |
#### This is an update for the `one-container` configuration
- Updating Pi-Hole base image to `${{ steps.extract-version.outputs.PIHOLE_VERSION }}` ([link](https://github.com/pi-hole/docker-pi-hole/releases/tag/${{ steps.extract-version.outputs.PIHOLE_VERSION }}))
#### Update instructions
```shell
docker-compose pull
docker-compose up -d
```
make_latest: true