Automatically update one-container image with new pihole images (#252)

* Hardcode Docker image version so Renovate can update it

* Add workflow to publish Docker image

* Updating base image version to 2024.05.0

* Add renovate.json (#1)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

* Let Renovate automerge Docker tag updates in one-container/pihole-unbound/Dockerfile

* Update pihole/pihole Docker tag to v2024.07.0

* Remove obsolete build script

* Specifiy platforms to build image workflow step

* Automatically generate a GitHub release when publishing a Docker image

* Overwrite OCI Image Specification source label to enable release note fetching for Renovate and Dependabot

* Build image for all platforms that the base image also supports

* Update docker/build-push-action action to v6.8.0 (#3)

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

.github/workflows/docker-publish.yml

@@ -0,0 +1,131 @@
+name: Publish Docker Images
+
+on:
+  workflow_dispatch:  # Manual trigger
+  push:
+    branches:
+      - main
+    paths:
+      - 'one-container/pihole-unbound/Dockerfile'
+
+jobs:
+  publish-image:
+
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      # This is used to complete the identity challenge
+      # with sigstore/fulcio when running outside of PRs.
+      id-token: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      # Install the cosign tool except on PR
+      # https://github.com/sigstore/cosign-installer
+      - name: Install cosign
+        if: github.event_name != 'pull_request'
+        uses: sigstore/[email protected]
+        with:
+          cosign-release: 'v2.2.4'
+
+      # Set up BuildKit Docker container builder to be able to build
+      # multi-platform images and export cache
+      # https://github.com/docker/setup-buildx-action
+      - name: Set up Docker Buildx
+        uses: docker/[email protected]
+
+      # Set up QEMU to enable multi-platform builds
+      - name: Set up QEMU
+        uses: docker/[email protected]
+
+      # Login against a Docker registry except on PR
+      # https://github.com/docker/login-action
+      - name: Login to Docker Hub
+        if: github.event_name != 'pull_request'
+        uses: docker/[email protected]
+        with:
+          username: ${{ vars.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Login to Github Container Registry (GHCR)
+        if: github.event_name != 'pull_request'
+        uses: docker/[email protected]
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract Pihole version from Dockerfile
+        id: extract-version
+        run: |
+          VERSION=$(grep -oP '(?<=pihole/pihole:)\S+' one-container/pihole-unbound/Dockerfile)
+          echo "Extracted pihole version is: $VERSION"
+          echo "PIHOLE_VERSION=$VERSION" >> "$GITHUB_OUTPUT"
+
+      # Extract metadata (tags, labels) for Docker
+      # https://github.com/docker/metadata-action
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/[email protected]
+        with:
+          # List of Docker images to use as base name for tags
+          images: |
+            docker.io/${{ vars.DOCKERHUB_USERNAME }}/docker-pihole-unbound
+            ghcr.io/${{ github.repository_owner }}/docker-pihole-unbound    
+          # Generate Docker tags based on the following events/attributes
+          tags: |
+            type=raw,value=${{ steps.extract-version.outputs.PIHOLE_VERSION }}
+            type=raw,value=latest
+          # Set the OCI Image Specification source label to the base image repository, to enable tools 
+          # like Renovate and Dependabot to automatically fetch release notes for new versions.
+          # We cannot use https://github.com/pi-hole/pi-hole directly, since it uses a different versioning scheme.
+          labels: |
+            org.opencontainers.image.source=https://github.com/pi-hole/docker-pi-hole
+
+      # Build and push Docker image with Buildx (don't push on PR)
+      # https://github.com/docker/build-push-action
+      - name: Build and push Docker image
+        id: build-and-push
+        uses: docker/[email protected]
+        with:
+          context: one-container/pihole-unbound
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      # Sign the resulting Docker image digest except on PRs.
+      # This will only write to the public Rekor transparency log when the Docker
+      # repository is public to avoid leaking data.  If you would like to publish
+      # transparency data even for private images, pass --force to cosign below.
+      # https://github.com/sigstore/cosign
+      - name: Sign the published Docker image
+        if: ${{ github.event_name != 'pull_request' }}
+        env:
+          # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+          TAGS: ${{ steps.meta.outputs.tags }}
+          DIGEST: ${{ steps.build-and-push.outputs.digest }}
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
+
+      - uses: softprops/[email protected]
+        with:
+          tag_name: ${{ steps.extract-version.outputs.PIHOLE_VERSION }}
+          body: |
+            #### This is an update for the `one-container` configuration
+
+            - Updating Pi-Hole base image to `${{ steps.extract-version.outputs.PIHOLE_VERSION }}` ([link](https://github.com/pi-hole/docker-pi-hole/releases/tag/${{ steps.extract-version.outputs.PIHOLE_VERSION }}))
+
+            #### Update instructions
+
+            ```shell
+            docker-compose pull
+            docker-compose up -d
+            ```
+          make_latest: true

one-container/pihole-unbound/Dockerfile

@@ -1,5 +1,4 @@
-ARG PIHOLE_VERSION
-FROM pihole/pihole:${PIHOLE_VERSION:-latest}
+FROM pihole/pihole:2024.07.0
 RUN apt update && apt install -y unbound
 
 COPY lighttpd-external.conf /etc/lighttpd/external.conf 

renovate.json

@@ -0,0 +1,16 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ],
+  "packageRules": [
+    {
+      "matchDatasources": ["docker"],
+      "matchFileNames": ["one-container/pihole-unbound/Dockerfile"],
+      "updateTypes": ["major", "minor", "patch"],
+      "automerge": true,
+      "automergeType": "branch",
+      "ignoreTests": true
+    }
+  ]
+}