ci: switch image publishing to docker/github-builder

.github/workflows/build-and-publish.yml

@@ -7,161 +7,60 @@ on:
       - development
   release:
     types: [published]
+  pull_request:
 
 permissions:
   contents: read
-  packages: write
 
 env:
-  dockerhub: ${{ secrets.DOCKERHUB_NAMESPACE }}/pihole
-  ghcr: ghcr.io/${{ github.repository_owner }}/pihole
   components_branch: ${{ github.event_name == 'release' && 'master' || 'development' }}
 
 jobs:
-  build:
-    runs-on: ${{ matrix.runner }}
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - platform: linux/amd64
-            runner: ubuntu-latest
-          - platform: linux/386
-            runner: ubuntu-latest
-          - platform: linux/arm/v6
-            runner: ubuntu-24.04-arm
-          - platform: linux/arm/v7
-            runner: ubuntu-24.04-arm
-          - platform: linux/arm64
-            runner: ubuntu-24.04-arm
-          - platform: linux/riscv64
-            runner: ubuntu-24.04-arm
-
+  build-prepare:
+    runs-on: ubuntu-24.04
+    outputs:
+      components_branch: ${{ env.components_branch }}
     steps:
-      - name: Prepare name for digest up/download
-        run: |
-          platform=${{ matrix.platform }}
-          echo "PLATFORM_PAIR=${platform//\//-}" >> $GITHUB_ENV
-
-      - &checkout-repo
-        name: Checkout Repo
-        if: github.event_name != 'schedule'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
-
-      - &checkout-dev
-        name: Checkout dev branch if scheduled
-        if: github.event_name == 'schedule'
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd #v6.0.2
-        with:
-          ref: development
-
-      - &docker-meta
-        name: Docker meta
-        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf #v6.0.0
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          images: |
-            ${{ env.dockerhub }}
-            ${{ env.ghcr }}
-          flavor: |
-            latest=${{ startsWith(github.ref, 'refs/tags/') }}
-          tags: |
-            type=schedule,pattern=nightly
-            type=raw,value=nightly,enable=${{ github.event_name == 'push' }}
-            type=ref,event=tag
+      # FIXME: can't use env object in reusable workflow inputs: https://github.com/orgs/community/discussions/26671
+      - run: echo "Exposing env vars for reusable workflow"
 
-      - &login-dockerhub
-        name: Login to Docker Hub
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 #v4.0.0
-        with:
-          registry: docker.io
+  build:
+    uses: docker/github-builder/.github/workflows/build.yml@v1
+    needs:
+      - build-prepare
+    permissions:
+      contents: read # same as global permissions
+      id-token: write # for signing attestation(s) with GitHub OIDC Token
+      packages: write # required to push to GHCR
+    with:
+      setup-qemu: true
+      cache: true
+      cache-scope: build
+      context: src
+      output: image
+      build-args: |
+        PIHOLE_DOCKER_TAG={{meta.version}}
+        FTL_BRANCH=${{ needs.build-prepare.outputs.components_branch }}
+        CORE_BRANCH=${{ needs.build-prepare.outputs.components_branch }}
+        WEB_BRANCH=${{ needs.build-prepare.outputs.components_branch }}
+        PADD_BRANCH=${{ needs.build-prepare.outputs.components_branch }}
+      platforms: linux/amd64,linux/386,linux/arm/v6,linux/arm/v7,linux/arm64,linux/riscv64
+      push: ${{ github.event_name != 'pull_request' }}
+      set-meta-labels: true
+      meta-images: |
+        pihole/pihole
+        ghcr.io/${{ github.repository_owner }}/pihole
+      meta-tags: |
+        type=schedule,pattern=nightly
+        type=raw,value=nightly,enable=${{ github.event_name == 'push' }}
+        type=ref,event=tag
+      meta-flavor: |
+        latest=${{ startsWith(github.ref, 'refs/tags/') }}
+    secrets:
+      registry-auths: |
+        - registry: docker.io
           username: ${{ secrets.DOCKERHUB_USER }}
           password: ${{ secrets.DOCKERHUB_PASS }}
-
-      - &login-ghcr
-        name: Login to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 #v4.0.0
-        with:
-          registry: ghcr.io
+        - registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a #v4.0.0
-        with:
-          platforms: ${{ matrix.platform}}
-
-      - &setup-buildx
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd #v4.0.0
-        with:
-          # Buildx version 0.31.1 broke our publish workflow, this need to be revised when 0.32.0 is released
-          # https://github.com/docker/buildx/releases/tag/v0.31.1
-          version: v0.31.0
-
-      - name: Build container and push by digest
-        id: build
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 #v7.0.0
-        with:
-          context: ./src/
-          platforms: ${{ matrix.platform }}
-          build-args: |
-            PIHOLE_DOCKER_TAG=${{ steps.meta.outputs.version }}
-            FTL_BRANCH=${{ env.components_branch }}
-            CORE_BRANCH=${{ env.components_branch }}
-            WEB_BRANCH=${{ env.components_branch }}
-            PADD_BRANCH=${{ env.components_branch }}
-          labels: ${{ steps.meta.outputs.labels }}
-          outputs: |
-            type=image,name=${{ env.dockerhub }},push-by-digest=true,name-canonical=true,push=true
-
-      - name: Export digests
-        run: |
-          mkdir -p /tmp/digests
-          digest_docker="${{ steps.build.outputs.digest }}"
-          touch "/tmp/digests/${digest_docker#sha256:}"
-
-      - name: Upload digest
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f #v7.0.0
-        with:
-          name: digests-${{ env.PLATFORM_PAIR }}
-          path: /tmp/digests/*
-          if-no-files-found: error
-          retention-days: 1
-
-  # Merge all the digests into a single file
-  # If we would push immediately above, the individual runners would overwrite each other's images
-  # https://docs.docker.com/build/ci/github-actions/multi-platform/#distribute-build-across-multiple-runners
-  merge-and-deploy:
-    runs-on: ubuntu-latest
-    needs:
-      - build
-    steps:
-      - *checkout-repo
-      - *checkout-dev
-
-      - name: Download digests
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c #v8.0.1
-        with:
-          path: /tmp/digests
-          pattern: digests-*
-          merge-multiple: true
-
-      - *setup-buildx
-      - *docker-meta
-      - *login-dockerhub
-      - *login-ghcr
-
-      - name: Create manifest list and push (DockerHub and GitHub Container Registry)
-        working-directory: /tmp/digests
-        run: |
-          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.dockerhub }}@sha256:%s ' *)
-          docker buildx imagetools create $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \
-            $(printf '${{ env.ghcr }}@sha256:%s ' *)
-
-      - name: Inspect images
-        run: |
-          docker buildx imagetools inspect ${{ env.dockerhub }}:${{ steps.meta.outputs.version }}
-          docker buildx imagetools inspect ${{ env.ghcr }}:${{ steps.meta.outputs.version }}