diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
index fce25f3fd75f77bfae69c145d90224b2bb7028f3..965b7d912d90ebe98caba60b67bb7d367a39afce 100644
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -48,18 +48,6 @@ jobs:
with:
ignore-dev: true
- - name: Generate meta info
- shell: bash
- run: |
- echo "${{ github.sha }};${{ github.ref }};${{ github.event_name }};${{ github.actor }}" > OFFICIAL_IMAGE
-
- - name: Signing meta info file
- uses: home-assistant/actions/helpers/codenotary@master
- with:
- source: file://${{ github.workspace }}/OFFICIAL_IMAGE
- asset: OFFICIAL_IMAGE-${{ steps.version.outputs.version }}
- token: ${{ secrets.CAS_TOKEN }}
-
build_python:
name: Build PyPi package
environment: ${{ needs.init.outputs.channel }}
@@ -101,6 +89,10 @@ jobs:
if: github.repository_owner == 'home-assistant'
needs: init
runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
strategy:
matrix:
arch: ${{ fromJson(needs.init.outputs.architectures) }}
@@ -197,12 +189,6 @@ jobs:
run: |
echo "${{ github.sha }};${{ github.ref }};${{ github.event_name }};${{ github.actor }}" > rootfs/OFFICIAL_IMAGE
- - name: Login to DockerHub
- uses: docker/login-action@v2.2.0
- with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
-
- name: Login to GitHub Container Registry
uses: docker/login-action@v2.2.0
with:
@@ -216,6 +202,7 @@ jobs:
args: |
$BUILD_ARGS \
--${{ matrix.arch }} \
+ --cosign \
--target /data \
--generic ${{ needs.init.outputs.version }}
env:
@@ -237,6 +224,10 @@ jobs:
if: github.repository_owner == 'home-assistant'
needs: ["init", "build_base"]
runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: write
+ id-token: write
strategy:
matrix:
machine:
@@ -275,12 +266,6 @@ jobs:
echo "BUILD_ARGS=--additional-tag stable" >> $GITHUB_ENV
fi
- - name: Login to DockerHub
- uses: docker/login-action@v2.2.0
- with:
- username: ${{ secrets.DOCKERHUB_USERNAME }}
- password: ${{ secrets.DOCKERHUB_TOKEN }}
-
- name: Login to GitHub Container Registry
uses: docker/login-action@v2.2.0
with:
@@ -294,6 +279,7 @@ jobs:
args: |
$BUILD_ARGS \
--target /data/machine \
+ --cosign \
--machine "${{ needs.init.outputs.version }}=${{ matrix.machine }}"
env:
CAS_API_KEY: ${{ secrets.CAS_TOKEN }}
@@ -338,34 +324,28 @@ jobs:
if: github.repository_owner == 'home-assistant'
needs: ["init", "build_base"]
runs-on: ubuntu-latest
- strategy:
- fail-fast: false
- matrix:
- registry:
- - "ghcr.io/home-assistant"
- - "homeassistant"
steps:
- name: Checkout the repository
uses: actions/checkout@v3.5.3
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@v3.0.5
+ with:
+ cosign-release: "v2.0.2"
+
- name: Login to DockerHub
- if: matrix.registry == 'homeassistant'
uses: docker/login-action@v2.2.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
- if: matrix.registry == 'ghcr.io/home-assistant'
uses: docker/login-action@v2.2.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- - name: Install CAS tools
- uses: home-assistant/actions/helpers/cas@master
-
- name: Build Meta Image
shell: bash
run: |
@@ -375,55 +355,78 @@ jobs:
local tag_l=${1}
local tag_r=${2}
- docker manifest create "${{ matrix.registry }}/home-assistant:${tag_l}" \
- "${{ matrix.registry }}/amd64-homeassistant:${tag_r}" \
- "${{ matrix.registry }}/i386-homeassistant:${tag_r}" \
- "${{ matrix.registry }}/armhf-homeassistant:${tag_r}" \
- "${{ matrix.registry }}/armv7-homeassistant:${tag_r}" \
- "${{ matrix.registry }}/aarch64-homeassistant:${tag_r}"
+ for registry in "ghcr.io/home-assistant" "docker.io/homeassistant"
+ do
+
+ docker manifest create "${registry}/home-assistant:${tag_l}" \
+ "${registry}/amd64-homeassistant:${tag_r}" \
+ "${registry}/i386-homeassistant:${tag_r}" \
+ "${registry}/armhf-homeassistant:${tag_r}" \
+ "${registry}/armv7-homeassistant:${tag_r}" \
+ "${registry}/aarch64-homeassistant:${tag_r}"
- docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \
- "${{ matrix.registry }}/amd64-homeassistant:${tag_r}" \
- --os linux --arch amd64
+ docker manifest annotate "${registry}/home-assistant:${tag_l}" \
+ "${registry}/amd64-homeassistant:${tag_r}" \
+ --os linux --arch amd64
- docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \
- "${{ matrix.registry }}/i386-homeassistant:${tag_r}" \
- --os linux --arch 386
+ docker manifest annotate "${registry}/home-assistant:${tag_l}" \
+ "${registry}/i386-homeassistant:${tag_r}" \
+ --os linux --arch 386
- docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \
- "${{ matrix.registry }}/armhf-homeassistant:${tag_r}" \
- --os linux --arch arm --variant=v6
+ docker manifest annotate "${registry}/home-assistant:${tag_l}" \
+ "${registry}/armhf-homeassistant:${tag_r}" \
+ --os linux --arch arm --variant=v6
- docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \
- "${{ matrix.registry }}/armv7-homeassistant:${tag_r}" \
- --os linux --arch arm --variant=v7
+ docker manifest annotate "${registry}/home-assistant:${tag_l}" \
+ "${registry}/armv7-homeassistant:${tag_r}" \
+ --os linux --arch arm --variant=v7
- docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \
- "${{ matrix.registry }}/aarch64-homeassistant:${tag_r}" \
- --os linux --arch arm64 --variant=v8
+ docker manifest annotate "${registry}/home-assistant:${tag_l}" \
+ "${registry}/aarch64-homeassistant:${tag_r}" \
+ --os linux --arch arm64 --variant=v8
- docker manifest push --purge "${{ matrix.registry }}/home-assistant:${tag_l}"
+ docker manifest push --purge "${registry}/home-assistant:${tag_l}"
+ cosign sign --yes "${registry}/home-assistant:${tag_l}"
+
+ done
}
function validate_image() {
local image=${1}
- if ! cas authenticate --signerID notary@home-assistant.io "docker://${image}"; then
+ if ! cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp https://github.com/home-assistant/core/.* "${image}"; then
echo "Invalid signature!"
exit 1
fi
}
- docker pull "${{ matrix.registry }}/amd64-homeassistant:${{ needs.init.outputs.version }}"
- docker pull "${{ matrix.registry }}/i386-homeassistant:${{ needs.init.outputs.version }}"
- docker pull "${{ matrix.registry }}/armhf-homeassistant:${{ needs.init.outputs.version }}"
- docker pull "${{ matrix.registry }}/armv7-homeassistant:${{ needs.init.outputs.version }}"
- docker pull "${{ matrix.registry }}/aarch64-homeassistant:${{ needs.init.outputs.version }}"
-
- validate_image "${{ matrix.registry }}/amd64-homeassistant:${{ needs.init.outputs.version }}"
- validate_image "${{ matrix.registry }}/i386-homeassistant:${{ needs.init.outputs.version }}"
- validate_image "${{ matrix.registry }}/armhf-homeassistant:${{ needs.init.outputs.version }}"
- validate_image "${{ matrix.registry }}/armv7-homeassistant:${{ needs.init.outputs.version }}"
- validate_image "${{ matrix.registry }}/aarch64-homeassistant:${{ needs.init.outputs.version }}"
+ function push_dockerhub() {
+ local image=${1}
+ local tag=${2}
+
+ docker tag "ghcr.io/home-assistant/${image}:${tag}" "docker.io/homeassistant/${image}:${tag}"
+ docker push "docker.io/homeassistant/${image}:${tag}"
+ cosign sign --yes "docker.io/homeassistant/${image}:${tag}"
+ }
+
+ # Pull images from github container registry and verify signature
+ docker pull "ghcr.io/home-assistant/amd64-homeassistant:${{ needs.init.outputs.version }}"
+ docker pull "ghcr.io/home-assistant/i386-homeassistant:${{ needs.init.outputs.version }}"
+ docker pull "ghcr.io/home-assistant/armhf-homeassistant:${{ needs.init.outputs.version }}"
+ docker pull "ghcr.io/home-assistant/armv7-homeassistant:${{ needs.init.outputs.version }}"
+ docker pull "ghcr.io/home-assistant/aarch64-homeassistant:${{ needs.init.outputs.version }}"
+
+ validate_image "ghcr.io/home-assistant/amd64-homeassistant:${{ needs.init.outputs.version }}"
+ validate_image "ghcr.io/home-assistant/i386-homeassistant:${{ needs.init.outputs.version }}"
+ validate_image "ghcr.io/home-assistant/armhf-homeassistant:${{ needs.init.outputs.version }}"
+ validate_image "ghcr.io/home-assistant/armv7-homeassistant:${{ needs.init.outputs.version }}"
+ validate_image "ghcr.io/home-assistant/aarch64-homeassistant:${{ needs.init.outputs.version }}"
+
+ # Upload images to dockerhub
+ push_dockerhub "amd64-homeassistant" "${{ needs.init.outputs.version }}"
+ push_dockerhub "i386-homeassistant" "${{ needs.init.outputs.version }}"
+ push_dockerhub "armhf-homeassistant" "${{ needs.init.outputs.version }}"
+ push_dockerhub "armv7-homeassistant" "${{ needs.init.outputs.version }}"
+ push_dockerhub "aarch64-homeassistant" "${{ needs.init.outputs.version }}"
# Create version tag
create_manifest "${{ needs.init.outputs.version }}" "${{ needs.init.outputs.version }}"
diff --git a/build.yaml b/build.yaml
index b32aa38dff6a9ca936fe4bc5eebc5b88b0b8ea62..a181e9d154872b597f01295c1f685fd15df691b4 100644
--- a/build.yaml
+++ b/build.yaml
@@ -1,14 +1,16 @@
-image: homeassistant/{arch}-homeassistant
-shadow_repository: ghcr.io/home-assistant
+image: ghcr.io/home-assistant/{arch}-homeassistant
build_from:
- aarch64: ghcr.io/home-assistant/aarch64-homeassistant-base:2023.06.0
- armhf: ghcr.io/home-assistant/armhf-homeassistant-base:2023.06.0
- armv7: ghcr.io/home-assistant/armv7-homeassistant-base:2023.06.0
- amd64: ghcr.io/home-assistant/amd64-homeassistant-base:2023.06.0
- i386: ghcr.io/home-assistant/i386-homeassistant-base:2023.06.0
+ aarch64: ghcr.io/home-assistant/aarch64-homeassistant-base:2023.06.1
+ armhf: ghcr.io/home-assistant/armhf-homeassistant-base:2023.06.1
+ armv7: ghcr.io/home-assistant/armv7-homeassistant-base:2023.06.1
+ amd64: ghcr.io/home-assistant/amd64-homeassistant-base:2023.06.1
+ i386: ghcr.io/home-assistant/i386-homeassistant-base:2023.06.1
codenotary:
signer: notary@home-assistant.io
base_image: notary@home-assistant.io
+cosign:
+ base_identity: https://github.com/home-assistant/docker/.*
+ identity: https://github.com/home-assistant/core/.*
labels:
io.hass.type: core
org.opencontainers.image.title: Home Assistant
diff --git a/machine/build.yaml b/machine/build.yaml
index 340b8079b9fb5fe9d8442e34157ca582976b067a..2f8aa3fe5c3e4bb75b75af894dea2b98b0edfa84 100644
--- a/machine/build.yaml
+++ b/machine/build.yaml
@@ -1,5 +1,4 @@
-image: homeassistant/{machine}-homeassistant
-shadow_repository: ghcr.io/home-assistant
+image: ghcr.io/home-assistant/{machine}-homeassistant
build_from:
aarch64: "ghcr.io/home-assistant/aarch64-homeassistant:"
armv7: "ghcr.io/home-assistant/armv7-homeassistant:"
@@ -9,6 +8,9 @@ build_from:
codenotary:
signer: notary@home-assistant.io
base_image: notary@home-assistant.io
+cosign:
+ base_identity: https://github.com/home-assistant/core/.*
+ identity: https://github.com/home-assistant/core/.*
labels:
io.hass.type: core
org.opencontainers.image.source: https://github.com/home-assistant/core