diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml index fce25f3fd75..965b7d912d9 100644 --- a/.github/workflows/builder.yml +++ b/.github/workflows/builder.yml @@ -48,18 +48,6 @@ jobs: with: ignore-dev: true - - name: Generate meta info - shell: bash - run: | - echo "${{ github.sha }};${{ github.ref }};${{ github.event_name }};${{ github.actor }}" > OFFICIAL_IMAGE - - - name: Signing meta info file - uses: home-assistant/actions/helpers/codenotary@master - with: - source: file://${{ github.workspace }}/OFFICIAL_IMAGE - asset: OFFICIAL_IMAGE-${{ steps.version.outputs.version }} - token: ${{ secrets.CAS_TOKEN }} - build_python: name: Build PyPi package environment: ${{ needs.init.outputs.channel }} @@ -101,6 +89,10 @@ jobs: if: github.repository_owner == 'home-assistant' needs: init runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write strategy: matrix: arch: ${{ fromJson(needs.init.outputs.architectures) }} @@ -197,12 +189,6 @@ jobs: run: | echo "${{ github.sha }};${{ github.ref }};${{ github.event_name }};${{ github.actor }}" > rootfs/OFFICIAL_IMAGE - - name: Login to DockerHub - uses: docker/login-action@v2.2.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Login to GitHub Container Registry uses: docker/login-action@v2.2.0 with: @@ -216,6 +202,7 @@ jobs: args: | $BUILD_ARGS \ --${{ matrix.arch }} \ + --cosign \ --target /data \ --generic ${{ needs.init.outputs.version }} env: @@ -237,6 +224,10 @@ jobs: if: github.repository_owner == 'home-assistant' needs: ["init", "build_base"] runs-on: ubuntu-latest + permissions: + contents: read + packages: write + id-token: write strategy: matrix: machine: 
@@ -275,12 +266,6 @@ jobs: echo "BUILD_ARGS=--additional-tag stable" >> $GITHUB_ENV fi - - name: Login to DockerHub - uses: docker/login-action@v2.2.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Login to GitHub Container Registry uses: docker/login-action@v2.2.0 with: @@ -294,6 +279,7 @@ jobs: args: | $BUILD_ARGS \ --target /data/machine \ + --cosign \ --machine "${{ needs.init.outputs.version }}=${{ matrix.machine }}" env: CAS_API_KEY: ${{ secrets.CAS_TOKEN }} @@ -338,34 +324,28 @@ jobs: if: github.repository_owner == 'home-assistant' needs: ["init", "build_base"] runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - registry: - - "ghcr.io/home-assistant" - - "homeassistant" steps: - name: Checkout the repository uses: actions/checkout@v3.5.3 + - name: Install Cosign + uses: sigstore/cosign-installer@v3.0.5 + with: + cosign-release: "v2.0.2" + - name: Login to DockerHub - if: matrix.registry == 'homeassistant' uses: docker/login-action@v2.2.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Login to GitHub Container Registry - if: matrix.registry == 'ghcr.io/home-assistant' uses: docker/login-action@v2.2.0 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - - name: Install CAS tools - uses: home-assistant/actions/helpers/cas@master - - name: Build Meta Image shell: bash run: | 
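Review bot: The publish job header in the `@@ -338` hunk gains no `permissions:` block, yet its Build Meta Image step now runs `cosign sign --yes` (keyless, via the job's OIDC token), which requires `id-token: write`; the build jobs in the `@@ -101` and `@@ -237` hunks were given exactly that. Unless the workflow grants `id-token: write` at the top level, which is not visible here, the job will run with the default token and the sign calls will fail at runtime. Add the same four-line `permissions:` block (contents read, packages write, id-token write) directly under `runs-on: ubuntu-latest`, keeping the job on least privilege rather than widening the workflow-level grant.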
@@ -375,55 +355,78 @@ jobs: local tag_l=${1} local tag_r=${2} - docker manifest create "${{ matrix.registry }}/home-assistant:${tag_l}" \ - "${{ matrix.registry }}/amd64-homeassistant:${tag_r}" \ - "${{ matrix.registry }}/i386-homeassistant:${tag_r}" \ - "${{ matrix.registry }}/armhf-homeassistant:${tag_r}" \ - "${{ matrix.registry }}/armv7-homeassistant:${tag_r}" \ - "${{ matrix.registry }}/aarch64-homeassistant:${tag_r}" + for registry in "ghcr.io/home-assistant" "docker.io/homeassistant" + do - docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \ - "${{ matrix.registry }}/amd64-homeassistant:${tag_r}" \ - --os linux --arch amd64 + docker manifest create "${registry}/home-assistant:${tag_l}" \ + "${registry}/amd64-homeassistant:${tag_r}" \ + "${registry}/i386-homeassistant:${tag_r}" \ + "${registry}/armhf-homeassistant:${tag_r}" \ + "${registry}/armv7-homeassistant:${tag_r}" \ + "${registry}/aarch64-homeassistant:${tag_r}" - docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \ - "${{ matrix.registry }}/i386-homeassistant:${tag_r}" \ - --os linux --arch 386 + docker manifest annotate "${registry}/home-assistant:${tag_l}" \ + "${registry}/amd64-homeassistant:${tag_r}" \ + --os linux --arch amd64 - docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \ - "${{ matrix.registry }}/armhf-homeassistant:${tag_r}" \ - --os linux --arch arm --variant=v6 + docker manifest annotate "${registry}/home-assistant:${tag_l}" \ + "${registry}/i386-homeassistant:${tag_r}" \ + --os linux --arch 386 - docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \ - "${{ matrix.registry }}/armv7-homeassistant:${tag_r}" \ - --os linux --arch arm --variant=v7 + docker manifest annotate "${registry}/home-assistant:${tag_l}" \ + "${registry}/armhf-homeassistant:${tag_r}" \ + --os linux --arch arm --variant=v6 - docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \ - "${{ matrix.registry 
}}/aarch64-homeassistant:${tag_r}" \ - --os linux --arch arm64 --variant=v8 + docker manifest annotate "${registry}/home-assistant:${tag_l}" \ + "${registry}/armv7-homeassistant:${tag_r}" \ + --os linux --arch arm --variant=v7 - docker manifest push --purge "${{ matrix.registry }}/home-assistant:${tag_l}" + docker manifest annotate "${registry}/home-assistant:${tag_l}" \ + "${registry}/aarch64-homeassistant:${tag_r}" \ + --os linux --arch arm64 --variant=v8 + + docker manifest push --purge "${registry}/home-assistant:${tag_l}" + cosign sign --yes "${registry}/home-assistant:${tag_l}" + + done } function validate_image() { local image=${1} - if ! cas authenticate --signerID notary@home-assistant.io "docker://${image}"; then + if ! cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp https://github.com/home-assistant/core/.* "${image}"; then echo "Invalid signature!" exit 1 fi } - docker pull "${{ matrix.registry }}/amd64-homeassistant:${{ needs.init.outputs.version }}" - docker pull "${{ matrix.registry }}/i386-homeassistant:${{ needs.init.outputs.version }}" - docker pull "${{ matrix.registry }}/armhf-homeassistant:${{ needs.init.outputs.version }}" - docker pull "${{ matrix.registry }}/armv7-homeassistant:${{ needs.init.outputs.version }}" - docker pull "${{ matrix.registry }}/aarch64-homeassistant:${{ needs.init.outputs.version }}" + function push_dockerhub() { + local image=${1} + local tag=${2} - validate_image "${{ matrix.registry }}/amd64-homeassistant:${{ needs.init.outputs.version }}" - validate_image "${{ matrix.registry }}/i386-homeassistant:${{ needs.init.outputs.version }}" - validate_image "${{ matrix.registry }}/armhf-homeassistant:${{ needs.init.outputs.version }}" - validate_image "${{ matrix.registry }}/armv7-homeassistant:${{ needs.init.outputs.version }}" - validate_image "${{ matrix.registry }}/aarch64-homeassistant:${{ needs.init.outputs.version }}" + docker tag 
"ghcr.io/home-assistant/${image}:${tag}" "docker.io/homeassistant/${image}:${tag}" + docker push "docker.io/homeassistant/${image}:${tag}" + cosign sign --yes "docker.io/homeassistant/${image}:${tag}" + } + + # Pull images from github container registry and verify signature + docker pull "ghcr.io/home-assistant/amd64-homeassistant:${{ needs.init.outputs.version }}" + docker pull "ghcr.io/home-assistant/i386-homeassistant:${{ needs.init.outputs.version }}" + docker pull "ghcr.io/home-assistant/armhf-homeassistant:${{ needs.init.outputs.version }}" + docker pull "ghcr.io/home-assistant/armv7-homeassistant:${{ needs.init.outputs.version }}" + docker pull "ghcr.io/home-assistant/aarch64-homeassistant:${{ needs.init.outputs.version }}" + + validate_image "ghcr.io/home-assistant/amd64-homeassistant:${{ needs.init.outputs.version }}" + validate_image "ghcr.io/home-assistant/i386-homeassistant:${{ needs.init.outputs.version }}" + validate_image "ghcr.io/home-assistant/armhf-homeassistant:${{ needs.init.outputs.version }}" + validate_image "ghcr.io/home-assistant/armv7-homeassistant:${{ needs.init.outputs.version }}" + validate_image "ghcr.io/home-assistant/aarch64-homeassistant:${{ needs.init.outputs.version }}" + + # Upload images to dockerhub + push_dockerhub "amd64-homeassistant" "${{ needs.init.outputs.version }}" + push_dockerhub "i386-homeassistant" "${{ needs.init.outputs.version }}" + push_dockerhub "armhf-homeassistant" "${{ needs.init.outputs.version }}" + push_dockerhub "armv7-homeassistant" "${{ needs.init.outputs.version }}" + push_dockerhub "aarch64-homeassistant" "${{ needs.init.outputs.version }}" # Create version tag create_manifest "${{ needs.init.outputs.version }}" "${{ needs.init.outputs.version }}" diff --git a/build.yaml b/build.yaml index b32aa38dff6..a181e9d1548 100644 --- a/build.yaml +++ b/build.yaml 
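Review bot: In `validate_image`, `--certificate-identity-regexp https://github.com/home-assistant/core/.*` is an unanchored Go regexp with unescaped dots, so cosign accepts any certificate identity that merely contains that substring, and within the repository any workflow file or ref. Anchor and narrow it to the workflow that signs the arch images, e.g. `--certificate-identity-regexp '^https://github\.com/home-assistant/core/\.github/workflows/builder\.yml@refs/'` (adjust if the builder signs under a different workflow identity); the `cosign:` blocks added to build.yaml and machine/build.yaml carry the same unanchored patterns and deserve the same treatment if the builder forwards them to cosign. Separately, `cosign verify "${image}"` resolves the tag against the registry while `docker tag`/`docker push` in `push_dockerhub` operate on the locally pulled image, so the artifact verified may not be the one retagged and re-signed; resolving the pulled image's digest once (e.g. `docker inspect --format '{{index .RepoDigests 0}}'`) and verifying, tagging and signing that digest closes the gap. The `run: |` block this code belongs to starts before this hunk.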
@@ -1,14 +1,16 @@ -image: homeassistant/{arch}-homeassistant -shadow_repository: ghcr.io/home-assistant +image: ghcr.io/home-assistant/{arch}-homeassistant build_from: - aarch64: ghcr.io/home-assistant/aarch64-homeassistant-base:2023.06.0 - armhf: ghcr.io/home-assistant/armhf-homeassistant-base:2023.06.0 - armv7: ghcr.io/home-assistant/armv7-homeassistant-base:2023.06.0 - amd64: ghcr.io/home-assistant/amd64-homeassistant-base:2023.06.0 - i386: ghcr.io/home-assistant/i386-homeassistant-base:2023.06.0 + aarch64: ghcr.io/home-assistant/aarch64-homeassistant-base:2023.06.1 + armhf: ghcr.io/home-assistant/armhf-homeassistant-base:2023.06.1 + armv7: ghcr.io/home-assistant/armv7-homeassistant-base:2023.06.1 + amd64: ghcr.io/home-assistant/amd64-homeassistant-base:2023.06.1 + i386: ghcr.io/home-assistant/i386-homeassistant-base:2023.06.1 codenotary: signer: notary@home-assistant.io base_image: notary@home-assistant.io +cosign: + base_identity: https://github.com/home-assistant/docker/.* + identity: https://github.com/home-assistant/core/.* labels: io.hass.type: core org.opencontainers.image.title: Home Assistant diff --git a/machine/build.yaml b/machine/build.yaml index 340b8079b9f..2f8aa3fe5c3 100644 --- a/machine/build.yaml +++ b/machine/build.yaml @@ -1,5 +1,4 @@ -image: homeassistant/{machine}-homeassistant -shadow_repository: ghcr.io/home-assistant +image: ghcr.io/home-assistant/{machine}-homeassistant build_from: aarch64: "ghcr.io/home-assistant/aarch64-homeassistant:" armv7: "ghcr.io/home-assistant/armv7-homeassistant:" @@ -9,6 +8,9 @@ build_from: codenotary: signer: notary@home-assistant.io base_image: notary@home-assistant.io +cosign: + base_identity: https://github.com/home-assistant/core/.* + identity: https://github.com/home-assistant/core/.* labels: io.hass.type: core org.opencontainers.image.source: https://github.com/home-assistant/core