Support cosign / limit build (#223)

home-assistant · Jun 10, 2023 · aa1a2f4 · aa1a2f4
1 parent 25a4cef
commit aa1a2f4
Show file tree

Hide file tree

Showing 8 changed files with 52 additions and 69 deletions.
diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
@@ -64,6 +64,10 @@ jobs:
     name: Build ${{ matrix.arch }} alpine ${{ matrix.version }} base image
     needs: init
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
     strategy:
       matrix:
         arch: ${{ fromJson(needs.init.outputs.architectures_alpine) }}
@@ -72,13 +76,6 @@ jobs:
     - name: Checkout the repository
       uses: actions/checkout@v3
 
-    - name: Login to DockerHub
-      if: github.event_name == 'release'
-      uses: docker/login-action@v2
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-
     - name: Login to GitHub Container Registry
       if: github.event_name == 'release'
       uses: docker/login-action@v2
@@ -97,12 +94,13 @@ jobs:
         fi
     
     - name: Build base image
-      uses: home-assistant/builder@2023.03.0
+      uses: home-assistant/builder@2023.06.0
       with:
         args: |
           $BUILD_ARGS \
           --${{ matrix.arch }} \
           --target /data/alpine \
+          --cosign \
           --release ${{ needs.init.outputs.release }} \
           --base ${{ matrix.version }}
       env:
@@ -112,6 +110,10 @@ jobs:
     name: Build ${{ matrix.arch }} debian ${{ matrix.version }} base image
     needs: init
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
     strategy:
       matrix:
         arch: ${{ fromJson(needs.init.outputs.architectures_debian) }}
@@ -120,13 +122,6 @@ jobs:
     - name: Checkout the repository
       uses: actions/checkout@v3
 
-    - name: Login to DockerHub
-      if: github.event_name == 'release'
-      uses: docker/login-action@v2
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-
     - name: Login to GitHub Container Registry
       if: github.event_name == 'release'
       uses: docker/login-action@v2
@@ -145,12 +140,13 @@ jobs:
         fi
     
     - name: Build base image
-      uses: home-assistant/builder@2023.03.0
+      uses: home-assistant/builder@2023.06.0
       with:
         args: |
           $BUILD_ARGS \
           --${{ matrix.arch }} \
           --target /data/debian \
+          --cosign \
           --release ${{ needs.init.outputs.release }} \
           --version-from ${{ matrix.version }}-slim \
           --base ${{ matrix.version }}
@@ -161,6 +157,10 @@ jobs:
     name: Build ${{ matrix.arch }} ubuntu ${{ matrix.version }} base image
     needs: init
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
     strategy:
       matrix:
         arch: ${{ fromJson(needs.init.outputs.architectures_ubuntu) }}
@@ -169,13 +169,6 @@ jobs:
     - name: Checkout the repository
       uses: actions/checkout@v3
 
-    - name: Login to DockerHub
-      if: github.event_name == 'release'
-      uses: docker/login-action@v2
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-
     - name: Login to GitHub Container Registry
       if: github.event_name == 'release'
       uses: docker/login-action@v2
@@ -194,12 +187,13 @@ jobs:
         fi
     
     - name: Build base image
-      uses: home-assistant/builder@2023.03.0
+      uses: home-assistant/builder@2023.06.0
       with:
         args: |
           $BUILD_ARGS \
           --${{ matrix.arch }} \
           --target /data/ubuntu \
+          --cosign \
           --release ${{ needs.init.outputs.release }} \
           --base ${{ matrix.version }}
       env:
@@ -209,6 +203,10 @@ jobs:
     name: Build ${{ matrix.arch }} raspbian ${{ matrix.version }} base image
     needs: init
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
     strategy:
       matrix:
         arch: ${{ fromJson(needs.init.outputs.architectures_raspbian) }}
@@ -217,13 +215,6 @@ jobs:
     - name: Checkout the repository
       uses: actions/checkout@v3
 
-    - name: Login to DockerHub
-      if: github.event_name == 'release'
-      uses: docker/login-action@v2
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-
     - name: Login to GitHub Container Registry
       if: github.event_name == 'release'
       uses: docker/login-action@v2
@@ -242,12 +233,13 @@ jobs:
         fi
     
     - name: Build base image
-      uses: home-assistant/builder@2023.03.0
+      uses: home-assistant/builder@2023.06.0
       with:
         args: |
           $BUILD_ARGS \
           --${{ matrix.arch }} \
           --target /data/raspbian \
+          --cosign \
           --release ${{ needs.init.outputs.release }} \
           --version-from ${{ matrix.version }}-slim \
           --base ${{ matrix.version }}
@@ -258,6 +250,10 @@ jobs:
     name: Build ${{ matrix.arch }} alpine ${{ matrix.version }} - python ${{ matrix.python }} base image
     needs: [init, build_alpine]
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
     strategy:
       matrix:
         arch: ${{ fromJson(needs.init.outputs.architectures_alpine) }}
@@ -267,13 +263,6 @@ jobs:
     - name: Checkout the repository
       uses: actions/checkout@v3
 
-    - name: Login to DockerHub
-      if: github.event_name == 'release'
-      uses: docker/login-action@v2
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-
     - name: Login to GitHub Container Registry
       if: github.event_name == 'release'
       uses: docker/login-action@v2
@@ -292,12 +281,13 @@ jobs:
         fi
     
     - name: Build base image
-      uses: home-assistant/builder@2023.03.0
+      uses: home-assistant/builder@2023.06.0
       with:
         args: |
           $BUILD_ARGS \
           --${{ matrix.arch }} \
           --target "/data/python/${{ matrix.python }}" \
+          --cosign \
           --release ${{ needs.init.outputs.release }} \
           --version-from ${{ matrix.version }} \
           --version ${{ matrix.python }} \

diff --git a/alpine/build.yaml b/alpine/build.yaml
@@ -1,5 +1,4 @@
-image: homeassistant/{arch}-base
-shadow_repository: ghcr.io/home-assistant
+image: ghcr.io/home-assistant/{arch}-base
 build_from:
   aarch64: "arm64v8/alpine:"
   armv7: "arm32v7/alpine:"

diff --git a/debian/build.yaml b/debian/build.yaml
@@ -1,5 +1,4 @@
-image: homeassistant/{arch}-base-debian
-shadow_repository: ghcr.io/home-assistant
+image: ghcr.io/home-assistant/{arch}-base-debian
 build_from:
   aarch64: "arm64v8/debian:"
   armv7: "arm32v7/debian:"

diff --git a/python/3.10/build.yaml b/python/3.10/build.yaml
@@ -1,11 +1,10 @@
-image: homeassistant/{arch}-base-python
-shadow_repository: ghcr.io/home-assistant
+image: ghcr.io/home-assistant/{arch}-base-python
 build_from:
-  aarch64: "homeassistant/aarch64-base:"
-  armv7: "homeassistant/armv7-base:"
-  armhf: "homeassistant/armhf-base:"
-  amd64: "homeassistant/amd64-base:"
-  i386: "homeassistant/i386-base:"
+  aarch64: "ghcr.io/home-assistant/aarch64-base:"
+  armv7: "ghcr.io/home-assistant/armv7-base:"
+  armhf: "ghcr.io/home-assistant/armhf-base:"
+  amd64: "ghcr.io/home-assistant/amd64-base:"
+  i386: "ghcr.io/home-assistant/i386-base:"
 codenotary:
   signer: [email protected]
   base_image: [email protected]

diff --git a/python/3.11/build.yaml b/python/3.11/build.yaml
@@ -1,11 +1,10 @@
-image: homeassistant/{arch}-base-python
-shadow_repository: ghcr.io/home-assistant
+image: ghcr.io/home-assistant/{arch}-base-python
 build_from:
-  aarch64: "homeassistant/aarch64-base:"
-  armv7: "homeassistant/armv7-base:"
-  armhf: "homeassistant/armhf-base:"
-  amd64: "homeassistant/amd64-base:"
-  i386: "homeassistant/i386-base:"
+  aarch64: "ghcr.io/home-assistant/aarch64-base:"
+  armv7: "ghcr.io/home-assistant/armv7-base:"
+  armhf: "ghcr.io/home-assistant/armhf-base:"
+  amd64: "ghcr.io/home-assistant/amd64-base:"
+  i386: "ghcr.io/home-assistant/i386-base:"
 codenotary:
   signer: [email protected]
   base_image: [email protected]

diff --git a/python/3.9/build.yaml b/python/3.9/build.yaml
@@ -1,11 +1,10 @@
-image: homeassistant/{arch}-base-python
-shadow_repository: ghcr.io/home-assistant
+image: ghcr.io/home-assistant/{arch}-base-python
 build_from:
-  aarch64: "homeassistant/aarch64-base:"
-  armv7: "homeassistant/armv7-base:"
-  armhf: "homeassistant/armhf-base:"
-  amd64: "homeassistant/amd64-base:"
-  i386: "homeassistant/i386-base:"
+  aarch64: "ghcr.io/home-assistant/aarch64-base:"
+  armv7: "ghcr.io/home-assistant/armv7-base:"
+  armhf: "ghcr.io/home-assistant/armhf-base:"
+  amd64: "ghcr.io/home-assistant/amd64-base:"
+  i386: "ghcr.io/home-assistant/i386-base:"
 codenotary:
   signer: [email protected]
   base_image: [email protected]

diff --git a/raspbian/build.yaml b/raspbian/build.yaml
@@ -1,5 +1,4 @@
-image: homeassistant/{arch}-base-raspbian
-shadow_repository: ghcr.io/home-assistant
+image: ghcr.io/home-assistant/{arch}-base-raspbian
 build_from:
   armhf: "tianon/raspbian:"
 codenotary:

diff --git a/ubuntu/build.yaml b/ubuntu/build.yaml
@@ -1,5 +1,4 @@
-image: homeassistant/{arch}-base-ubuntu
-shadow_repository: ghcr.io/home-assistant
+image: ghcr.io/home-assistant/{arch}-base-ubuntu
 build_from:
   aarch64: "arm64v8/ubuntu:"
   armv7: "arm32v7/ubuntu:"