evlli/hass-core
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Cosign support (#95236)

Browse source
This commit is contained in:
Pascal Vizeli 2023-06-26 14:32:02 +02:00 committed by GitHub
parent 45ff9d8f63
commit c75e831b65
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 84 additions and 77 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

139
.github/workflows/builder.yml vendored
View file

@ -48,18 +48,6 @@ jobs:
with: with:
ignore-dev: true ignore-dev: true
- name: Generate meta info
shell: bash
run: |
echo "${{ github.sha }};${{ github.ref }};${{ github.event_name }};${{ github.actor }}" > OFFICIAL_IMAGE
- name: Signing meta info file
uses: home-assistant/actions/helpers/codenotary@master
with:
source: file://${{ github.workspace }}/OFFICIAL_IMAGE
asset: OFFICIAL_IMAGE-${{ steps.version.outputs.version }}
token: ${{ secrets.CAS_TOKEN }}
build_python: build_python:
name: Build PyPi package name: Build PyPi package
environment: ${{ needs.init.outputs.channel }} environment: ${{ needs.init.outputs.channel }}
@ -101,6 +89,10 @@ jobs:
if: github.repository_owner == 'home-assistant' if: github.repository_owner == 'home-assistant'
needs: init needs: init
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
strategy: strategy:
matrix: matrix:
arch: ${{ fromJson(needs.init.outputs.architectures) }} arch: ${{ fromJson(needs.init.outputs.architectures) }}
@ -197,12 +189,6 @@ jobs:
run: | run: |
echo "${{ github.sha }};${{ github.ref }};${{ github.event_name }};${{ github.actor }}" > rootfs/OFFICIAL_IMAGE echo "${{ github.sha }};${{ github.ref }};${{ github.event_name }};${{ github.actor }}" > rootfs/OFFICIAL_IMAGE
- name: Login to DockerHub
uses: docker/login-action@v2.2.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
uses: docker/login-action@v2.2.0 uses: docker/login-action@v2.2.0
with: with:
@ -216,6 +202,7 @@ jobs:
args: | args: |
$BUILD_ARGS \ $BUILD_ARGS \
--${{ matrix.arch }} \ --${{ matrix.arch }} \
--cosign \
--target /data \ --target /data \
--generic ${{ needs.init.outputs.version }} --generic ${{ needs.init.outputs.version }}
env: env:
@ -237,6 +224,10 @@ jobs:
if: github.repository_owner == 'home-assistant' if: github.repository_owner == 'home-assistant'
needs: ["init", "build_base"] needs: ["init", "build_base"]
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
strategy: strategy:
matrix: matrix:
machine: machine:
@ -275,12 +266,6 @@ jobs:
echo "BUILD_ARGS=--additional-tag stable" >> $GITHUB_ENV echo "BUILD_ARGS=--additional-tag stable" >> $GITHUB_ENV
fi fi
- name: Login to DockerHub
uses: docker/login-action@v2.2.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
uses: docker/login-action@v2.2.0 uses: docker/login-action@v2.2.0
with: with:
@ -294,6 +279,7 @@ jobs:
args: | args: |
$BUILD_ARGS \ $BUILD_ARGS \
--target /data/machine \ --target /data/machine \
--cosign \
--machine "${{ needs.init.outputs.version }}=${{ matrix.machine }}" --machine "${{ needs.init.outputs.version }}=${{ matrix.machine }}"
env: env:
CAS_API_KEY: ${{ secrets.CAS_TOKEN }} CAS_API_KEY: ${{ secrets.CAS_TOKEN }}
@ -338,34 +324,28 @@ jobs:
if: github.repository_owner == 'home-assistant' if: github.repository_owner == 'home-assistant'
needs: ["init", "build_base"] needs: ["init", "build_base"]
runs-on: ubuntu-latest runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
registry:
- "ghcr.io/home-assistant"
- "homeassistant"
steps: steps:
- name: Checkout the repository - name: Checkout the repository
uses: actions/checkout@v3.5.3 uses: actions/checkout@v3.5.3
- name: Install Cosign
uses: sigstore/cosign-installer@v3.0.5
with:
cosign-release: "v2.0.2"
- name: Login to DockerHub - name: Login to DockerHub
if: matrix.registry == 'homeassistant'
uses: docker/login-action@v2.2.0 uses: docker/login-action@v2.2.0
with: with:
username: ${{ secrets.DOCKERHUB_USERNAME }} username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }} password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry - name: Login to GitHub Container Registry
if: matrix.registry == 'ghcr.io/home-assistant'
uses: docker/login-action@v2.2.0 uses: docker/login-action@v2.2.0
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.repository_owner }} username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }} password: ${{ secrets.GITHUB_TOKEN }}
- name: Install CAS tools
uses: home-assistant/actions/helpers/cas@master
- name: Build Meta Image - name: Build Meta Image
shell: bash shell: bash
run: | run: |
@ -375,55 +355,78 @@ jobs:
local tag_l=${1} local tag_l=${1}
local tag_r=${2} local tag_r=${2}
docker manifest create "${{ matrix.registry }}/home-assistant:${tag_l}" \ for registry in "ghcr.io/home-assistant" "docker.io/homeassistant"
"${{ matrix.registry }}/amd64-homeassistant:${tag_r}" \ do
"${{ matrix.registry }}/i386-homeassistant:${tag_r}" \
"${{ matrix.registry }}/armhf-homeassistant:${tag_r}" \
"${{ matrix.registry }}/armv7-homeassistant:${tag_r}" \
"${{ matrix.registry }}/aarch64-homeassistant:${tag_r}"
docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \ docker manifest create "${registry}/home-assistant:${tag_l}" \
"${{ matrix.registry }}/amd64-homeassistant:${tag_r}" \ "${registry}/amd64-homeassistant:${tag_r}" \
--os linux --arch amd64 "${registry}/i386-homeassistant:${tag_r}" \
"${registry}/armhf-homeassistant:${tag_r}" \
"${registry}/armv7-homeassistant:${tag_r}" \
"${registry}/aarch64-homeassistant:${tag_r}"
docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \ docker manifest annotate "${registry}/home-assistant:${tag_l}" \
"${{ matrix.registry }}/i386-homeassistant:${tag_r}" \ "${registry}/amd64-homeassistant:${tag_r}" \
--os linux --arch 386 --os linux --arch amd64
docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \ docker manifest annotate "${registry}/home-assistant:${tag_l}" \
"${{ matrix.registry }}/armhf-homeassistant:${tag_r}" \ "${registry}/i386-homeassistant:${tag_r}" \
--os linux --arch arm --variant=v6 --os linux --arch 386
docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \ docker manifest annotate "${registry}/home-assistant:${tag_l}" \
"${{ matrix.registry }}/armv7-homeassistant:${tag_r}" \ "${registry}/armhf-homeassistant:${tag_r}" \
--os linux --arch arm --variant=v7 --os linux --arch arm --variant=v6
docker manifest annotate "${{ matrix.registry }}/home-assistant:${tag_l}" \ docker manifest annotate "${registry}/home-assistant:${tag_l}" \
"${{ matrix.registry }}/aarch64-homeassistant:${tag_r}" \ "${registry}/armv7-homeassistant:${tag_r}" \
--os linux --arch arm64 --variant=v8 --os linux --arch arm --variant=v7
docker manifest push --purge "${{ matrix.registry }}/home-assistant:${tag_l}" docker manifest annotate "${registry}/home-assistant:${tag_l}" \
"${registry}/aarch64-homeassistant:${tag_r}" \
--os linux --arch arm64 --variant=v8
docker manifest push --purge "${registry}/home-assistant:${tag_l}"
cosign sign --yes "${registry}/home-assistant:${tag_l}"
done
} }
function validate_image() { function validate_image() {
local image=${1} local image=${1}
if ! cas authenticate --signerID notary@home-assistant.io "docker://${image}"; then if ! cosign verify --certificate-oidc-issuer https://token.actions.githubusercontent.com --certificate-identity-regexp https://github.com/home-assistant/core/.* "${image}"; then
echo "Invalid signature!" echo "Invalid signature!"
exit 1 exit 1
fi fi
} }
docker pull "${{ matrix.registry }}/amd64-homeassistant:${{ needs.init.outputs.version }}" function push_dockerhub() {
docker pull "${{ matrix.registry }}/i386-homeassistant:${{ needs.init.outputs.version }}" local image=${1}
docker pull "${{ matrix.registry }}/armhf-homeassistant:${{ needs.init.outputs.version }}" local tag=${2}
docker pull "${{ matrix.registry }}/armv7-homeassistant:${{ needs.init.outputs.version }}"
docker pull "${{ matrix.registry }}/aarch64-homeassistant:${{ needs.init.outputs.version }}"
validate_image "${{ matrix.registry }}/amd64-homeassistant:${{ needs.init.outputs.version }}" docker tag "ghcr.io/home-assistant/${image}:${tag}" "docker.io/homeassistant/${image}:${tag}"
validate_image "${{ matrix.registry }}/i386-homeassistant:${{ needs.init.outputs.version }}" docker push "docker.io/homeassistant/${image}:${tag}"
validate_image "${{ matrix.registry }}/armhf-homeassistant:${{ needs.init.outputs.version }}" cosign sign --yes "docker.io/homeassistant/${image}:${tag}"
validate_image "${{ matrix.registry }}/armv7-homeassistant:${{ needs.init.outputs.version }}" }
validate_image "${{ matrix.registry }}/aarch64-homeassistant:${{ needs.init.outputs.version }}"
# Pull images from github container registry and verify signature
docker pull "ghcr.io/home-assistant/amd64-homeassistant:${{ needs.init.outputs.version }}"
docker pull "ghcr.io/home-assistant/i386-homeassistant:${{ needs.init.outputs.version }}"
docker pull "ghcr.io/home-assistant/armhf-homeassistant:${{ needs.init.outputs.version }}"
docker pull "ghcr.io/home-assistant/armv7-homeassistant:${{ needs.init.outputs.version }}"
docker pull "ghcr.io/home-assistant/aarch64-homeassistant:${{ needs.init.outputs.version }}"
validate_image "ghcr.io/home-assistant/amd64-homeassistant:${{ needs.init.outputs.version }}"
validate_image "ghcr.io/home-assistant/i386-homeassistant:${{ needs.init.outputs.version }}"
validate_image "ghcr.io/home-assistant/armhf-homeassistant:${{ needs.init.outputs.version }}"
validate_image "ghcr.io/home-assistant/armv7-homeassistant:${{ needs.init.outputs.version }}"
validate_image "ghcr.io/home-assistant/aarch64-homeassistant:${{ needs.init.outputs.version }}"
# Upload images to dockerhub
push_dockerhub "amd64-homeassistant" "${{ needs.init.outputs.version }}"
push_dockerhub "i386-homeassistant" "${{ needs.init.outputs.version }}"
push_dockerhub "armhf-homeassistant" "${{ needs.init.outputs.version }}"
push_dockerhub "armv7-homeassistant" "${{ needs.init.outputs.version }}"
push_dockerhub "aarch64-homeassistant" "${{ needs.init.outputs.version }}"
# Create version tag # Create version tag
create_manifest "${{ needs.init.outputs.version }}" "${{ needs.init.outputs.version }}" create_manifest "${{ needs.init.outputs.version }}" "${{ needs.init.outputs.version }}"

16
build.yaml
View file

@ -1,14 +1,16 @@
image: homeassistant/{arch}-homeassistant image: ghcr.io/home-assistant/{arch}-homeassistant
shadow_repository: ghcr.io/home-assistant
build_from: build_from:
aarch64: ghcr.io/home-assistant/aarch64-homeassistant-base:2023.06.0 aarch64: ghcr.io/home-assistant/aarch64-homeassistant-base:2023.06.1
armhf: ghcr.io/home-assistant/armhf-homeassistant-base:2023.06.0 armhf: ghcr.io/home-assistant/armhf-homeassistant-base:2023.06.1
armv7: ghcr.io/home-assistant/armv7-homeassistant-base:2023.06.0 armv7: ghcr.io/home-assistant/armv7-homeassistant-base:2023.06.1
amd64: ghcr.io/home-assistant/amd64-homeassistant-base:2023.06.0 amd64: ghcr.io/home-assistant/amd64-homeassistant-base:2023.06.1
i386: ghcr.io/home-assistant/i386-homeassistant-base:2023.06.0 i386: ghcr.io/home-assistant/i386-homeassistant-base:2023.06.1
codenotary: codenotary:
signer: notary@home-assistant.io signer: notary@home-assistant.io
base_image: notary@home-assistant.io base_image: notary@home-assistant.io
cosign:
base_identity: https://github.com/home-assistant/docker/.*
identity: https://github.com/home-assistant/core/.*
labels: labels:
io.hass.type: core io.hass.type: core
org.opencontainers.image.title: Home Assistant org.opencontainers.image.title: Home Assistant

6
machine/build.yaml
View file

@ -1,5 +1,4 @@
image: homeassistant/{machine}-homeassistant image: ghcr.io/home-assistant/{machine}-homeassistant
shadow_repository: ghcr.io/home-assistant
build_from: build_from:
aarch64: "ghcr.io/home-assistant/aarch64-homeassistant:" aarch64: "ghcr.io/home-assistant/aarch64-homeassistant:"
armv7: "ghcr.io/home-assistant/armv7-homeassistant:" armv7: "ghcr.io/home-assistant/armv7-homeassistant:"
@ -9,6 +8,9 @@ build_from:
codenotary: codenotary:
signer: notary@home-assistant.io signer: notary@home-assistant.io
base_image: notary@home-assistant.io base_image: notary@home-assistant.io
cosign:
base_identity: https://github.com/home-assistant/core/.*
identity: https://github.com/home-assistant/core/.*
labels: labels:
io.hass.type: core io.hass.type: core
org.opencontainers.image.source: https://github.com/home-assistant/core org.opencontainers.image.source: https://github.com/home-assistant/core