diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml
index 9dc6822..11e0d11 100644
--- a/.github/workflows/hadolint.yml
+++ b/.github/workflows/hadolint.yml
@@ -11,5 +11,5 @@ jobs:
 name: lint
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 - uses: brpaz/hadolint-action@v1.5.0
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 1eea209..3133fae 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -18,7 +18,7 @@ jobs:
 architectures: ${{ steps.info.outputs.architectures }}
 steps:
 - name: Checkout the repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 
 - name: Get information
 id: info
@@ -38,14 +38,14 @@ jobs:
 architecture: ${{ fromJson(needs.init.outputs.architectures) }}
 steps:
 - name: Checkout the repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 
 - uses: olegtarasov/get-tag@v2.1
 if: github.event_name == 'release'
 name: Set tag envronment variable
 
 - name: Login to GitHub Container Registry
- uses: docker/login-action@v2.2.0
+ uses: docker/login-action@v3.0.0
 with:
 registry: ghcr.io
 username: ${{ github.repository_owner }}
@@ -59,5 +59,3 @@ jobs:
 --target /data \
 --cosign \
 --generic $GIT_TAG_NAME
- env:
- CAS_API_KEY: ${{ secrets.CAS_TOKEN }}
diff --git a/.github/workflows/release-drafter.yml b/.github/workflows/release-drafter.yml
index 6bd0d98..5188fec 100644
--- a/.github/workflows/release-drafter.yml
+++ b/.github/workflows/release-drafter.yml
@@ -11,7 +11,7 @@ jobs:
 name: Release Drafter
 steps:
 - name: Checkout the repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 with:
 fetch-depth: 0
 
diff --git a/.github/workflows/shellcheck.yml b/.github/workflows/shellcheck.yml
index bd73d6f..d868881 100644
--- a/.github/workflows/shellcheck.yml
+++ b/.github/workflows/shellcheck.yml
@@ -11,6 +11,6 @@ jobs:
 name: Shellcheck
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v3
+ - uses: actions/checkout@v4
 - name: Run ShellCheck
 uses: ludeeus/action-shellcheck@master
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index f8379ba..3dcdcce 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -11,7 +11,7 @@ jobs:
 architectures: ${{ steps.info.outputs.architectures }}
 steps:
 - name: Checkout the repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 
 - name: Get information
 id: info
@@ -27,7 +27,7 @@ jobs:
 architecture: ${{ fromJson(needs.init.outputs.architectures) }}
 steps:
 - name: Checkout the repository
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
 
 - name: Build the builder
 uses: home-assistant/builder@master
diff --git a/Dockerfile b/Dockerfile
index 444c8ba..1736a2a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,6 @@ FROM $BUILD_FROM
 
 ARG \
 BUILD_ARCH \
- CAS_VERSION \
 YQ_VERSION \
 COSIGN_VERSION
 
@@ -14,15 +13,7 @@ RUN \
 docker \
 docker-cli-buildx \
 coreutils \
- && apk add --no-cache --virtual .build-dependencies \
- build-base \
- go \
 \
- && git clone -b v${CAS_VERSION} --depth 1 \
- https://github.com/codenotary/cas \
- && cd cas \
- && make cas \
- && mv cas /usr/bin/cas \
 && if [ "${BUILD_ARCH}" = "armhf" ] || [ "${BUILD_ARCH}" = "armv7" ]; then \
 wget -q -O /usr/bin/yq "https://github.com/mikefarah/yq/releases/download/${YQ_VERSION}/yq_linux_arm"; \
 wget -q -O /usr/bin/cosign "https://github.com/home-assistant/cosign/releases/download/${COSIGN_VERSION}/cosign_armhf"; \
@@ -39,11 +30,7 @@ RUN \
 exit 1; \
 fi \
 && chmod +x /usr/bin/yq \
- && chmod +x /usr/bin/cosign \
- \
- && apk del .build-dependencies \
- && rm -rf /root/go /root/.cache \
- && rm -rf /usr/src/cas
+ && chmod +x /usr/bin/cosign
 
 COPY builder.sh /usr/bin/
 
diff --git a/README.md b/README.md
index 82b106b..8267e86 100644
--- a/README.md
+++ b/README.md
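Review bot: With the cas toolchain removed, cosign is the only tool left that vouches for base images, yet the RUN in the `@@ -14,15 +13,7 @@` hunk still fetches it (and yq) with `wget -q -O` straight into /usr/bin and never checks what arrived, so a substituted release asset would be installed silently. coreutils is already in the apk list of this hunk, so a digest check is cheap: carry an expected digest per architecture next to COSIGN_VERSION and verify right after the download, e.g. `echo "<EXPECTED_SHA256>  /usr/bin/cosign" | sha256sum -c -` (placeholder digest; the same applies to yq). The lone ` \` continuation line left between `coreutils \` and `&& if ...` only separated the removed build-dependency block and is now an empty continuation; drop it. The RUN instruction begins before this hunk and continues into the next one.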
@@ -165,19 +165,19 @@ Options:
 amd64:
 
 ```bash
-docker pull homeassistant/amd64-builder
+docker pull ghcr.io/home-assistant/amd64-builder:latest
 ```
 
-armv7/armhf:
+armv7:
 
 ```bash
-docker pull homeassistant/armv7-builder
+docker pull ghcr.io/home-assistant/armv7-builder:latest
 ```
 
 aarch64:
 
 ```bash
-docker pull homeassistant/aarch64-builder
+docker pull ghcr.io/home-assistant/aarch64-builder:latest
 ```
 
 ## Run
@@ -189,7 +189,7 @@ docker run \
 --rm \
 --privileged \
 -v ~/.docker:/root/.docker \
- homeassistant/amd64-builder \
+ ghcr.io/home-assistant/amd64-builder:latest \
 --all \
 -t addon-folder \
 -r https://github.com/xy/addons \
@@ -204,7 +204,7 @@ docker run \
 --privileged \
 -v ~/.docker:/root/.docker \
 -v /my_addon:/data \
- homeassistant/amd64-builder \
+ ghcr.io/home-assistant/amd64-builder:latest \
 --all \
 -t /data
 ```
@@ -220,13 +220,36 @@ docker run \
 -v ~/.docker:/root/.docker \
 -v /var/run/docker.sock:/var/run/docker.sock:ro \
 -v /my_addon:/data \
- homeassistant/amd64-builder \
+ ghcr.io/home-assistant/amd64-builder:latest \
 --all \
 -t /data
 ```
 
+### Using shell alias
+
+On Linux, it can be helpful to use a shell alias to run the builder from the
+current directory. E.g. by adding the following function to your `~/.bashrc`:
+
+```
+function builder() {
+ docker run \
+ --rm \
+ -it \
+ --privileged \
+ -v ${PWD}:/data \
+ -v /var/run/docker.sock:/var/run/docker.sock:ro \
+ ghcr.io/home-assistant/amd64-builder:latest --target /data $@
+}
+```
+
+This allows to build add-ons e.g. for a single architecture as follow:
+```
+$ cd /path/to/your/add-on
+$ builder --amd64 --docker-hub agners
+```
+
 ## Help
 
 ```bash
-docker run --rm --privileged homeassistant/amd64-builder --help
+docker run --rm --privileged ghcr.io/home-assistant/amd64-builder:latest --help
 ```
diff --git a/action.yml b/action.yml
index 8afbb71..27f5d04 100644
--- a/action.yml
+++ b/action.yml
@@ -9,7 +9,7 @@ runs:
 using: "composite"
 steps:
 - name: Install Cosign
- uses: sigstore/cosign-installer@v3.1.1
+ uses: sigstore/cosign-installer@v3.2.0
 with:
 cosign-release: "v2.0.2"
 
diff --git a/build.yaml b/build.yaml
index 594cb11..cb94b3a 100644
--- a/build.yaml
+++ b/build.yaml
@@ -5,14 +5,10 @@ build_from:
 armhf: "ghcr.io/home-assistant/armhf-base:3.18"
 amd64: "ghcr.io/home-assistant/amd64-base:3.18"
 i386: "ghcr.io/home-assistant/i386-base:3.18"
-codenotary:
- signer: notary@home-assistant.io
- base_image: notary@home-assistant.io
 cosign:
 base_identity: https://github.com/home-assistant/docker-base/.*
 identity: https://github.com/home-assistant/builder/.*
 args:
- CAS_VERSION: "1.0.1"
 YQ_VERSION: "v4.13.2"
 COSIGN_VERSION: "2.0.2"
 labels:
diff --git a/builder.sh b/builder.sh
index de02c42..33ab45b 100755
--- a/builder.sh
+++ b/builder.sh
@@ -53,6 +53,7 @@ declare -A BUILD_MACHINE=(
 [raspberrypi3-64]="aarch64" \
 [raspberrypi4]="armv7" \
 [raspberrypi4-64]="aarch64" \
+ [raspberrypi5-64]="aarch64" \
 [yellow]="aarch64" \
 [green]="aarch64" \
 [tinker]="armv7" )
@@ -226,7 +227,6 @@ function run_build() {
 local cosign_base_issuer=
 local cosign_identity=
 local cosign_issuer=
- local codenotary_sign=
 
 # Overwrites
 if bashio::var.has_value "${DOCKER_HUB}"; then repository="${DOCKER_HUB@L}"; fi
@@ -253,9 +253,6 @@ function run_build() {
 cosign_base_issuer="$(jq --raw-output '.cosign.base_issuer // "https://token.actions.githubusercontent.com"' "/tmp/build_config/build.json")"
 cosign_identity="$(jq --raw-output '.cosign.identity // empty' "/tmp/build_config/build.json")"
 cosign_issuer="$(jq --raw-output '.cosign.issuer // "https://token.actions.githubusercontent.com"' "/tmp/build_config/build.json")"
-
- # remove later
- codenotary_sign="$(jq --raw-output '.codenotary.signer // empty' "/tmp/build_config/build.json")"
 fi
 
 # Adjust Qemu CPU
@@ -365,9 +362,6 @@ function run_build() {
 push_images+=("${shadow_repository}/${image}:${version}")
 fi
 
- # Singing image (cas)
- codenotary_sign "${codenotary_sign}" "${repository}/${image}:${version}"
-
 # Push images
 if bashio::var.true "${DOCKER_PUSH}"; then
 for i in "${push_images[@]}"; do
@@ -581,7 +575,6 @@ function build_generic() {
 local shadow_repository=
 local raw_image=
 local args=
- local codenotary_sign=
 local docker_cli=()
 local docker_tags=()
 
@@ -592,7 +585,6 @@ function build_generic() {
 labels="$(jq --raw-output '.labels // empty | keys[]' "/tmp/build_config/build.json")"
 raw_image="$(jq --raw-output '.image // empty' "/tmp/build_config/build.json")"
 shadow_repository="$(jq --raw-output '.shadow_repository // empty' "/tmp/build_config/build.json")"
- codenotary_sign="$(jq --raw-output '.codenotary.signer // empty' "/tmp/build_config/build.json")"
 fi
 
 # Set defaults build things
@@ -730,48 +722,6 @@ function init_crosscompile() {
 > /dev/null 2>&1 || bashio::log.warning "Can't enable crosscompiling feature"
 }
 
-#### Security CodeNotary ####
-
-function codenotary_setup() {
- if bashio::var.false "${DOCKER_PUSH}" || bashio::var.is_empty "${CAS_API_KEY+x}"; then
- return 0
- fi
-
- for j in {1..15}; do
- if cas login > /dev/null 2>&1; then
- return 0
- fi
- sleep $((5 * j))
- done
-
- bashio::exit.nok "Login to Codenotary fails!"
-}
-
-function codenotary_sign() {
- local trust=$1
- local image=$2
-
- local success=false
-
- if bashio::var.false "${DOCKER_PUSH}" || bashio::var.is_empty "${CAS_API_KEY+x}"; then
- return 0
- fi
-
- for j in {1..15}; do
- if ! cas authenticate --signerID "${trust}" --silent "docker://${image}"; then
- cas notarize --ci-attr "docker://${image}" || true
- else
- success=true
- break
- fi
- sleep $((5 * j))
- done
-
- if bashio::var.false "${success}"; then
- bashio::exit.nok "Failed to sign the image (cas)"
- fi
- bashio::log.info "Signed ${image} with ${trust} (cas)"
-}
 
 #### Security cosign ####
 
@@ -793,9 +743,9 @@ function cosign_sign() {
 done
 
 if bashio::var.false "${success}"; then
- bashio::exit.nok "Failed to sign the image (cosign)"
+ bashio::exit.nok "Failed to sign the image with cosign"
 fi
- bashio::log.info "Signed ${image} with ${trust} (cosign)"
+ bashio::log.info "Signed ${image} with cosign"
 }
 
 function cosign_verify() {
@@ -809,7 +759,7 @@ function cosign_verify() {
 
 # Support scratch image
 if [ "$image" == "scratch" ]; then
- bashio::log.info "Scratch image, skiping validation (cosign)"
+ bashio::log.info "Scratch image, skiping validation with cosign"
 return 0
 fi
 
@@ -834,13 +784,13 @@ function cosign_verify() {
 done
 
 if bashio::var.false "${success}"; then
- bashio::log.warning "Validation of ${image} fails (cosign)!"
+ bashio::log.warning "Validation of ${image} fails with cosign!"
 if bashio::var.true "${pull}"; then
 docker rmi "${image}" > /dev/null 2>&1 || true
 fi
 return 1
 fi
- bashio::log.info "Image ${image} is trusted (cosign)"
+ bashio::log.info "Image ${image} is trusted by cosign"
 }
 
 
@@ -1002,11 +952,10 @@ convert_to_json
 # Copy configuration files to tmp
 copy_config_tmp
 
-# Login into dockerhub & setup CodeNotary
+# Login into dockerhub
 if [ -n "$DOCKER_USER" ] && [ -n "$DOCKER_PASSWORD" ]; then
 docker login -u "$DOCKER_USER" -p "$DOCKER_PASSWORD"
 fi
-codenotary_setup
 
 # Select arch build
 if [ "${#BUILD_LIST[@]}" -ne 0 ]; then
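Review bot: The rewritten success line `bashio::log.info "Signed ${image} with cosign"` drops `${trust}`, so the build log no longer records which identity the signature was produced with; that is the one detail someone auditing a published image later wants from the log. If `trust` is still cosign_sign's parameter (its declaration is above this hunk) keep it in the message, e.g. `bashio::log.info "Signed ${image} with cosign as ${trust}"`; if the commit means to retire `trust`, the now-unused parameter should go with it. cosign_sign begins outside this hunk.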
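Review bot: The changed line in the `@@ -809,7 +759,7 @@` hunk carries the old typo forward; since it is being rewritten anyway, make it `bashio::log.info "Scratch image, skipping validation with cosign"` so that a log search for "skipping" finds the case where verification was deliberately bypassed. cosign_verify begins and ends outside this hunk.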
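Review bot: In the `@@ -1002,11 +952,10 @@` hunk, `docker login -u "$DOCKER_USER" -p "$DOCKER_PASSWORD"` still hands the registry password over as a command-line argument, where it is readable by any process that can list the runner's process table and triggers docker's own warning about insecure use of `-p`. Since the login block is being edited here, switch it to `printf '%s' "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USER" --password-stdin`. The surrounding top-level script continues on both sides of the hunk.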