Disable unnecessary parts to test image build

Use native ARM runner for builder action, update to builder 2026.02.1
Since 2026.02.0 the builder has sha-pinning fixed, so we can also get rid of the Zizmor error suppression. Builder changes: * https://github.com/home-assistant/builder/releases/tag/2026.02.0 * https://github.com/home-assistant/builder/releases/tag/2026.02.1
2026-02-26 07:40:21 +00:00 · 2026-02-24 17:18:39 +01:00 · 2026-02-24 16:15:30 +01:00
1 changed files with 298 additions and 281 deletions
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -57,10 +57,10 @@ jobs:
        with:
          type: ${{ env.BUILD_TYPE }}

-      - name: Verify version
-        uses: home-assistant/actions/helpers/verify-version@master # zizmor: ignore[unpinned-uses]
-        with:
-          ignore-dev: true
+      # - name: Verify version
+      #   uses: home-assistant/actions/helpers/verify-version@master # zizmor: ignore[unpinned-uses]
+      #   with:
+      #     ignore-dev: true

      - name: Fail if translations files are checked in
        run: |
@@ -272,7 +272,7 @@ jobs:
    name: Build ${{ matrix.machine }} machine core image
    if: github.repository_owner == 'home-assistant'
    needs: ["init", "build_base"]
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.runs-on }}
    permissions:
      contents: read # To check out the repository
      packages: write # To push to GHCR
@@ -294,6 +294,21 @@ jobs:
          - raspberrypi5-64
          - yellow
          - green
+        include:
+          # Default: aarch64 on native ARM runner
+          - arch: aarch64
+            runs-on: ubuntu-24.04-arm
+          # Overrides for amd64 machines
+          - machine: generic-x86-64
+            arch: amd64
+            runs-on: ubuntu-24.04
+          - machine: qemux86-64
+            arch: amd64
+            runs-on: ubuntu-24.04
+          # TODO: remove, intel-nuc is a legacy name for x86-64, renamed in 2021
+          - machine: intel-nuc
+            arch: amd64
+            runs-on: ubuntu-24.04
    steps:
      - name: Checkout the repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -321,286 +336,288 @@ jobs:
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build base image
-        uses: home-assistant/builder@2025.11.0 # zizmor: ignore[unpinned-uses]
+        uses: home-assistant/builder@6cb4fd3d1338b6e22d0958a4bcb53e0965ea63b4 # 2026.02.1
        with:
+          image: ${{ matrix.arch }}
          args: |
            $BUILD_ARGS \
+            --test \
            --target /data/machine \
            --cosign \
            --machine "${{ needs.init.outputs.version }}=${{ matrix.machine }}"

-  publish_ha:
-    name: Publish version files
-    environment: ${{ needs.init.outputs.channel }}
-    if: github.repository_owner == 'home-assistant'
-    needs: ["init", "build_machine"]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: Checkout the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Initialize git
-        uses: home-assistant/actions/helpers/git-init@master # zizmor: ignore[unpinned-uses]
-        with:
-          name: ${{ secrets.GIT_NAME }}
-          email: ${{ secrets.GIT_EMAIL }}
-          token: ${{ secrets.GIT_TOKEN }}
-
-      - name: Update version file
-        uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
-        with:
-          key: "homeassistant[]"
-          key-description: "Home Assistant Core"
-          version: ${{ needs.init.outputs.version }}
-          channel: ${{ needs.init.outputs.channel }}
-          exclude-list: '["odroid-xu","qemuarm","qemux86","raspberrypi","raspberrypi2","raspberrypi3","raspberrypi4","tinker"]'
-
-      - name: Update version file (stable -> beta)
-        if: needs.init.outputs.channel == 'stable'
-        uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
-        with:
-          key: "homeassistant[]"
-          key-description: "Home Assistant Core"
-          version: ${{ needs.init.outputs.version }}
-          channel: beta
-          exclude-list: '["odroid-xu","qemuarm","qemux86","raspberrypi","raspberrypi2","raspberrypi3","raspberrypi4","tinker"]'
-
-  publish_container:
-    name: Publish meta container for ${{ matrix.registry }}
-    environment: ${{ needs.init.outputs.channel }}
-    if: github.repository_owner == 'home-assistant'
-    needs: ["init", "build_base"]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read # To check out the repository
-      packages: write # To push to GHCR
-      id-token: write # For cosign signing
-    strategy:
-      fail-fast: false
-      matrix:
-        registry: ["ghcr.io/home-assistant", "docker.io/homeassistant"]
-    steps:
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
-        with:
-          cosign-release: "v2.5.3"
-
-      - name: Login to DockerHub
-        if: matrix.registry == 'docker.io/homeassistant'
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Verify architecture image signatures
-        shell: bash
-        env:
-          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
-          VERSION: ${{ needs.init.outputs.version }}
-        run: |
-          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
-          for arch in $ARCHS; do
-            echo "Verifying ${arch} image signature..."
-            cosign verify \
-              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-              --certificate-identity-regexp https://github.com/home-assistant/core/.* \
-              "ghcr.io/home-assistant/${arch}-homeassistant:${VERSION}"
-          done
-          echo "✓ All images verified successfully"
-
-      # Generate all Docker tags based on version string
-      # Version format: YYYY.MM.PATCH, YYYY.MM.PATCHbN (beta), or YYYY.MM.PATCH.devYYYYMMDDHHMM (dev)
-      # Examples:
-      #   2025.12.1     (stable)    -> tags: 2025.12.1, 2025.12, stable, latest, beta, rc
-      #   2025.12.0b3   (beta)      -> tags: 2025.12.0b3, beta, rc
-      #   2025.12.0.dev202511250240 -> tags: 2025.12.0.dev202511250240, dev
-      - name: Generate Docker metadata
-        id: meta
-        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
-        with:
-          images: ${{ matrix.registry }}/home-assistant
-          sep-tags: ","
-          tags: |
-            type=raw,value=${{ needs.init.outputs.version }},priority=9999
-            type=raw,value=dev,enable=${{ contains(needs.init.outputs.version, 'd') }}
-            type=raw,value=beta,enable=${{ !contains(needs.init.outputs.version, 'd') }}
-            type=raw,value=rc,enable=${{ !contains(needs.init.outputs.version, 'd') }}
-            type=raw,value=stable,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
-            type=raw,value=latest,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
-            type=semver,pattern={{major}}.{{minor}},value=${{ needs.init.outputs.version }},enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.7.1
-
-      - name: Copy architecture images to DockerHub
-        if: matrix.registry == 'docker.io/homeassistant'
-        shell: bash
-        env:
-          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
-          VERSION: ${{ needs.init.outputs.version }}
-        run: |
-          # Use imagetools to copy image blobs directly between registries
-          # This preserves provenance/attestations and seems to be much faster than pull/push
-          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
-          for arch in $ARCHS; do
-            echo "Copying ${arch} image to DockerHub..."
-            for attempt in 1 2 3; do
-              if docker buildx imagetools create \
-                --tag "docker.io/homeassistant/${arch}-homeassistant:${VERSION}" \
-                "ghcr.io/home-assistant/${arch}-homeassistant:${VERSION}"; then
-                break
-              fi
-              echo "Attempt ${attempt} failed, retrying in 10 seconds..."
-              sleep 10
-              if [ "${attempt}" -eq 3 ]; then
-                echo "Failed after 3 attempts"
-                exit 1
-              fi
-            done
-            cosign sign --yes "docker.io/homeassistant/${arch}-homeassistant:${VERSION}"
-          done
-
-      - name: Create and push multi-arch manifests
-        shell: bash
-        env:
-          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
-          REGISTRY: ${{ matrix.registry }}
-          VERSION: ${{ needs.init.outputs.version }}
-          META_TAGS: ${{ steps.meta.outputs.tags }}
-        run: |
-          # Build list of architecture images dynamically
-          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
-          ARCH_IMAGES=()
-          for arch in $ARCHS; do
-            ARCH_IMAGES+=("${REGISTRY}/${arch}-homeassistant:${VERSION}")
-          done
-
-          # Build list of all tags for single manifest creation
-          # Note: Using sep-tags=',' in metadata-action for easier parsing
-          TAG_ARGS=()
-          IFS=',' read -ra TAGS <<< "${META_TAGS}"
-          for tag in "${TAGS[@]}"; do
-            TAG_ARGS+=("--tag" "${tag}")
-          done
-
-          # Create manifest with ALL tags in a single operation (much faster!)
-          echo "Creating multi-arch manifest with tags: ${TAGS[*]}"
-          docker buildx imagetools create "${TAG_ARGS[@]}" "${ARCH_IMAGES[@]}"
-
-          # Sign each tag separately (signing requires individual tag names)
-          echo "Signing all tags..."
-          for tag in "${TAGS[@]}"; do
-            echo "Signing ${tag}"
-            cosign sign --yes "${tag}"
-          done
-
-          echo "All manifests created and signed successfully"
-
-  build_python:
-    name: Build PyPi package
-    environment: ${{ needs.init.outputs.channel }}
-    needs: ["init", "build_base"]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read # To check out the repository
-      id-token: write # For PyPI trusted publishing
-    if: github.repository_owner == 'home-assistant' && needs.init.outputs.publish == 'true'
-    steps:
-      - name: Checkout the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Set up Python ${{ env.DEFAULT_PYTHON }}
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version: ${{ env.DEFAULT_PYTHON }}
-
-      - name: Download translations
-        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
-        with:
-          name: translations
-
-      - name: Extract translations
-        run: |
-          tar xvf translations.tar.gz
-          rm translations.tar.gz
-
-      - name: Build package
-        shell: bash
-        run: |
-          # Remove dist, build, and homeassistant.egg-info
-          # when build locally for testing!
-          pip install build
-          python -m build
-
-      - name: Upload package to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
-        with:
-          skip-existing: true
-
-  hassfest-image:
-    name: Build and test hassfest image
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read # To check out the repository
-      packages: write # To push to GHCR
-      attestations: write # For build provenance attestation
-      id-token: write # For build provenance attestation
-    needs: ["init"]
-    if: github.repository_owner == 'home-assistant'
-    env:
-      HASSFEST_IMAGE_NAME: ghcr.io/home-assistant/hassfest
-      HASSFEST_IMAGE_TAG: ghcr.io/home-assistant/hassfest:${{ needs.init.outputs.version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build Docker image
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
-        with:
-          context: . # So action will not pull the repository again
-          file: ./script/hassfest/docker/Dockerfile
-          load: true
-          tags: ${{ env.HASSFEST_IMAGE_TAG }}
-
-      - name: Run hassfest against core
-        run: docker run --rm -v "${GITHUB_WORKSPACE}":/github/workspace "${HASSFEST_IMAGE_TAG}" --core-path=/github/workspace
-
-      - name: Push Docker image
-        if: needs.init.outputs.channel != 'dev' && needs.init.outputs.publish == 'true'
-        id: push
-        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
-        with:
-          context: . # So action will not pull the repository again
-          file: ./script/hassfest/docker/Dockerfile
-          push: true
-          tags: ${{ env.HASSFEST_IMAGE_TAG }},${{ env.HASSFEST_IMAGE_NAME }}:latest
-
-      - name: Generate artifact attestation
-        if: needs.init.outputs.channel != 'dev' && needs.init.outputs.publish == 'true'
-        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
-        with:
-          subject-name: ${{ env.HASSFEST_IMAGE_NAME }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+#  publish_ha:
+#    name: Publish version files
+#    environment: ${{ needs.init.outputs.channel }}
+#    if: github.repository_owner == 'home-assistant'
+#    needs: ["init", "build_machine"]
+#    runs-on: ubuntu-latest
+#    permissions:
+#      contents: read
+#    steps:
+#      - name: Checkout the repository
+#        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+#        with:
+#          persist-credentials: false
+#
+#      - name: Initialize git
+#        uses: home-assistant/actions/helpers/git-init@master # zizmor: ignore[unpinned-uses]
+#        with:
+#          name: ${{ secrets.GIT_NAME }}
+#          email: ${{ secrets.GIT_EMAIL }}
+#          token: ${{ secrets.GIT_TOKEN }}
+#
+#      - name: Update version file
+#        uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
+#        with:
+#          key: "homeassistant[]"
+#          key-description: "Home Assistant Core"
+#          version: ${{ needs.init.outputs.version }}
+#          channel: ${{ needs.init.outputs.channel }}
+#          exclude-list: '["odroid-xu","qemuarm","qemux86","raspberrypi","raspberrypi2","raspberrypi3","raspberrypi4","tinker"]'
+#
+#      - name: Update version file (stable -> beta)
+#        if: needs.init.outputs.channel == 'stable'
+#        uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
+#        with:
+#          key: "homeassistant[]"
+#          key-description: "Home Assistant Core"
+#          version: ${{ needs.init.outputs.version }}
+#          channel: beta
+#          exclude-list: '["odroid-xu","qemuarm","qemux86","raspberrypi","raspberrypi2","raspberrypi3","raspberrypi4","tinker"]'
+#
+#  publish_container:
+#    name: Publish meta container for ${{ matrix.registry }}
+#    environment: ${{ needs.init.outputs.channel }}
+#    if: github.repository_owner == 'home-assistant'
+#    needs: ["init", "build_base"]
+#    runs-on: ubuntu-latest
+#    permissions:
+#      contents: read # To check out the repository
+#      packages: write # To push to GHCR
+#      id-token: write # For cosign signing
+#    strategy:
+#      fail-fast: false
+#      matrix:
+#        registry: ["ghcr.io/home-assistant", "docker.io/homeassistant"]
+#    steps:
+#      - name: Install Cosign
+#        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+#        with:
+#          cosign-release: "v2.5.3"
+#
+#      - name: Login to DockerHub
+#        if: matrix.registry == 'docker.io/homeassistant'
+#        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+#        with:
+#          username: ${{ secrets.DOCKERHUB_USERNAME }}
+#          password: ${{ secrets.DOCKERHUB_TOKEN }}
+#
+#      - name: Login to GitHub Container Registry
+#        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+#        with:
+#          registry: ghcr.io
+#          username: ${{ github.repository_owner }}
+#          password: ${{ secrets.GITHUB_TOKEN }}
+#
+#      - name: Verify architecture image signatures
+#        shell: bash
+#        env:
+#          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
+#          VERSION: ${{ needs.init.outputs.version }}
+#        run: |
+#          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
+#          for arch in $ARCHS; do
+#            echo "Verifying ${arch} image signature..."
+#            cosign verify \
+#              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+#              --certificate-identity-regexp https://github.com/home-assistant/core/.* \
+#              "ghcr.io/home-assistant/${arch}-homeassistant:${VERSION}"
+#          done
+#          echo "✓ All images verified successfully"
+#
+#      # Generate all Docker tags based on version string
+#      # Version format: YYYY.MM.PATCH, YYYY.MM.PATCHbN (beta), or YYYY.MM.PATCH.devYYYYMMDDHHMM (dev)
+#      # Examples:
+#      #   2025.12.1     (stable)    -> tags: 2025.12.1, 2025.12, stable, latest, beta, rc
+#      #   2025.12.0b3   (beta)      -> tags: 2025.12.0b3, beta, rc
+#      #   2025.12.0.dev202511250240 -> tags: 2025.12.0.dev202511250240, dev
+#      - name: Generate Docker metadata
+#        id: meta
+#        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
+#        with:
+#          images: ${{ matrix.registry }}/home-assistant
+#          sep-tags: ","
+#          tags: |
+#            type=raw,value=${{ needs.init.outputs.version }},priority=9999
+#            type=raw,value=dev,enable=${{ contains(needs.init.outputs.version, 'd') }}
+#            type=raw,value=beta,enable=${{ !contains(needs.init.outputs.version, 'd') }}
+#            type=raw,value=rc,enable=${{ !contains(needs.init.outputs.version, 'd') }}
+#            type=raw,value=stable,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
+#            type=raw,value=latest,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
+#            type=semver,pattern={{major}}.{{minor}},value=${{ needs.init.outputs.version }},enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
+#
+#      - name: Set up Docker Buildx
+#        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.7.1
+#
+#      - name: Copy architecture images to DockerHub
+#        if: matrix.registry == 'docker.io/homeassistant'
+#        shell: bash
+#        env:
+#          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
+#          VERSION: ${{ needs.init.outputs.version }}
+#        run: |
+#          # Use imagetools to copy image blobs directly between registries
+#          # This preserves provenance/attestations and seems to be much faster than pull/push
+#          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
+#          for arch in $ARCHS; do
+#            echo "Copying ${arch} image to DockerHub..."
+#            for attempt in 1 2 3; do
+#              if docker buildx imagetools create \
+#                --tag "docker.io/homeassistant/${arch}-homeassistant:${VERSION}" \
+#                "ghcr.io/home-assistant/${arch}-homeassistant:${VERSION}"; then
+#                break
+#              fi
+#              echo "Attempt ${attempt} failed, retrying in 10 seconds..."
+#              sleep 10
+#              if [ "${attempt}" -eq 3 ]; then
+#                echo "Failed after 3 attempts"
+#                exit 1
+#              fi
+#            done
+#            cosign sign --yes "docker.io/homeassistant/${arch}-homeassistant:${VERSION}"
+#          done
+#
+#      - name: Create and push multi-arch manifests
+#        shell: bash
+#        env:
+#          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
+#          REGISTRY: ${{ matrix.registry }}
+#          VERSION: ${{ needs.init.outputs.version }}
+#          META_TAGS: ${{ steps.meta.outputs.tags }}
+#        run: |
+#          # Build list of architecture images dynamically
+#          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
+#          ARCH_IMAGES=()
+#          for arch in $ARCHS; do
+#            ARCH_IMAGES+=("${REGISTRY}/${arch}-homeassistant:${VERSION}")
+#          done
+#
+#          # Build list of all tags for single manifest creation
+#          # Note: Using sep-tags=',' in metadata-action for easier parsing
+#          TAG_ARGS=()
+#          IFS=',' read -ra TAGS <<< "${META_TAGS}"
+#          for tag in "${TAGS[@]}"; do
+#            TAG_ARGS+=("--tag" "${tag}")
+#          done
+#
+#          # Create manifest with ALL tags in a single operation (much faster!)
+#          echo "Creating multi-arch manifest with tags: ${TAGS[*]}"
+#          docker buildx imagetools create "${TAG_ARGS[@]}" "${ARCH_IMAGES[@]}"
+#
+#          # Sign each tag separately (signing requires individual tag names)
+#          echo "Signing all tags..."
+#          for tag in "${TAGS[@]}"; do
+#            echo "Signing ${tag}"
+#            cosign sign --yes "${tag}"
+#          done
+#
+#          echo "All manifests created and signed successfully"
+#
+#  build_python:
+#    name: Build PyPi package
+#    environment: ${{ needs.init.outputs.channel }}
+#    needs: ["init", "build_base"]
+#    runs-on: ubuntu-latest
+#    permissions:
+#      contents: read # To check out the repository
+#      id-token: write # For PyPI trusted publishing
+#    if: github.repository_owner == 'home-assistant' && needs.init.outputs.publish == 'true'
+#    steps:
+#      - name: Checkout the repository
+#        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+#        with:
+#          persist-credentials: false
+#
+#      - name: Set up Python ${{ env.DEFAULT_PYTHON }}
+#        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+#        with:
+#          python-version: ${{ env.DEFAULT_PYTHON }}
+#
+#      - name: Download translations
+#        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+#        with:
+#          name: translations
+#
+#      - name: Extract translations
+#        run: |
+#          tar xvf translations.tar.gz
+#          rm translations.tar.gz
+#
+#      - name: Build package
+#        shell: bash
+#        run: |
+#          # Remove dist, build, and homeassistant.egg-info
+#          # when build locally for testing!
+#          pip install build
+#          python -m build
+#
+#      - name: Upload package to PyPI
+#        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+#        with:
+#          skip-existing: true
+#
+#  hassfest-image:
+#    name: Build and test hassfest image
+#    runs-on: ubuntu-latest
+#    permissions:
+#      contents: read # To check out the repository
+#      packages: write # To push to GHCR
+#      attestations: write # For build provenance attestation
+#      id-token: write # For build provenance attestation
+#    needs: ["init"]
+#    if: github.repository_owner == 'home-assistant'
+#    env:
+#      HASSFEST_IMAGE_NAME: ghcr.io/home-assistant/hassfest
+#      HASSFEST_IMAGE_TAG: ghcr.io/home-assistant/hassfest:${{ needs.init.outputs.version }}
+#    steps:
+#      - name: Checkout repository
+#        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+#        with:
+#          persist-credentials: false
+#
+#      - name: Login to GitHub Container Registry
+#        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
+#        with:
+#          registry: ghcr.io
+#          username: ${{ github.repository_owner }}
+#          password: ${{ secrets.GITHUB_TOKEN }}
+#
+#      - name: Build Docker image
+#        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+#        with:
+#          context: . # So action will not pull the repository again
+#          file: ./script/hassfest/docker/Dockerfile
+#          load: true
+#          tags: ${{ env.HASSFEST_IMAGE_TAG }}
+#
+#      - name: Run hassfest against core
+#        run: docker run --rm -v "${GITHUB_WORKSPACE}":/github/workspace "${HASSFEST_IMAGE_TAG}" --core-path=/github/workspace
+#
+#      - name: Push Docker image
+#        if: needs.init.outputs.channel != 'dev' && needs.init.outputs.publish == 'true'
+#        id: push
+#        uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
+#        with:
+#          context: . # So action will not pull the repository again
+#          file: ./script/hassfest/docker/Dockerfile
+#          push: true
+#          tags: ${{ env.HASSFEST_IMAGE_TAG }},${{ env.HASSFEST_IMAGE_NAME }}:latest
+#
+#      - name: Generate artifact attestation
+#        if: needs.init.outputs.channel != 'dev' && needs.init.outputs.publish == 'true'
+#        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+#        with:
+#          subject-name: ${{ env.HASSFEST_IMAGE_NAME }}
+#          subject-digest: ${{ steps.push.outputs.digest }}
+#          push-to-registry: true