add version back

.github/workflows/builder.yml

@@ -35,6 +35,7 @@ jobs:
       channel: ${{ steps.version.outputs.channel }}
       publish: ${{ steps.version.outputs.publish }}
       architectures: ${{ env.ARCHITECTURES }}
+      translation_download_process: ${{ steps.translations.outputs.translation_download_process }}
       base_image_version: ${{ env.BASE_IMAGE_VERSION }}
     steps:
       - name: Checkout the repository
@@ -47,6 +48,26 @@ jobs:
         with:
           python-version-file: ".python-version"
 
+      - name: Fail if translations files are checked in
+        run: |
+          if [ -n "$(find homeassistant/components/*/translations -type f)" ]; then
+              echo "Translations files are checked in, please remove the following files:"
+              find homeassistant/components/*/translations -type f
+              exit 1
+          fi
+
+      - name: Start translation download
+        id: translations
+        shell: bash
+        env:
+          LOKALISE_TOKEN: ${{ secrets.LOKALISE_TOKEN }} # zizmor: ignore[secrets-outside-env]
+        run: |
+          pip install -r script/translations/requirements.txt
+          PROCESS_OUTPUT=$(python3 -m script.translations download --async-start)
+          echo "$PROCESS_OUTPUT"
+          TRANSLATION_DOWNLOAD_PROCESS=$(echo "$PROCESS_OUTPUT" | sed -n 's/.*Process ID: //p')
+          echo "translation_download_process=$TRANSLATION_DOWNLOAD_PROCESS" >> "$GITHUB_OUTPUT"
+
       - name: Get information
         id: info
         uses: home-assistant/actions/helpers/info@master # zizmor: ignore[unpinned-uses]
@@ -57,34 +78,10 @@ jobs:
         with:
           type: ${{ env.BUILD_TYPE }}
 
-      - name: Verify version
-        uses: home-assistant/actions/helpers/verify-version@master # zizmor: ignore[unpinned-uses]
-        with:
-          ignore-dev: true
-
-      - name: Fail if translations files are checked in
-        run: |
-          if [ -n "$(find homeassistant/components/*/translations -type f)" ]; then
-              echo "Translations files are checked in, please remove the following files:"
-              find homeassistant/components/*/translations -type f
-              exit 1
-          fi
-
-      - name: Download Translations
-        run: python3 -m script.translations download
-        env:
-          LOKALISE_TOKEN: ${{ secrets.LOKALISE_TOKEN }} # zizmor: ignore[secrets-outside-env]
-
-      - name: Archive translations
-        shell: bash
-        run: find ./homeassistant/components/*/translations -name "*.json" | tar zcvf translations.tar.gz -T -
-
-      - name: Upload translations
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
-        with:
-          name: translations
-          path: translations.tar.gz
-          if-no-files-found: error
+      # - name: Verify version
+      #   uses: home-assistant/actions/helpers/verify-version@master # zizmor: ignore[unpinned-uses]
+      #   with:
+      #     ignore-dev: true
 
   build_base:
     name: Build ${{ matrix.arch }} base core image
@@ -133,7 +130,6 @@ jobs:
           name: package
 
       - name: Set up Python
-        if: needs.init.outputs.channel == 'dev'
         uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
         with:
           python-version-file: ".python-version"
@@ -181,23 +177,13 @@ jobs:
             sed -i "s|home-assistant-intents==.*||" requirements_all.txt requirements.txt
           fi
 
-      - name: Download translations
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: translations
-
-      - name: Extract translations
-        run: |
-          tar xvf translations.tar.gz
-          rm translations.tar.gz
-
       - name: Write meta info file
         shell: bash
         run: |
           echo "${GITHUB_SHA};${GITHUB_REF};${GITHUB_EVENT_NAME};${GITHUB_ACTOR}" > rootfs/OFFICIAL_IMAGE
 
-      - name: Build base image
-        uses: home-assistant/builder/actions/build-image@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
+      - name: Build base image (deps stage only)
+        uses: edenhaus/builder/actions/build-image@edenhaus-target-support
         with:
           arch: ${{ matrix.arch }}
           build-args: |
@@ -207,357 +193,382 @@ jobs:
           cosign-base-identity: "https://github.com/home-assistant/docker/.*"
           cosign-base-verify: ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant-base:${{ needs.init.outputs.base_image_version }}
           image: ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant
-          image-tags: ${{ needs.init.outputs.version }}
-          push: true
+          image-tags: base-intermediate
+          push: false
+          load: true
           version: ${{ needs.init.outputs.version }}
 
-  build_machine:
-    name: Build ${{ matrix.machine }} machine core image
-    if: github.repository_owner == 'home-assistant'
-    needs: ["init", "build_base"]
-    runs-on: ${{ matrix.runs-on }}
-    permissions:
-      contents: read # To check out the repository
-      packages: write # To push to GHCR
-      id-token: write # For cosign signing
-    strategy:
-      matrix:
-        machine:
-          - generic-x86-64
-          - khadas-vim3
-          - odroid-c2
-          - odroid-c4
-          - odroid-m1
-          - odroid-n2
-          - qemuarm-64
-          - qemux86-64
-          - raspberrypi3-64
-          - raspberrypi4-64
-          - raspberrypi5-64
-          - yellow
-          - green
-        include:
-          # Default: aarch64 on native ARM runner
-          - arch: aarch64
-            runs-on: ubuntu-24.04-arm
-          # Overrides for amd64 machines
-          - machine: generic-x86-64
-            arch: amd64
-            runs-on: ubuntu-24.04
-          - machine: qemux86-64
-            arch: amd64
-            runs-on: ubuntu-24.04
-    steps:
-      - name: Checkout the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Compute extra tags
-        id: tags
+      - name: Download translations
         shell: bash
         env:
-          VERSION: ${{ needs.init.outputs.version }}
+          LOKALISE_TOKEN: ${{ secrets.LOKALISE_TOKEN }} # zizmor: ignore[secrets-outside-env]
+          TRANSLATION_PROCESS_ID: ${{ needs.init.outputs.translation_download_process }}
         run: |
-          if [[ "${VERSION}" =~ d ]]; then
-            echo "extra_tags=dev" >> "$GITHUB_OUTPUT"
-          elif [[ "${VERSION}" =~ b ]]; then
-            echo "extra_tags=beta" >> "$GITHUB_OUTPUT"
-          else
-            echo "extra_tags=stable" >> "$GITHUB_OUTPUT"
-          fi
+          pip install -r script/translations/requirements.txt
+          python3 -u -m script.translations download --process-id "$TRANSLATION_PROCESS_ID" --output-dir build/translations-output
 
-      - name: Build machine image
-        uses: home-assistant/builder/actions/build-image@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
+      - name: Build translations image
+        uses: edenhaus/builder/actions/build-image@edenhaus-target-support
         with:
           arch: ${{ matrix.arch }}
           build-args: |
-            BUILD_FROM=ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant:${{ needs.init.outputs.version }}
+            BUILD_FROM=ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant:base-intermediate
           cache-gha: false
           container-registry-password: ${{ secrets.GITHUB_TOKEN }}
-          context: machine/
-          cosign-base-identity: "https://github.com/home-assistant/core/.*"
-          cosign-base-verify: ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant:${{ needs.init.outputs.version }}
-          file: machine/${{ matrix.machine }}
-          image: ghcr.io/home-assistant/${{ matrix.machine }}-homeassistant
-          image-tags: |
-            ${{ needs.init.outputs.version }}
-            ${{ steps.tags.outputs.extra_tags }}
+          context: build/translations-output
+          file: Dockerfile.translations
+          image: ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant
+          image-tags: ${{ needs.init.outputs.version }}
           push: true
           version: ${{ needs.init.outputs.version }}
+          setup-buildx: false
 
-  publish_ha:
-    name: Publish version files
-    environment: ${{ needs.init.outputs.channel }}
-    if: github.repository_owner == 'home-assistant'
-    needs: ["init", "build_machine"]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: Checkout the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+  # build_machine:
+  #   name: Build ${{ matrix.machine }} machine core image
+  #   if: github.repository_owner == 'home-assistant'
+  #   needs: ["init", "build_base"]
+  #   runs-on: ${{ matrix.runs-on }}
+  #   permissions:
+  #     contents: read # To check out the repository
+  #     packages: write # To push to GHCR
+  #     id-token: write # For cosign signing
+  #   strategy:
+  #     matrix:
+  #       machine:
+  #         - generic-x86-64
+  #         - khadas-vim3
+  #         - odroid-c2
+  #         - odroid-c4
+  #         - odroid-m1
+  #         - odroid-n2
+  #         - qemuarm-64
+  #         - qemux86-64
+  #         - raspberrypi3-64
+  #         - raspberrypi4-64
+  #         - raspberrypi5-64
+  #         - yellow
+  #         - green
+  #       include:
+  #         # Default: aarch64 on native ARM runner
+  #         - arch: aarch64
+  #           runs-on: ubuntu-24.04-arm
+  #         # Overrides for amd64 machines
+  #         - machine: generic-x86-64
+  #           arch: amd64
+  #           runs-on: ubuntu-24.04
+  #         - machine: qemux86-64
+  #           arch: amd64
+  #           runs-on: ubuntu-24.04
+  #   steps:
+  #     - name: Checkout the repository
+  #       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+  #       with:
+  #         persist-credentials: false
 
-      - name: Initialize git
-        uses: home-assistant/actions/helpers/git-init@master # zizmor: ignore[unpinned-uses]
-        with:
-          name: ${{ secrets.GIT_NAME }}
-          email: ${{ secrets.GIT_EMAIL }}
-          token: ${{ secrets.GIT_TOKEN }}
+  #     - name: Compute extra tags
+  #       id: tags
+  #       shell: bash
+  #       env:
+  #         VERSION: ${{ needs.init.outputs.version }}
+  #       run: |
+  #         if [[ "${VERSION}" =~ d ]]; then
+  #           echo "extra_tags=dev" >> "$GITHUB_OUTPUT"
+  #         elif [[ "${VERSION}" =~ b ]]; then
+  #           echo "extra_tags=beta" >> "$GITHUB_OUTPUT"
+  #         else
+  #           echo "extra_tags=stable" >> "$GITHUB_OUTPUT"
+  #         fi
 
-      - name: Update version file
-        uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
-        with:
-          key: "homeassistant[]"
-          key-description: "Home Assistant Core"
-          version: ${{ needs.init.outputs.version }}
-          channel: ${{ needs.init.outputs.channel }}
-          exclude-list: '["odroid-xu","qemuarm","qemux86","raspberrypi","raspberrypi2","raspberrypi3","raspberrypi4","tinker"]'
+  #     - name: Build machine image
+  #       uses: home-assistant/builder/actions/build-image@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
+  #       with:
+  #         arch: ${{ matrix.arch }}
+  #         build-args: |
+  #           BUILD_FROM=ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant:${{ needs.init.outputs.version }}
+  #         cache-gha: false
+  #         container-registry-password: ${{ secrets.GITHUB_TOKEN }}
+  #         context: machine/
+  #         cosign-base-identity: "https://github.com/home-assistant/core/.*"
+  #         cosign-base-verify: ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant:${{ needs.init.outputs.version }}
+  #         file: machine/${{ matrix.machine }}
+  #         image: ghcr.io/home-assistant/${{ matrix.machine }}-homeassistant
+  #         image-tags: |
+  #           ${{ needs.init.outputs.version }}
+  #           ${{ steps.tags.outputs.extra_tags }}
+  #         push: true
+  #         version: ${{ needs.init.outputs.version }}
 
-      - name: Update version file (stable -> beta)
-        if: needs.init.outputs.channel == 'stable'
-        uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
-        with:
-          key: "homeassistant[]"
-          key-description: "Home Assistant Core"
-          version: ${{ needs.init.outputs.version }}
-          channel: beta
-          exclude-list: '["odroid-xu","qemuarm","qemux86","raspberrypi","raspberrypi2","raspberrypi3","raspberrypi4","tinker"]'
+  # publish_ha:
+  #   name: Publish version files
+  #   environment: ${{ needs.init.outputs.channel }}
+  #   if: github.repository_owner == 'home-assistant'
+  #   needs: ["init", "build_machine"]
+  #   runs-on: ubuntu-latest
+  #   permissions:
+  #     contents: read
+  #   steps:
+  #     - name: Checkout the repository
+  #       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+  #       with:
+  #         persist-credentials: false
 
-  publish_container:
-    name: Publish meta container for ${{ matrix.registry }}
-    environment: ${{ needs.init.outputs.channel }}
-    if: github.repository_owner == 'home-assistant'
-    needs: ["init", "build_base"]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read # To check out the repository
-      packages: write # To push to GHCR
-      id-token: write # For cosign signing
-    strategy:
-      fail-fast: false
-      matrix:
-        registry: ["ghcr.io/home-assistant", "docker.io/homeassistant"]
-    steps:
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
-        with:
-          cosign-release: "v2.5.3"
+  #     - name: Initialize git
+  #       uses: home-assistant/actions/helpers/git-init@master # zizmor: ignore[unpinned-uses]
+  #       with:
+  #         name: ${{ secrets.GIT_NAME }}
+  #         email: ${{ secrets.GIT_EMAIL }}
+  #         token: ${{ secrets.GIT_TOKEN }}
 
-      - name: Login to DockerHub
-        if: matrix.registry == 'docker.io/homeassistant'
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+  #     - name: Update version file
+  #       uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
+  #       with:
+  #         key: "homeassistant[]"
+  #         key-description: "Home Assistant Core"
+  #         version: ${{ needs.init.outputs.version }}
+  #         channel: ${{ needs.init.outputs.channel }}
+  #         exclude-list: '["odroid-xu","qemuarm","qemux86","raspberrypi","raspberrypi2","raspberrypi3","raspberrypi4","tinker"]'
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+  #     - name: Update version file (stable -> beta)
+  #       if: needs.init.outputs.channel == 'stable'
+  #       uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
+  #       with:
+  #         key: "homeassistant[]"
+  #         key-description: "Home Assistant Core"
+  #         version: ${{ needs.init.outputs.version }}
+  #         channel: beta
+  #         exclude-list: '["odroid-xu","qemuarm","qemux86","raspberrypi","raspberrypi2","raspberrypi3","raspberrypi4","tinker"]'
 
-      - name: Verify architecture image signatures
-        shell: bash
-        env:
-          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
-          VERSION: ${{ needs.init.outputs.version }}
-        run: |
-          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
-          for arch in $ARCHS; do
-            echo "Verifying ${arch} image signature..."
-            cosign verify \
-              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-              --certificate-identity-regexp https://github.com/home-assistant/core/.* \
-              "ghcr.io/home-assistant/${arch}-homeassistant:${VERSION}"
-          done
-          echo "✓ All images verified successfully"
+  # publish_container:
+  #   name: Publish meta container for ${{ matrix.registry }}
+  #   environment: ${{ needs.init.outputs.channel }}
+  #   if: github.repository_owner == 'home-assistant'
+  #   needs: ["init", "build_base"]
+  #   runs-on: ubuntu-latest
+  #   permissions:
+  #     contents: read # To check out the repository
+  #     packages: write # To push to GHCR
+  #     id-token: write # For cosign signing
+  #   strategy:
+  #     fail-fast: false
+  #     matrix:
+  #       registry: ["ghcr.io/home-assistant", "docker.io/homeassistant"]
+  #   steps:
+  #     - name: Install Cosign
+  #       uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
+  #       with:
+  #         cosign-release: "v2.5.3"
 
-      # Generate all Docker tags based on version string
-      # Version format: YYYY.MM.PATCH, YYYY.MM.PATCHbN (beta), or YYYY.MM.PATCH.devYYYYMMDDHHMM (dev)
-      # Examples:
-      #   2025.12.1     (stable)    -> tags: 2025.12.1, 2025.12, stable, latest, beta, rc
-      #   2025.12.0b3   (beta)      -> tags: 2025.12.0b3, beta, rc
-      #   2025.12.0.dev202511250240 -> tags: 2025.12.0.dev202511250240, dev
-      - name: Generate Docker metadata
-        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
-        with:
-          images: ${{ matrix.registry }}/home-assistant
-          sep-tags: ","
-          tags: |
-            type=raw,value=${{ needs.init.outputs.version }},priority=9999
-            type=raw,value=dev,enable=${{ contains(needs.init.outputs.version, 'd') }}
-            type=raw,value=beta,enable=${{ !contains(needs.init.outputs.version, 'd') }}
-            type=raw,value=rc,enable=${{ !contains(needs.init.outputs.version, 'd') }}
-            type=raw,value=stable,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
-            type=raw,value=latest,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
-            type=semver,pattern={{major}}.{{minor}},value=${{ needs.init.outputs.version }},enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
+  #     - name: Login to DockerHub
+  #       if: matrix.registry == 'docker.io/homeassistant'
+  #       uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+  #       with:
+  #         username: ${{ secrets.DOCKERHUB_USERNAME }}
+  #         password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v3.7.1
+  #     - name: Login to GitHub Container Registry
+  #       uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+  #       with:
+  #         registry: ghcr.io
+  #         username: ${{ github.repository_owner }}
+  #         password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Copy architecture images to DockerHub
-        if: matrix.registry == 'docker.io/homeassistant'
-        shell: bash
-        env:
-          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
-          VERSION: ${{ needs.init.outputs.version }}
-        run: |
-          # Use imagetools to copy image blobs directly between registries
-          # This preserves provenance/attestations and seems to be much faster than pull/push
-          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
-          for arch in $ARCHS; do
-            echo "Copying ${arch} image to DockerHub..."
-            for attempt in 1 2 3; do
-              if docker buildx imagetools create \
-                --tag "docker.io/homeassistant/${arch}-homeassistant:${VERSION}" \
-                "ghcr.io/home-assistant/${arch}-homeassistant:${VERSION}"; then
-                break
-              fi
-              echo "Attempt ${attempt} failed, retrying in 10 seconds..."
-              sleep 10
-              if [ "${attempt}" -eq 3 ]; then
-                echo "Failed after 3 attempts"
-                exit 1
-              fi
-            done
-            cosign sign --yes "docker.io/homeassistant/${arch}-homeassistant:${VERSION}"
-          done
+  #     - name: Verify architecture image signatures
+  #       shell: bash
+  #       env:
+  #         ARCHITECTURES: ${{ needs.init.outputs.architectures }}
+  #         VERSION: ${{ needs.init.outputs.version }}
+  #       run: |
+  #         ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
+  #         for arch in $ARCHS; do
+  #           echo "Verifying ${arch} image signature..."
+  #           cosign verify \
+  #             --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+  #             --certificate-identity-regexp https://github.com/home-assistant/core/.* \
+  #             "ghcr.io/home-assistant/${arch}-homeassistant:${VERSION}"
+  #         done
+  #         echo "✓ All images verified successfully"
 
-      - name: Create and push multi-arch manifests
-        shell: bash
-        env:
-          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
-          REGISTRY: ${{ matrix.registry }}
-          VERSION: ${{ needs.init.outputs.version }}
-          META_TAGS: ${{ steps.meta.outputs.tags }}
-        run: |
-          # Build list of architecture images dynamically
-          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
-          ARCH_IMAGES=()
-          for arch in $ARCHS; do
-            ARCH_IMAGES+=("${REGISTRY}/${arch}-homeassistant:${VERSION}")
-          done
+  #     # Generate all Docker tags based on version string
+  #     # Version format: YYYY.MM.PATCH, YYYY.MM.PATCHbN (beta), or YYYY.MM.PATCH.devYYYYMMDDHHMM (dev)
+  #     # Examples:
+  #     #   2025.12.1     (stable)    -> tags: 2025.12.1, 2025.12, stable, latest, beta, rc
+  #     #   2025.12.0b3   (beta)      -> tags: 2025.12.0b3, beta, rc
+  #     #   2025.12.0.dev202511250240 -> tags: 2025.12.0.dev202511250240, dev
+  #     - name: Generate Docker metadata
+  #       id: meta
+  #       uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+  #       with:
+  #         images: ${{ matrix.registry }}/home-assistant
+  #         sep-tags: ","
+  #         tags: |
+  #           type=raw,value=${{ needs.init.outputs.version }},priority=9999
+  #           type=raw,value=dev,enable=${{ contains(needs.init.outputs.version, 'd') }}
+  #           type=raw,value=beta,enable=${{ !contains(needs.init.outputs.version, 'd') }}
+  #           type=raw,value=rc,enable=${{ !contains(needs.init.outputs.version, 'd') }}
+  #           type=raw,value=stable,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
+  #           type=raw,value=latest,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
+  #           type=semver,pattern={{major}}.{{minor}},value=${{ needs.init.outputs.version }},enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
 
-          # Build list of all tags for single manifest creation
-          # Note: Using sep-tags=',' in metadata-action for easier parsing
-          TAG_ARGS=()
-          IFS=',' read -ra TAGS <<< "${META_TAGS}"
-          for tag in "${TAGS[@]}"; do
-            TAG_ARGS+=("--tag" "${tag}")
-          done
+  #     - name: Set up Docker Buildx
+  #       uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v3.7.1
 
-          # Create manifest with ALL tags in a single operation (much faster!)
-          echo "Creating multi-arch manifest with tags: ${TAGS[*]}"
-          docker buildx imagetools create "${TAG_ARGS[@]}" "${ARCH_IMAGES[@]}"
+  #     - name: Copy architecture images to DockerHub
+  #       if: matrix.registry == 'docker.io/homeassistant'
+  #       shell: bash
+  #       env:
+  #         ARCHITECTURES: ${{ needs.init.outputs.architectures }}
+  #         VERSION: ${{ needs.init.outputs.version }}
+  #       run: |
+  #         # Use imagetools to copy image blobs directly between registries
+  #         # This preserves provenance/attestations and seems to be much faster than pull/push
+  #         ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
+  #         for arch in $ARCHS; do
+  #           echo "Copying ${arch} image to DockerHub..."
+  #           for attempt in 1 2 3; do
+  #             if docker buildx imagetools create \
+  #               --tag "docker.io/homeassistant/${arch}-homeassistant:${VERSION}" \
+  #               "ghcr.io/home-assistant/${arch}-homeassistant:${VERSION}"; then
+  #               break
+  #             fi
+  #             echo "Attempt ${attempt} failed, retrying in 10 seconds..."
+  #             sleep 10
+  #             if [ "${attempt}" -eq 3 ]; then
+  #               echo "Failed after 3 attempts"
+  #               exit 1
+  #             fi
+  #           done
+  #           cosign sign --yes "docker.io/homeassistant/${arch}-homeassistant:${VERSION}"
+  #         done
 
-          # Sign each tag separately (signing requires individual tag names)
-          echo "Signing all tags..."
-          for tag in "${TAGS[@]}"; do
-            echo "Signing ${tag}"
-            cosign sign --yes "${tag}"
-          done
+  #     - name: Create and push multi-arch manifests
+  #       shell: bash
+  #       env:
+  #         ARCHITECTURES: ${{ needs.init.outputs.architectures }}
+  #         REGISTRY: ${{ matrix.registry }}
+  #         VERSION: ${{ needs.init.outputs.version }}
+  #         META_TAGS: ${{ steps.meta.outputs.tags }}
+  #       run: |
+  #         # Build list of architecture images dynamically
+  #         ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
+  #         ARCH_IMAGES=()
+  #         for arch in $ARCHS; do
+  #           ARCH_IMAGES+=("${REGISTRY}/${arch}-homeassistant:${VERSION}")
+  #         done
 
-          echo "All manifests created and signed successfully"
+  #         # Build list of all tags for single manifest creation
+  #         # Note: Using sep-tags=',' in metadata-action for easier parsing
+  #         TAG_ARGS=()
+  #         IFS=',' read -ra TAGS <<< "${META_TAGS}"
+  #         for tag in "${TAGS[@]}"; do
+  #           TAG_ARGS+=("--tag" "${tag}")
+  #         done
 
-  build_python:
-    name: Build PyPi package
-    environment: ${{ needs.init.outputs.channel }}
-    needs: ["init", "build_base"]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read # To check out the repository
-      id-token: write # For PyPI trusted publishing
-    if: github.repository_owner == 'home-assistant' && needs.init.outputs.publish == 'true'
-    steps:
-      - name: Checkout the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+  #         # Create manifest with ALL tags in a single operation (much faster!)
+  #         echo "Creating multi-arch manifest with tags: ${TAGS[*]}"
+  #         docker buildx imagetools create "${TAG_ARGS[@]}" "${ARCH_IMAGES[@]}"
 
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version-file: ".python-version"
+  #         # Sign each tag separately (signing requires individual tag names)
+  #         echo "Signing all tags..."
+  #         for tag in "${TAGS[@]}"; do
+  #           echo "Signing ${tag}"
+  #           cosign sign --yes "${tag}"
+  #         done
 
-      - name: Download translations
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: translations
+  #         echo "All manifests created and signed successfully"
 
-      - name: Extract translations
-        run: |
-          tar xvf translations.tar.gz
-          rm translations.tar.gz
+  # build_python:
+  #   name: Build PyPi package
+  #   environment: ${{ needs.init.outputs.channel }}
+  #   needs: ["init", "build_base"]
+  #   runs-on: ubuntu-latest
+  #   permissions:
+  #     contents: read # To check out the repository
+  #     id-token: write # For PyPI trusted publishing
+  #   if: github.repository_owner == 'home-assistant' && needs.init.outputs.publish == 'true'
+  #   steps:
+  #     - name: Checkout the repository
+  #       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+  #       with:
+  #         persist-credentials: false
 
-      - name: Build package
-        shell: bash
-        run: |
-          # Remove dist, build, and homeassistant.egg-info
-          # when build locally for testing!
-          pip install build
-          python -m build
+  #     - name: Set up Python
+  #       uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+  #       with:
+  #         python-version-file: ".python-version"
 
-      - name: Upload package to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
-        with:
-          skip-existing: true
+  #     - name: Download translations
+  #       shell: bash
+  #       env:
+  #         LOKALISE_TOKEN: ${{ secrets.LOKALISE_TOKEN }} # zizmor: ignore[secrets-outside-env]
+  #         TRANSLATION_PROCESS_ID: ${{ needs.init.outputs.translation_download_process }}
+  #       run: |
+  #         pip install -r script/translations/requirements.txt
+  #         python3 -u -m script.translations download --process-id "$TRANSLATION_PROCESS_ID"
 
-  hassfest-image:
-    name: Build and test hassfest image
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read # To check out the repository
-      packages: write # To push to GHCR
-      attestations: write # For build provenance attestation
-      id-token: write # For build provenance attestation
-    needs: ["init"]
-    if: github.repository_owner == 'home-assistant'
-    env:
-      HASSFEST_IMAGE_NAME: ghcr.io/home-assistant/hassfest
-      HASSFEST_IMAGE_TAG: ghcr.io/home-assistant/hassfest:${{ needs.init.outputs.version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
+  #     - name: Build package
+  #       shell: bash
+  #       run: |
+  #         # Remove dist, build, and homeassistant.egg-info
+  #         # when build locally for testing!
+  #         pip install build
+  #         python -m build
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
+  #     - name: Upload package to PyPI
+  #       uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+  #       with:
+  #         skip-existing: true
 
-      - name: Build Docker image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
-        with:
-          context: . # So action will not pull the repository again
-          file: ./script/hassfest/docker/Dockerfile
-          load: true
-          tags: ${{ env.HASSFEST_IMAGE_TAG }}
+  # hassfest-image:
+  #   name: Build and test hassfest image
+  #   runs-on: ubuntu-latest
+  #   permissions:
+  #     contents: read # To check out the repository
+  #     packages: write # To push to GHCR
+  #     attestations: write # For build provenance attestation
+  #     id-token: write # For build provenance attestation
+  #   needs: ["init"]
+  #   if: github.repository_owner == 'home-assistant'
+  #   env:
+  #     HASSFEST_IMAGE_NAME: ghcr.io/home-assistant/hassfest
+  #     HASSFEST_IMAGE_TAG: ghcr.io/home-assistant/hassfest:${{ needs.init.outputs.version }}
+  #   steps:
+  #     - name: Checkout repository
+  #       uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+  #       with:
+  #         persist-credentials: false
 
-      - name: Run hassfest against core
-        run: docker run --rm -v "${GITHUB_WORKSPACE}":/github/workspace "${HASSFEST_IMAGE_TAG}" --core-path=/github/workspace
+  #     - name: Login to GitHub Container Registry
+  #       uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+  #       with:
+  #         registry: ghcr.io
+  #         username: ${{ github.repository_owner }}
+  #         password: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Push Docker image
-        if: needs.init.outputs.channel != 'dev' && needs.init.outputs.publish == 'true'
-        id: push
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
-        with:
-          context: . # So action will not pull the repository again
-          file: ./script/hassfest/docker/Dockerfile
-          push: true
-          tags: ${{ env.HASSFEST_IMAGE_TAG }},${{ env.HASSFEST_IMAGE_NAME }}:latest
+  #     - name: Build Docker image
+  #       uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+  #       with:
+  #         context: . # So action will not pull the repository again
+  #         file: ./script/hassfest/docker/Dockerfile
+  #         load: true
+  #         tags: ${{ env.HASSFEST_IMAGE_TAG }}
 
-      - name: Generate artifact attestation
-        if: needs.init.outputs.channel != 'dev' && needs.init.outputs.publish == 'true'
-        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
-        with:
-          subject-name: ${{ env.HASSFEST_IMAGE_NAME }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+  #     - name: Run hassfest against core
+  #       run: docker run --rm -v "${GITHUB_WORKSPACE}":/github/workspace "${HASSFEST_IMAGE_TAG}" --core-path=/github/workspace
+
+  #     - name: Push Docker image
+  #       if: needs.init.outputs.channel != 'dev' && needs.init.outputs.publish == 'true'
+  #       id: push
+  #       uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+  #       with:
+  #         context: . # So action will not pull the repository again
+  #         file: ./script/hassfest/docker/Dockerfile
+  #         push: true
+  #         tags: ${{ env.HASSFEST_IMAGE_TAG }},${{ env.HASSFEST_IMAGE_NAME }}:latest
+
+  #     - name: Generate artifact attestation
+  #       if: needs.init.outputs.channel != 'dev' && needs.init.outputs.publish == 'true'
+  #       uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+  #       with:
+  #         subject-name: ${{ env.HASSFEST_IMAGE_NAME }}
+  #         subject-digest: ${{ steps.push.outputs.digest }}
+  #         push-to-registry: true

.github/workflows/ci.yaml

@@ -321,6 +321,7 @@ jobs:
         file:
           - Dockerfile
           - Dockerfile.dev
+          - Dockerfile.translations
           - script/hassfest/docker/Dockerfile
     steps:
       - name: Check out code from GitHub

Dockerfile.translations

@@ -0,0 +1,7 @@
+# Automatically generated by hassfest.
+#
+# To update, run python3 -m script.hassfest -p docker
+ARG BUILD_FROM
+FROM ${BUILD_FROM}
+
+COPY homeassistant/ /usr/src/homeassistant/homeassistant/

script/hassfest/docker.py

@@ -76,6 +76,15 @@ RUN \
 WORKDIR /config
 """
 
+DOCKERFILE_TRANSLATIONS_TEMPLATE = r"""# Automatically generated by hassfest.
+#
+# To update, run python3 -m script.hassfest -p docker
+ARG BUILD_FROM
+FROM ${{BUILD_FROM}}
+
+COPY homeassistant/ /usr/src/homeassistant/homeassistant/
+"""
+
 
 @dataclass(frozen=True)
 class _MachineConfig:
@@ -234,6 +243,10 @@ def _generate_files(config: Config) -> list[File]:
             ),
             config.root / "Dockerfile",
         ),
+        File(
+            DOCKERFILE_TRANSLATIONS_TEMPLATE.format(),
+            config.root / "Dockerfile.translations",
+        ),
         File(
             _HASSFEST_TEMPLATE.format(
                 timeout=timeout,

script/translations/download.py

@@ -3,61 +3,139 @@
 
 from __future__ import annotations
 
+import argparse
+import io
 import json
 from pathlib import Path
-import subprocess
+import time
 from typing import Any
+from zipfile import ZipFile
 
-from .const import CLI_2_DOCKER_IMAGE, CORE_PROJECT_ID, INTEGRATIONS_DIR
+import lokalise
+import requests
+
+from .const import CORE_PROJECT_ID, INTEGRATIONS_DIR
 from .error import ExitApp
 from .util import (
     flatten_translations,
+    get_base_arg_parser,
     get_lokalise_token,
     load_json_from_path,
     substitute_references,
 )
 
 DOWNLOAD_DIR = Path("build/translations-download").absolute()
+POLL_INTERVAL = 5
+MAX_POLL_TIME = 1200  # 20 minutes
 
 
-def run_download_docker() -> None:
-    """Run the Docker image to download the translations."""
-    print("Running Docker to download latest translations.")
-    result = subprocess.run(
-        [
-            "docker",
-            "run",
-            "-v",
-            f"{DOWNLOAD_DIR}:/opt/dest/locale",
-            "--rm",
-            f"lokalise/lokalise-cli-2:{CLI_2_DOCKER_IMAGE}",
-            # Lokalise command
-            "lokalise2",
-            "--token",
-            get_lokalise_token(),
-            "--project-id",
-            CORE_PROJECT_ID,
-            "file",
-            "download",
-            CORE_PROJECT_ID,
-            "--original-filenames=false",
-            "--replace-breaks=false",
-            "--filter-data",
-            "nonfuzzy",
-            "--disable-references",
-            "--export-empty-as",
-            "skip",
-            "--format",
-            "json",
-            "--unzip-to",
-            "/opt/dest",
-        ],
-        check=False,
+def get_arguments() -> argparse.Namespace:
+    """Get parsed passed in arguments."""
+    parser = get_base_arg_parser()
+    parser.add_argument(
+        "--async-start",
+        action="store_true",
+        help="Start an async download and return the process ID.",
     )
-    print()
+    parser.add_argument(
+        "--process-id",
+        type=str,
+        help="Process ID to wait for, then download and unzip the result.",
+    )
+    parser.add_argument(
+        "--output-dir",
+        type=Path,
+        help="Write translations to this directory instead of in-place. "
+        "The directory structure mirrors the source tree.",
+    )
+    return parser.parse_args()
 
-    if result.returncode != 0:
-        raise ExitApp("Failed to download translations")
+
+def get_client() -> lokalise.Client:
+    """Get an authenticated Lokalise client."""
+    return lokalise.Client(get_lokalise_token())
+
+
+def start_async_download(client: lokalise.Client) -> str:
+    """Start an async download and return the process ID."""
+    process = client.download_files_async(
+        CORE_PROJECT_ID,
+        {
+            "format": "json",
+            "original_filenames": False,
+            "replace_breaks": False,
+            "filter_data": "nonfuzzy",
+            "disable_references": True,
+            "export_empty_as": "skip",
+        },
+    )
+    return process.process_id
+
+
+def wait_for_process(client: lokalise.Client, process_id: str) -> str:
+    """Wait for a queued process to complete and return the process download URL."""
+    deadline = time.monotonic() + MAX_POLL_TIME
+    while True:
+        process_info = client.queued_process(CORE_PROJECT_ID, process_id)
+        # Current status of the process. Can be queued, pre_processing, running,
+        # post_processing, cancelled, finished or failed.
+        status = process_info.status
+        additional_info = ""
+        if process_info.details is not None and (details := dict(process_info.details)):
+            if (
+                status == "running"
+                and (done := details.get("items_processed")) is not None
+                and (total := details.get("items_to_process")) is not None
+            ):
+                additional_info = f" ({done}/{total})"
+            elif status == "finished":
+                additional_info = f" total_keys={details.get('total_number_of_keys')}"
+            else:
+                additional_info = f" details={details}"
+        print(f"Process {process_id}: status={status}{additional_info}")
+
+        if status == "finished":
+            return process_info.details["download_url"]
+        if status in ("cancelled", "failed"):
+            raise ExitApp(
+                f"Process {process_id} ended with status: {status}{additional_info}"
+            )
+
+        if time.monotonic() > deadline:
+            raise ExitApp(
+                f"Process {process_id} timed out after {MAX_POLL_TIME} seconds"
+            )
+
+        time.sleep(POLL_INTERVAL)
+
+
+def download_and_unzip(bundle_url: str) -> None:
+    """Download a zip bundle and extract it to the download directory."""
+    print("Downloading translations from lokalise...")
+    response = requests.get(bundle_url, timeout=120)
+    response.raise_for_status()
+
+    DOWNLOAD_DIR.mkdir(parents=True, exist_ok=True)
+
+    with ZipFile(io.BytesIO(response.content)) as zf:
+        zf.extractall(DOWNLOAD_DIR)
+
+    # Lokalise bundles contain a top-level "locale/" directory.
+    # Move JSON files directly under DOWNLOAD_DIR so callers using
+    # DOWNLOAD_DIR.glob("*.json") can find them.
+    locale_dir = DOWNLOAD_DIR / "locale"
+    if locale_dir.is_dir():
+        for json_path in locale_dir.glob("*.json"):
+            json_path.rename(DOWNLOAD_DIR / json_path.name)
+        locale_dir.rmdir()
+
+    print(f"Extracted translations to {DOWNLOAD_DIR}")
+
+
+def fetch_translations(client: lokalise.Client, process_id: str) -> None:
+    """Wait for a process to finish, then download and unzip the bundle."""
+    download_url = wait_for_process(client, process_id)
+    download_and_unzip(download_url)
 
 
 def save_json(filename: Path, data: list | dict) -> None:
@@ -82,7 +160,9 @@ def filter_translations(translations: dict[str, Any], strings: dict[str, Any]) -
                 continue
 
 
-def save_language_translations(lang: str, translations: dict[str, Any]) -> None:
+def save_language_translations(
+    lang: str, translations: dict[str, Any], output_dir: Path | None = None
+) -> None:
     """Save translations for a single language."""
     components = translations.get("component", {})
 
@@ -95,7 +175,7 @@ def save_language_translations(lang: str, translations: dict[str, Any]) -> None:
         if not component_translations:
             continue
 
-        component_path = Path("homeassistant") / "components" / component
+        component_path = INTEGRATIONS_DIR / component
         if not component_path.is_dir():
             print(
                 f"Skipping {lang} for {component}, as the integration doesn't seem to exist."
@@ -110,7 +190,12 @@ def save_language_translations(lang: str, translations: dict[str, Any]) -> None:
             continue
         strings = load_json_from_path(strings_path)
 
-        path = component_path / "translations" / f"{lang}.json"
+        if output_dir is not None:
+            out_path = output_dir / INTEGRATIONS_DIR / component
+        else:
+            out_path = component_path
+
+        path = out_path / "translations" / f"{lang}.json"
         path.parent.mkdir(parents=True, exist_ok=True)
 
         component_translations = substitute_references(
@@ -122,28 +207,41 @@ def save_language_translations(lang: str, translations: dict[str, Any]) -> None:
         save_json(path, component_translations)
 
 
-def save_integrations_translations() -> None:
+def save_integrations_translations(output_dir: Path | None = None) -> None:
     """Save integrations translations."""
     for lang_file in DOWNLOAD_DIR.glob("*.json"):
         lang = lang_file.stem
         translations = load_json_from_path(lang_file)
-        save_language_translations(lang, translations)
+        save_language_translations(lang, translations, output_dir)
 
 
-def delete_old_translations() -> None:
+def delete_old_translations(output_dir: Path | None = None) -> None:
     """Delete old translations."""
-    for fil in INTEGRATIONS_DIR.glob("*/translations/*"):
+    base = INTEGRATIONS_DIR if output_dir is None else output_dir / INTEGRATIONS_DIR
+    for fil in base.glob("*/translations/*"):
         fil.unlink()
 
 
-def run() -> None:
+def run() -> int:
     """Run the script."""
-    DOWNLOAD_DIR.mkdir(parents=True, exist_ok=True)
+    args = get_arguments()
+    client = get_client()
 
-    run_download_docker()
+    process_id = args.process_id
 
-    delete_old_translations()
+    if not process_id:
+        # if no process ID provided, start a new async download and print the process ID
+        process_id = start_async_download(client)
+        print(f"Async download started. Process ID: {process_id}")
 
-    save_integrations_translations()
+        if args.async_start:
+            # If --async-start is provided, exit after starting the download
+            return 0
 
+    fetch_translations(client, process_id)
+    if args.output_dir is None:
+        delete_old_translations()
+    else:
+        delete_old_translations(args.output_dir)
+    save_integrations_translations(args.output_dir)
     return 0

script/translations/frontend.py

@@ -4,7 +4,7 @@ import argparse
 import json
 
 from .const import FRONTEND_DIR
-from .download import DOWNLOAD_DIR, run_download_docker
+from .download import DOWNLOAD_DIR, fetch_translations, get_client, start_async_download
 from .util import get_base_arg_parser, load_json_from_path
 
 FRONTEND_BACKEND_TRANSLATIONS = FRONTEND_DIR / "translations/backend"
@@ -27,7 +27,9 @@ def run():
     args = get_arguments()
 
     if not args.skip_download:
-        run_download_docker()
+        client = get_client()
+        process_id = start_async_download(client)
+        fetch_translations(client, process_id)
 
     for lang_file in DOWNLOAD_DIR.glob("*.json"):
         translations = load_json_from_path(lang_file)

script/translations/requirements.txt

@@ -0,0 +1,2 @@
+python-lokalise-api==4.0.4
+requests>=2.32.5,<3.0.0