Fix

Add machine action
Add shell
2026-02-12 17:01:39 +00:00 · 2026-02-04 23:35:53 +01:00 · 2026-02-04 23:09:25 +01:00 · 2026-02-04 21:40:14 +01:00 · 2026-02-04 21:26:55 +01:00
4 changed files with 218 additions and 92 deletions
--- a/.github/actions/builder/generic/action.yml
+++ b/.github/actions/builder/generic/action.yml
@@ -0,0 +1,118 @@
+name: "Image builder"
+description: "Build a Docker image"
+inputs:
+  base-image:
+    description: "Base image to use for the build"
+    required: true
+    # example: 'ghcr.io/home-assistant/amd64-homeassistant-base:2024.6.0'
+  tags:
+    description: "Tag(s) for the built image (can be multiline for multiple tags)"
+    required: true
+    # example: 'ghcr.io/home-assistant/amd64-homeassistant:2026.2.0' or multiline for multiple tags
+  arch:
+    description: "Architecture for the build (used for default labels)"
+    required: true
+    # example: 'amd64'
+  version:
+    description: "Version for the build (used for default labels)"
+    required: true
+    # example: '2026.2.0'
+  dockerfile:
+    description: "Path to the Dockerfile to build"
+    required: true
+    # example: './Dockerfile'
+  cosign-base-identity:
+    description: "Certificate identity regexp for base image verification"
+    required: true
+    # example: 'https://github.com/home-assistant/docker/.*'
+  additional-labels:
+    description: "Additional labels to add to the built image (merged with default labels)"
+    required: false
+    default: ""
+    # example: 'custom.label=value'
+  push:
+    description: "Whether to push the image to the registry"
+    required: false
+    default: "true"
+    # example: 'true' or 'false'
+runs:
+  using: "composite"
+  steps:
+    - name: Install Cosign
+      uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+      with:
+        cosign-release: "v2.5.3"
+
+    - name: Set up Docker Buildx
+      uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
+
+    - name: Verify base image signature
+      shell: bash
+      run: |
+        cosign verify \
+          --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+          --certificate-identity-regexp "${{ inputs.cosign-base-identity }}" \
+          "${{ inputs.base-image }}"
+
+    - name: Verify cache image signature
+      id: cache
+      continue-on-error: true
+      shell: bash
+      run: |
+        cosign verify \
+          --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+          --certificate-identity-regexp "https://github.com/home-assistant/core/.*" \
+          "ghcr.io/home-assistant/${{ inputs.arch }}-homeassistant:latest"
+
+    - name: Prepare labels
+      id: labels
+      shell: bash
+      run: |
+        # Generate creation timestamp
+        CREATED=$(date --rfc-3339=seconds --utc)
+
+        # Build default labels array
+        LABELS=(
+          "io.hass.arch=${{ inputs.arch }}"
+          "io.hass.version=${{ inputs.version }}"
+          "org.opencontainers.image.created=${CREATED}"
+          "org.opencontainers.image.version=${{ inputs.version }}"
+        )
+
+        # Append additional labels if provided
+        if [ -n "${{ inputs.additional-labels }}" ]; then
+          while IFS= read -r label; do
+            [ -n "$label" ] && LABELS+=("$label")
+          done <<< "${{ inputs.additional-labels }}"
+        fi
+
+        # Output the combined labels using EOF delimiter for multiline
+        {
+          echo 'result<<EOF'
+          printf '%s\n' "${LABELS[@]}"
+          echo 'EOF'
+        } >> "$GITHUB_OUTPUT"
+
+    - name: Build base image
+      id: build
+      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+      with:
+        context: .
+        file: ${{ inputs.dockerfile }}
+        platforms: ${{ steps.vars.outputs.platform }}
+        push: ${{ inputs.push }}
+        cache-from: ${{ steps.cache.outcome == 'success' && format('ghcr.io/home-assistant/{0}-homeassistant:latest', inputs.arch) || '' }}
+        build-args: |
+          BUILD_FROM=${{ inputs.base-image }}
+        tags: ${{ inputs.tags }}
+        outputs: type=image,compression=zstd,compression-level=9,force-compression=true,oci-mediatypes=true
+        labels: ${{ steps.labels.outputs.result }}
+
+    - name: Sign image
+      if: ${{ inputs.push == 'true' }}
+      shell: bash
+      run: |
+        # Sign each tag
+        while IFS= read -r tag; do
+          [ -n "$tag" ] && cosign sign --yes "${tag}@${{ steps.build.outputs.digest }}"
+        done <<< "${{ inputs.tags }}"
--- a/.github/actions/builder/machine/action.yml
+++ b/.github/actions/builder/machine/action.yml
@@ -0,0 +1,68 @@
+name: "Machine image builder"
+description: "Build or copy a machine-specific Docker image"
+inputs:
+  machine:
+    description: "Machine name"
+    required: true
+    # example: 'raspberrypi4-64'
+  version:
+    description: "Version for the build"
+    required: true
+    # example: '2026.2.0'
+  arch:
+    description: "Architecture for the build"
+    required: true
+    # example: 'aarch64'
+runs:
+  using: "composite"
+  steps:
+    - name: Prepare build variables
+      id: vars
+      shell: bash
+      run: |
+        echo "base_image=ghcr.io/home-assistant/${{ inputs.arch }}-homeassistant:${{ inputs.version }}" >> "$GITHUB_OUTPUT"
+
+        # Build tags array with version-specific tag
+        TAGS=(
+          "ghcr.io/home-assistant/${{ inputs.machine }}-homeassistant:${{ inputs.version }}"
+        )
+
+        # Add general tag based on version
+        if [[ "${{ inputs.version }}" =~ d ]]; then
+          TAGS+=("ghcr.io/home-assistant/${{ inputs.machine }}-homeassistant:dev")
+        elif [[ "${{ inputs.version }}" =~ b ]]; then
+          TAGS+=("ghcr.io/home-assistant/${{ inputs.machine }}-homeassistant:beta")
+        else
+          TAGS+=("ghcr.io/home-assistant/${{ inputs.machine }}-homeassistant:stable")
+        fi
+
+        # Output tags using EOF delimiter for multiline
+        {
+          echo 'tags<<EOF'
+          printf '%s\n' "${TAGS[@]}"
+          echo 'EOF'
+        } >> "$GITHUB_OUTPUT"
+
+        LABELS=(
+          "io.hass.type=core"
+          "io.hass.machine=${{ inputs.machine }}"
+          "org.opencontainers.image.source=https://github.com/home-assistant/core"
+        )
+
+        # Output the labels using EOF delimiter for multiline
+        {
+          echo 'labels<<EOF'
+          printf '%s\n' "${LABELS[@]}"
+          echo 'EOF'
+        } >> "$GITHUB_OUTPUT"
+
+    - name: Build machine image
+      uses: ./.github/actions/builder/generic
+      with:
+        base-image: ${{ steps.vars.outputs.base_image }}
+        tags: ${{ steps.vars.outputs.tags }}
+        arch: ${{ inputs.arch }}
+        version: ${{ inputs.version }}
+        dockerfile: machine/${{ inputs.machine }}
+        cosign-base-identity: "https://github.com/home-assistant/core/.*"
+        additional-labels: ${{ steps.vars.outputs.labels }}
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -190,103 +190,53 @@ jobs:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      - &install_cosign
-        name: Install Cosign
-        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
-        with:
-          cosign-release: "v2.5.3"
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
-
      - name: Build variables
        id: vars
        shell: bash
        run: |
          echo "base_image=ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant-base:${{ env.BASE_IMAGE_VERSION }}" >> "$GITHUB_OUTPUT"
-          echo "cache_image=ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant:latest" >> "$GITHUB_OUTPUT"
-          echo "created=$(date --rfc-3339=seconds --utc)" >> "$GITHUB_OUTPUT"
-
-      - name: Verify base image signature
-        run: |
-          cosign verify \
-            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-            --certificate-identity-regexp "https://github.com/home-assistant/docker/.*" \
-            "${{ steps.vars.outputs.base_image }}"
-
-      - name: Verify cache image signature
-        id: cache
-        continue-on-error: true
-        run: |
-          cosign verify \
-            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-            --certificate-identity-regexp "https://github.com/home-assistant/core/.*" \
-            "${{ steps.vars.outputs.cache_image }}"

      - name: Build base image
-        id: build
-        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        uses: ./.github/actions/builder/generic
        with:
-          context: .
-          file: ./Dockerfile
-          platforms: ${{ steps.vars.outputs.platform }}
-          push: true
-          cache-from: ${{ steps.cache.outcome == 'success' && steps.vars.outputs.cache_image || '' }}
-          build-args: |
-            BUILD_FROM=${{ steps.vars.outputs.base_image }}
+          base-image: ${{ steps.vars.outputs.base_image }}
          tags: ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant:${{ needs.init.outputs.version }}
-          outputs: type=image,push=true,compression=zstd,compression-level=9,force-compression=true,oci-mediatypes=true
-          labels: |
-            io.hass.arch=${{ matrix.arch }}
-            io.hass.version=${{ needs.init.outputs.version }}
-            org.opencontainers.image.created=${{ steps.vars.outputs.created }}
-            org.opencontainers.image.version=${{ needs.init.outputs.version }}
-
-      - name: Sign image
-        run: |
-          cosign sign --yes "ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant:${{ needs.init.outputs.version }}@${{ steps.build.outputs.digest }}"
+          arch: ${{ matrix.arch }}
+          version: ${{ needs.init.outputs.version }}
+          dockerfile: ./Dockerfile
+          cosign-base-identity: "https://github.com/home-assistant/docker/.*"

  build_machine:
-    name: Build ${{ matrix.machine }} machine core image
+    name: Build ${{ matrix.machine.name }} machine core image
    if: github.repository_owner == 'home-assistant'
    needs: ["init", "build_base"]
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.machine.arch == 'amd64' && 'ubuntu-latest' || 'ubuntu-24.04-arm' }}
    permissions:
      contents: read
      packages: write
      id-token: write
    strategy:
+      fail-fast: false
      matrix:
        machine:
-          - generic-x86-64
-          - intel-nuc
-          - khadas-vim3
-          - odroid-c2
-          - odroid-c4
-          - odroid-m1
-          - odroid-n2
-          - qemuarm-64
-          - qemux86-64
-          - raspberrypi3-64
-          - raspberrypi4-64
-          - raspberrypi5-64
-          - yellow
-          - green
+          - { name: generic-x86-64, arch: amd64 }
+          - { name: intel-nuc, arch: amd64 }
+          - { name: qemux86-64, arch: amd64 }
+          - { name: khadas-vim3, arch: aarch64 }
+          - { name: odroid-c2, arch: aarch64 }
+          - { name: odroid-c4, arch: aarch64 }
+          - { name: odroid-m1, arch: aarch64 }
+          - { name: odroid-n2, arch: aarch64 }
+          - { name: qemuarm-64, arch: aarch64 }
+          - { name: raspberrypi3-64, arch: aarch64 }
+          - { name: raspberrypi4-64, arch: aarch64 }
+          - { name: raspberrypi5-64, arch: aarch64 }
+          - { name: yellow, arch: aarch64 }
+          - { name: green, arch: aarch64 }
    steps:
      - name: Checkout the repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

-      - name: Set build additional args
-        run: |
-          # Create general tags
-          if [[ "${{ needs.init.outputs.version }}" =~ d ]]; then
-            echo "BUILD_ARGS=--additional-tag dev" >> $GITHUB_ENV
-          elif [[ "${{ needs.init.outputs.version }}" =~ b ]]; then
-            echo "BUILD_ARGS=--additional-tag beta" >> $GITHUB_ENV
-          else
-            echo "BUILD_ARGS=--additional-tag stable" >> $GITHUB_ENV
-          fi
-
      - name: Login to GitHub Container Registry
        uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
        with:
@@ -294,15 +244,12 @@ jobs:
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

-      # home-assistant/builder doesn't support sha pinning
-      - name: Build base image
-        uses: home-assistant/builder@2025.11.0
+      - name: Build machine image
+        uses: ./.github/actions/builder/machine
        with:
-          args: |
-            $BUILD_ARGS \
-            --target /data/machine \
-            --cosign \
-            --machine "${{ needs.init.outputs.version }}=${{ matrix.machine }}"
+          machine: ${{ matrix.machine.name }}
+          version: ${{ needs.init.outputs.version }}
+          arch: ${{ matrix.machine.arch }}

  publish_ha:
    name: Publish version files
@@ -355,7 +302,10 @@ jobs:
      matrix:
        registry: ["ghcr.io/home-assistant", "docker.io/homeassistant"]
    steps:
-      - *install_cosign
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        with:
+          cosign-release: "v2.5.3"

      - name: Login to DockerHub
        if: matrix.registry == 'docker.io/homeassistant'
--- a/machine/build.yaml
+++ b/machine/build.yaml
@@ -1,10 +0,0 @@
-image: ghcr.io/home-assistant/{machine}-homeassistant
-build_from:
-  aarch64: "ghcr.io/home-assistant/aarch64-homeassistant:"
-  amd64: "ghcr.io/home-assistant/amd64-homeassistant:"
-cosign:
-  base_identity: https://github.com/home-assistant/core/.*
-  identity: https://github.com/home-assistant/core/.*
-labels:
-  io.hass.type: core
-  org.opencontainers.image.source: https://github.com/home-assistant/core
Author	SHA1	Message	Date
Robert Resch	d2867d9e0f	Fix	2026-02-04 23:35:53 +01:00
Robert Resch	368eae89b1	Add machine action	2026-02-04 23:09:25 +01:00
Robert Resch	1f4656fa3e	Add shell	2026-02-04 21:40:14 +01:00
Robert Resch	19d8dab6fd	Use composite builder action	2026-02-04 21:26:55 +01:00