Bump home-assistant/builder from 2023.06.0 to 2023.06.1 (#4404)

* Bump home-assistant/builder from 2023.06.0 to 2023.06.1

Bumps [home-assistant/builder](https://github.com/home-assistant/builder) from 2023.06.0 to 2023.06.1.
- [Release notes](https://github.com/home-assistant/builder/releases)
- [Commits](https://github.com/home-assistant/builder/compare/2023.06.0...2023.06.1)

---
updated-dependencies:
- dependency-name: home-assistant/builder
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

* Support cosign & ditch Codenotary

* use curl

* Not using docker.io anymore

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Pascal Vizeli <pvizeli@syshack.ch>

.github/workflows/builder.yml

@@ -83,6 +83,10 @@ jobs:
     name: Build ${{ matrix.arch }} supervisor
     needs: init
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+      packages: write
     strategy:
       matrix:
         arch: ${{ fromJson(needs.init.outputs.architectures) }}
@@ -119,12 +123,29 @@ jobs:
         with:
           type: ${{ env.BUILD_TYPE }}
 
-      - name: Login to DockerHub
+      - name: Set up Python ${{ env.DEFAULT_PYTHON }}
         if: needs.init.outputs.publish == 'true'
-        uses: docker/login-action@v2.2.0
+        uses: actions/setup-python@v4.6.1
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
+          python-version: ${{ env.DEFAULT_PYTHON }}
+
+      - name: Install Cosign
+        if: needs.init.outputs.publish == 'true'
+        uses: sigstore/cosign-installer@v3.0.5
+        with:
+          cosign-release: "v2.0.2"
+
+      - name: Install dirhash and calc hash
+        if: needs.init.outputs.publish == 'true'
+        run: |
+          pip3 install dirhash
+          dir_hash="$(dirhash "${{ github.workspace }}/supervisor" -a sha256 --match "*.py")"
+          echo "${dir_hash}" > rootfs/supervisor.sha256
+
+      - name: Sign supervisor SHA256
+        if: needs.init.outputs.publish == 'true'
+        run: |
+          cosign sign-blob --yes rootfs/supervisor.sha256 --bundle rootfs/supervisor.sha256.sig
 
       - name: Login to GitHub Container Registry
         if: needs.init.outputs.publish == 'true'
@@ -139,55 +160,17 @@ jobs:
         run: echo "BUILD_ARGS=--test" >> $GITHUB_ENV
 
       - name: Build supervisor
-        uses: home-assistant/builder@2023.06.0
+        uses: home-assistant/builder@2023.06.1
         with:
           args: |
             $BUILD_ARGS \
             --${{ matrix.arch }} \
             --target /data \
+            --cosign \
             --generic ${{ needs.init.outputs.version }}
         env:
           CAS_API_KEY: ${{ secrets.CAS_TOKEN }}
 
-  codenotary:
-    name: CAS signature
-    needs: init
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout the repository
-        if: needs.init.outputs.publish == 'true'
-        uses: actions/checkout@v3.5.3
-        with:
-          fetch-depth: 0
-
-      - name: Set up Python ${{ env.DEFAULT_PYTHON }}
-        if: needs.init.outputs.publish == 'true'
-        uses: actions/setup-python@v4.6.1
-        with:
-          python-version: ${{ env.DEFAULT_PYTHON }}
-
-      - name: Set version
-        if: needs.init.outputs.publish == 'true'
-        uses: home-assistant/actions/helpers/version@master
-        with:
-          type: ${{ env.BUILD_TYPE }}
-
-      - name: Install dirhash and calc hash
-        if: needs.init.outputs.publish == 'true'
-        id: dirhash
-        run: |
-          pip3 install dirhash
-          dir_hash="$(dirhash "${{ github.workspace }}/supervisor" -a sha256 --match "*.py")"
-          echo "::set-output name=dirhash::${dir_hash}"
-
-      - name: Signing Source
-        if: needs.init.outputs.publish == 'true'
-        uses: home-assistant/actions/helpers/codenotary@master
-        with:
-          source: hash://${{ steps.dirhash.outputs.dirhash }}
-          asset: supervisor-${{ needs.init.outputs.version }}
-          token: ${{ secrets.CAS_TOKEN }}
-
   version:
     name: Update version
     needs: ["init", "run_supervisor"]
@@ -216,7 +199,7 @@ jobs:
   run_supervisor:
     runs-on: ubuntu-latest
     name: Run the Supervisor
-    needs: ["build", "codenotary", "init"]
+    needs: ["build", "init"]
     timeout-minutes: 60
     steps:
       - name: Checkout the repository
@@ -224,7 +207,7 @@ jobs:
 
       - name: Build the Supervisor
         if: needs.init.outputs.publish != 'true'
-        uses: home-assistant/builder@2023.06.0
+        uses: home-assistant/builder@2023.06.1
         with:
           args: |
             --test \
@@ -253,7 +236,7 @@ jobs:
             -e SUPERVISOR_NAME=hassio_supervisor \
             -e SUPERVISOR_DEV=1 \
             -e SUPERVISOR_MACHINE="qemux86-64" \
-          homeassistant/amd64-hassio-supervisor:runner
+          ghcr.io/home-assistant/amd64-hassio-supervisor:runner
 
       - name: Start the Supervisor
         run: docker start hassio_supervisor

.github/workflows/ci.yaml

@@ -10,7 +10,6 @@ on:
 env:
   DEFAULT_PYTHON: "3.11"
   PRE_COMMIT_HOME: ~/.cache/pre-commit
-  DEFAULT_CAS: v1.0.2
 
 concurrency:
   group: "${{ github.workflow }}-${{ github.ref }}"
@@ -351,10 +350,10 @@ jobs:
         id: python
         with:
           python-version: ${{ needs.prepare.outputs.python-version }}
-      - name: Install CAS tools
-        uses: home-assistant/actions/helpers/cas@master
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@v3.0.5
         with:
-          version: ${{ env.DEFAULT_CAS }}
+          cosign-release: "v2.0.2"
       - name: Restore Python virtual environment
         id: cache-venv
         uses: actions/cache@v3.3.1

Dockerfile

@@ -7,7 +7,8 @@ ENV \
     CRYPTOGRAPHY_OPENSSL_NO_LEGACY=1
 
 ARG \
-    CAS_VERSION
+    COSIGN_VERSION \
+    BUILD_ARCH
 
 # Install base
 WORKDIR /usr/src
@@ -21,19 +22,9 @@ RUN \
         libpulse \
         musl \
         openssl \
-    && apk add --no-cache --virtual .build-dependencies \
-        build-base \
-        go \
     \
-    && git clone -b "v${CAS_VERSION}" --depth 1 \
-        https://github.com/codenotary/cas \
-    && cd cas \
-    && make cas \
-    && mv cas /usr/bin/cas \
-    \
-    && apk del .build-dependencies \
-    && rm -rf /root/go /root/.cache \
-    && rm -rf /usr/src/cas
+    && curl -Lso /usr/bin/cosign "https://github.com/home-assistant/cosign/releases/download/${COSIGN_VERSION}/cosign_${BUILD_ARCH}" \
+    && chmod a+x /usr/bin/cosign
 
 # Install requirements
 COPY requirements.txt .

build.yaml

@@ -1,5 +1,4 @@
-image: homeassistant/{arch}-hassio-supervisor
-shadow_repository: ghcr.io/home-assistant
+image: ghcr.io/home-assistant/{arch}-hassio-supervisor
 build_from:
   aarch64: ghcr.io/home-assistant/aarch64-base-python:3.11-alpine3.16
   armhf: ghcr.io/home-assistant/armhf-base-python:3.11-alpine3.16
@@ -9,8 +8,11 @@ build_from:
 codenotary:
   signer: notary@home-assistant.io
   base_image: notary@home-assistant.io
+cosign:
+  base_identity: https://github.com/home-assistant/docker-base/.*
+  identity: https://github.com/home-assistant/supervisor/.*
 args:
-  CAS_VERSION: 1.0.2
+  COSIGN_VERSION: 2.0.2
 labels:
   io.hass.type: supervisor
   org.opencontainers.image.title: Home Assistant Supervisor

rootfs/root/.cas-trusted-signing-pub-key

@@ -1,4 +0,0 @@
------BEGIN PUBLIC KEY-----
-MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE03LvYuz79GTJx4uKp3w6NrSe5JZI
-iBtgzzYi0YQYtZO/r+xFpgDJEa0gLHkXtl94fpqrFiN89In83lzaszbZtA==
------END PUBLIC KEY-----

rootfs/root/.cas/config.json

@@ -1,8 +0,0 @@
-{
-  "currentcontext": {
-    "LcHost": "cas.codenotary.com",
-    "LcPort": "443"
-  },
-  "schemaversion": 3,
-  "users": null
-}