Better cache validation (#97)

* Better cache validation * fixes * new handling * use local source * revert * test itself
home-assistant · May 14, 2021 · aeb80df · aeb80df
1 parent f751485
commit aeb80df
Show file tree

Hide file tree

Showing 3 changed files with 73 additions and 79 deletions.
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -1,4 +1,4 @@
-name: 'Publish'
+name: "Publish"
 
 on:
   release:
@@ -17,12 +17,12 @@ jobs:
     outputs:
       architectures: ${{ steps.info.outputs.architectures }}
     steps:
-    - name: Checkout the repository
-      uses: actions/[email protected]
+      - name: Checkout the repository
+        uses: actions/[email protected]
 
-    - name: Get information
-      id: info
-      uses: home-assistant/actions/helpers/info@master
+      - name: Get information
+        id: info
+        uses: home-assistant/actions/helpers/info@master
 
   publish:
     name: Publish builder
@@ -33,34 +33,32 @@ jobs:
       matrix:
         architecture: ${{ fromJson(needs.init.outputs.architectures) }}
     steps:
-    - name: Checkout the repository
-      uses: actions/[email protected]
+      - name: Checkout the repository
+        uses: actions/[email protected]
 
-    - uses: olegtarasov/[email protected]
-      if: github.event_name == 'release'
-      name: Set tag envronment variable
+      - uses: olegtarasov/[email protected]
+        if: github.event_name == 'release'
+        name: Set tag envronment variable
 
-    - name: Login to DockerHub
-      uses: docker/[email protected]
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Login to DockerHub
+        uses: docker/[email protected]
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
 
-    - name: Login to GitHub Container Registry
-      uses: docker/[email protected]
-      with:
-        registry: ghcr.io
-        username: ${{ secrets.GIT_USER }}
-        password: ${{ secrets.GIT_TOKEN }}
-
-    - name: Publish ${{ matrix.architecture }} builder
-      uses: home-assistant/builder@master
-      with:
-        args: |
-          --${{ matrix.architecture }} \
-          --target /data \
-          --with-codenotary "${{ secrets.VCN_USER }}" "${{ secrets.VCN_PASSWORD }}" "${{ secrets.VCN_ORG }}" \
-          --validate-from "${{ secrets.VCN_ORG }}" \
-          --validate-cache "${{ secrets.VCN_ORG }}" \
-          --generic $GIT_TAG_NAME
+      - name: Login to GitHub Container Registry
+        uses: docker/[email protected]
+        with:
+          registry: ghcr.io
+          username: ${{ secrets.GIT_USER }}
+          password: ${{ secrets.GIT_TOKEN }}
 
+      - name: Publish ${{ matrix.architecture }} builder
+        uses: ./
+        with:
+          args: |
+            --${{ matrix.architecture }} \
+            --target /data \
+            --with-codenotary "${{ secrets.VCN_USER }}" "${{ secrets.VCN_PASSWORD }}" "${{ secrets.VCN_ORG }}" \
+            --validate-from "${{ secrets.VCN_ORG }}" \
+            --generic $GIT_TAG_NAME
diff --git a/README.md b/README.md
@@ -11,7 +11,7 @@ Use the `with.args` key to pass in arguments to the builder, to see what argumen
 ### Test action example
 
 ```yaml
-name: 'Test'
+name: "Test"
 
 on: [push, pull_request]
 
@@ -20,22 +20,22 @@ jobs:
     name: Test build
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout the repository
-      uses: actions/checkout@v2
-    - name: Test build
-      uses: home-assistant/builder@master
-      with:
-        args: |
-          --test \
-          --all \
-          --target addon-folder \
-          --docker-hub user-name-or-space-name
+      - name: Checkout the repository
+        uses: actions/checkout@v2
+      - name: Test build
+        uses: home-assistant/builder@master
+        with:
+          args: |
+            --test \
+            --all \
+            --target addon-folder \
+            --docker-hub user-name-or-space-name
 ```
 
 ### Publish action example
 
 ```yaml
-name: 'Publish'
+name: "Publish"
 
 on:
   release:
@@ -46,20 +46,20 @@ jobs:
     name: Publish
     runs-on: ubuntu-latest
     steps:
-    - name: Checkout the repository
-      uses: actions/checkout@v2
-    - name: Login to DockerHub
-      uses: docker/login-action@v1
-      with:
-        username: ${{ secrets.DOCKERHUB_USERNAME }}
-        password: ${{ secrets.DOCKERHUB_TOKEN }}
-    - name: Publish
-      uses: home-assistant/builder@master
-      with:
-        args: |
-          --all \
-          --target addon-folder \
-          --docker-hub user-name-or-space-name
+      - name: Checkout the repository
+        uses: actions/checkout@v2
+      - name: Login to DockerHub
+        uses: docker/login-action@v1
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Publish
+        uses: home-assistant/builder@master
+        with:
+          args: |
+            --all \
+            --target addon-folder \
+            --docker-hub user-name-or-space-name
 ```
 
 ## Arguments
@@ -68,15 +68,15 @@ jobs:
   Options:
     -h, --help
         Display this help and exit.
-  
+
   Repository / Data
     -r, --repository <REPOSITORY>
         Set git repository to load data from.
     -b, --branch <BRANCH>
         Set git branch for repository.
     -t, --target <PATH_TO_BUILD>
         Set local folder or path inside repository for build.
-  
+
   Version/Image handling
     -v, --version <VERSION>
         Overwrite version/tag of build.
@@ -88,7 +88,7 @@ jobs:
         Use this as main tag.
     --version-from <VERSION>
         Use this to set build_from tag if not specified.
-  
+
   Architecture
     --armhf
         Build for arm v6.
@@ -102,7 +102,7 @@ jobs:
         Build for intel/amd 32bit.
     --all
         Build all architecture.
-  
+
   Build handling
     --test
        Disable push to dockerhub.
@@ -124,7 +124,7 @@ jobs:
        Password to login into docker with
     Use the host docker socket if mapped into container:
        /var/run/docker.sock
-  
+
   Internals:
     --addon
         Default on. Run all things for an addon build.
@@ -134,29 +134,30 @@ jobs:
         Build our base images.
     --machine <VERSION=ALL,X,Y>
         Build the machine based image for a release/landingpage.
-  
+
   Security:
     --with-codenotary <USER> <PASSWORD> <OWNER>
         Enable signing images with CodeNotary. Need set follow env:
-    --validate-from <ORG|signer>
-        Validate the FROM image which is used to build the image.
     --validate-cache <ORG|signer>
         Validate the cache image which is used to build the image.
 ```
 
 ## Local installation
 
 amd64:
+
 ```bash
 docker pull homeassistant/amd64-builder
 ```
 
 armv7/armhf:
+
 ```bash
 docker pull homeassistant/armv7-builder
 ```
 
 aarch64:
+
 ```bash
 docker pull homeassistant/aarch64-builder
 ```

diff --git a/builder.sh b/builder.sh
@@ -19,7 +19,6 @@ DOCKER_PASSWORD=
 DOCKER_LOCAL=false
 VCN_NOTARY=false
 VCN_FROM=
-VCN_CACHE=
 CODENOTARY_USER=
 CODENOTARY_PASSWORD=
 CODENOTARY_OWNER=
@@ -141,8 +140,6 @@ Options:
         Enable signing images with CodeNotary. Need set follow env:
     --validate-from <ORG|signer>
         Validate the FROM image which is used to build the image.
-    --validate-cache <ORG|signer>
-        Validate the cache image which is used to build the image.
 EOF
 
     bashio::exit.nok
@@ -254,9 +251,7 @@ function run_build() {
         fi
 
         bashio::log.info "Init cache for ${repository}/${image}:${version} with tag ${cache_tag}"
-        if docker pull "${repository}/${image}:${cache_tag}" > /dev/null 2>&1; then
-            # Validate the cache image
-            codenotary_validate "${VCN_CACHE}" "${repository}/${image}:${cache_tag}" "false"
+        if docker pull "${repository}/${image}:${cache_tag}" > /dev/null 2>&1 && codenotary_validate "${CODENOTARY_OWNER}" "${repository}/${image}:${cache_tag}" "false"; then
             docker_cli+=("--cache-from" "${repository}/${image}:${cache_tag}")
         else
             docker_cli+=("--no-cache")
@@ -273,7 +268,9 @@ function run_build() {
     docker_cli+=("--label" "org.opencontainers.image.version=${release}")
 
     # Validate the base image
-    codenotary_validate "${VCN_FROM}" "${build_from}" "true"
+    if ! codenotary_validate "${VCN_FROM}" "${build_from}" "true"; then
+        bashio::exit.nok "Invalid base image ${build_from}"
+    fi
 
     # Build image
     bashio::log.info "Run build for ${repository}/${image}:${version}"
@@ -740,8 +737,10 @@ function codenotary_validate() {
 
     state="$(vcn authenticate "${vcn_cli[@]}" --output json "docker://${image}" | jq '.verification.status // 2')"
     if [[ "${state}" != "0" ]]; then
-        bashio::exit.nok "Validation of ${image} fails!"
+        bashio::log.warning "Validation of ${image} fails!"
+        return 1
     fi
+
     bashio::log.info "Image ${image} is trusted"
 }
 
@@ -876,10 +875,6 @@ while [[ $# -gt 0 ]]; do
             VCN_FROM=$2
             shift
             ;;
-        --validate-cache)
-            VCN_CACHE=$2
-            shift
-            ;;
         *)
             bashio::exit.nok "$0 : Argument '$1' unknown"
             ;;