diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 62edd69..b4b0116 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -1,4 +1,4 @@ -name: 'Publish' +name: "Publish" on: release: @@ -17,12 +17,12 @@ jobs: outputs: architectures: ${{ steps.info.outputs.architectures }} steps: - - name: Checkout the repository - uses: actions/checkout@v2.3.4 + - name: Checkout the repository + uses: actions/checkout@v2.3.4 - - name: Get information - id: info - uses: home-assistant/actions/helpers/info@master + - name: Get information + id: info + uses: home-assistant/actions/helpers/info@master publish: name: Publish builder 
@@ -33,34 +33,32 @@ jobs: matrix: architecture: ${{ fromJson(needs.init.outputs.architectures) }} steps: - - name: Checkout the repository - uses: actions/checkout@v2.3.4 + - name: Checkout the repository + uses: actions/checkout@v2.3.4 - - uses: olegtarasov/get-tag@v2.1 - if: github.event_name == 'release' - name: Set tag envronment variable + - uses: olegtarasov/get-tag@v2.1 + if: github.event_name == 'release' + name: Set tag envronment variable - - name: Login to DockerHub - uses: docker/login-action@v1.9.0 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Login to DockerHub + uses: docker/login-action@v1.9.0 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Login to GitHub Container Registry - uses: docker/login-action@v1.9.0 - with: - registry: ghcr.io - username: ${{ secrets.GIT_USER }} - password: ${{ secrets.GIT_TOKEN }} - - - name: Publish ${{ matrix.architecture }} builder - uses: home-assistant/builder@master - with: - args: | - --${{ matrix.architecture }} \ - --target /data \ - --with-codenotary "${{ secrets.VCN_USER }}" "${{ secrets.VCN_PASSWORD }}" "${{ secrets.VCN_ORG }}" \ - --validate-from "${{ secrets.VCN_ORG }}" \ - --validate-cache "${{ secrets.VCN_ORG }}" \ - --generic $GIT_TAG_NAME + - name: Login to GitHub Container Registry + uses: docker/login-action@v1.9.0 + with: + registry: ghcr.io + username: ${{ secrets.GIT_USER }} + password: ${{ secrets.GIT_TOKEN }} + - name: Publish ${{ matrix.architecture }} builder + uses: ./ + with: + args: | + --${{ matrix.architecture }} \ + --target /data \ + --with-codenotary "${{ secrets.VCN_USER }}" "${{ secrets.VCN_PASSWORD }}" "${{ secrets.VCN_ORG }}" \ + --validate-from "${{ secrets.VCN_ORG }}" \ + --generic $GIT_TAG_NAME diff --git a/README.md b/README.md index 1750130..ee82a8d 100644 --- a/README.md +++ b/README.md 
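Review bot: The retained `--with-codenotary "${{ secrets.VCN_USER }}" "${{ secrets.VCN_PASSWORD }}" "${{ secrets.VCN_ORG }}"` line in the Publish step still puts the CodeNotary password into the container's argv, where it is readable by any process on the runner through `ps`/`/proc` and is not covered by GitHub's log masking. Since the workflow now runs the action from the checkout (`uses: ./`), this is the moment to let `builder.sh` take `CODENOTARY_PASSWORD` from the environment (the `CODENOTARY_PASSWORD=` reset at the top of the script currently clobbers any inherited value) and pass the secret through an `env:` entry on the step instead of an argument. Separately, the GHCR login could use `username: ${{ github.actor }}` with `password: ${{ secrets.GITHUB_TOKEN }}` and a `permissions: packages: write` block rather than the long-lived `GIT_USER`/`GIT_TOKEN` pair, which keeps the credential scoped to this run.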
@@ -11,7 +11,7 @@ Use the `with.args` key to pass in arguments to the builder, to see what argumen ### Test action example ```yaml -name: 'Test' +name: "Test" on: [push, pull_request] @@ -20,22 +20,22 @@ jobs: name: Test build runs-on: ubuntu-latest steps: - - name: Checkout the repository - uses: actions/checkout@v2 - - name: Test build - uses: home-assistant/builder@master - with: - args: | - --test \ - --all \ - --target addon-folder \ - --docker-hub user-name-or-space-name + - name: Checkout the repository + uses: actions/checkout@v2 + - name: Test build + uses: home-assistant/builder@master + with: + args: | + --test \ + --all \ + --target addon-folder \ + --docker-hub user-name-or-space-name ``` ### Publish action example ```yaml -name: 'Publish' +name: "Publish" on: release: @@ -46,20 +46,20 @@ jobs: name: Publish runs-on: ubuntu-latest steps: - - name: Checkout the repository - uses: actions/checkout@v2 - - name: Login to DockerHub - uses: docker/login-action@v1 - with: - username: ${{ secrets.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - name: Publish - uses: home-assistant/builder@master - with: - args: | - --all \ - --target addon-folder \ - --docker-hub user-name-or-space-name + - name: Checkout the repository + uses: actions/checkout@v2 + - name: Login to DockerHub + uses: docker/login-action@v1 + with: + username: ${{ secrets.DOCKERHUB_USERNAME }} + password: ${{ secrets.DOCKERHUB_TOKEN }} + - name: Publish + uses: home-assistant/builder@master + with: + args: | + --all \ + --target addon-folder \ + --docker-hub user-name-or-space-name ``` ## Arguments @@ -68,7 +68,7 @@ jobs: Options: -h, --help Display this help and exit. - + Repository / Data -r, --repository Set git repository to load data from. @@ -76,7 +76,7 @@ jobs: Set git branch for repository. -t, --target Set local folder or path inside repository for build. - + Version/Image handling -v, --version Overwrite version/tag of build. 
@@ -88,7 +88,7 @@ jobs: Use this as main tag. --version-from Use this to set build_from tag if not specified. - + Architecture --armhf Build for arm v6. @@ -102,7 +102,7 @@ jobs: Build for intel/amd 32bit. --all Build all architecture. - + Build handling --test Disable push to dockerhub. @@ -124,7 +124,7 @@ jobs: Password to login into docker with Use the host docker socket if mapped into container: /var/run/docker.sock - + Internals: --addon Default on. Run all things for an addon build. @@ -134,12 +134,10 @@ jobs: Build our base images. --machine Build the machine based image for a release/landingpage. - + Security: --with-codenotary Enable signing images with CodeNotary. Need set follow env: - --validate-from - Validate the FROM image which is used to build the image. --validate-cache Validate the cache image which is used to build the image. ``` @@ -147,16 +145,19 @@ jobs: ## Local installation amd64: + ```bash docker pull homeassistant/amd64-builder ``` armv7/armhf: + ```bash docker pull homeassistant/armv7-builder ``` aarch64: + ```bash docker pull homeassistant/aarch64-builder ``` diff --git a/builder.sh b/builder.sh index bd53982..e64d17c 100755 --- a/builder.sh +++ b/builder.sh @@ -19,7 +19,6 @@ DOCKER_PASSWORD= DOCKER_LOCAL=false VCN_NOTARY=false VCN_FROM= -VCN_CACHE= CODENOTARY_USER= CODENOTARY_PASSWORD= CODENOTARY_OWNER= @@ -141,8 +140,6 @@ Options: Enable signing images with CodeNotary. Need set follow env: --validate-from Validate the FROM image which is used to build the image. - --validate-cache - Validate the cache image which is used to build the image. EOF bashio::exit.nok 
@@ -254,9 +251,7 @@ function run_build() { fi bashio::log.info "Init cache for ${repository}/${image}:${version} with tag ${cache_tag}" - if docker pull "${repository}/${image}:${cache_tag}" > /dev/null 2>&1; then - # Validate the cache image - codenotary_validate "${VCN_CACHE}" "${repository}/${image}:${cache_tag}" "false" + if docker pull "${repository}/${image}:${cache_tag}" > /dev/null 2>&1 && codenotary_validate "${CODENOTARY_OWNER}" "${repository}/${image}:${cache_tag}" "false"; then docker_cli+=("--cache-from" "${repository}/${image}:${cache_tag}") else docker_cli+=("--no-cache") @@ -273,7 +268,9 @@ function run_build() { docker_cli+=("--label" "org.opencontainers.image.version=${release}") # Validate the base image - codenotary_validate "${VCN_FROM}" "${build_from}" "true" + if ! codenotary_validate "${VCN_FROM}" "${build_from}" "true"; then + bashio::exit.nok "Invalid base image ${build_from}" + fi # Build image bashio::log.info "Run build for ${repository}/${image}:${version}" @@ -740,8 +737,10 @@ function codenotary_validate() { state="$(vcn authenticate "${vcn_cli[@]}" --output json "docker://${image}" | jq '.verification.status // 2')" if [[ "${state}" != "0" ]]; then - bashio::exit.nok "Validation of ${image} fails!" + bashio::log.warning "Validation of ${image} fails!" + return 1 fi + bashio::log.info "Image ${image} is trusted" } @@ -876,10 +875,6 @@ while [[ $# -gt 0 ]]; do VCN_FROM=$2 shift ;; - --validate-cache) - VCN_CACHE=$2 - shift - ;; *) bashio::exit.nok "$0 : Argument '$1' unknown" ;;
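Review bot: The merged `docker pull ... && codenotary_validate "${CODENOTARY_OWNER}" ...` condition can no longer distinguish "no cache image exists" from "cache image exists but failed signature validation", so a tampered cache image quietly degrades to `--no-cache` with only the generic warning from `codenotary_validate`; a registry that serves a rejected image should be called out explicitly, and the unverified image is still left in the daemon's local store after the pull. I would split the two conditions so the rejection path is visible and, if nothing else on the host relies on that tag, remove the rejected image. The behaviour when `--with-codenotary` is not given depends on how `codenotary_validate` treats an empty `CODENOTARY_OWNER`, which is decided at the head of that function outside this hunk — worth confirming it short-circuits on `VCN_NOTARY=false` rather than rejecting every cache. `run_build` starts and ends outside the hunk.
```shell
if docker pull "${repository}/${image}:${cache_tag}" > /dev/null 2>&1; then
    if codenotary_validate "${CODENOTARY_OWNER}" "${repository}/${image}:${cache_tag}" "false"; then
        docker_cli+=("--cache-from" "${repository}/${image}:${cache_tag}")
    else
        # A cache image that exists but is not trusted is a signal worth surfacing on its own.
        bashio::log.warning "Cache image ${repository}/${image}:${cache_tag} failed validation, building without cache"
        docker_cli+=("--no-cache")
    fi
else
    docker_cli+=("--no-cache")
fi
# … unchanged: remaining docker_cli assembly …
```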
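Review bot: The new fail-closed check `if ! codenotary_validate "${VCN_FROM}" "${build_from}" "true"; then bashio::exit.nok ...` is the right direction, but `VCN_FROM` is only populated by `--validate-from` and is otherwise empty, so whether a missing `--validate-from` causes a rejection, an unsigned-check pass, or a `vcn` error depends on code at the head of `codenotary_validate` that is not in this hunk. Given the help text says `--validate-from` is required with `--with-codenotary`, I would make that explicit before the build rather than rely on `vcn`'s handling of an empty signer: `if [[ "${VCN_NOTARY}" == "true" && -z "${VCN_FROM}" ]]; then bashio::exit.nok "--with-codenotary requires --validate-from"; fi`. The `bashio::var.*` helpers may offer a cleaner boolean test if the file already uses them. `run_build` continues outside the hunk.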
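Review bot: Changing `bashio::exit.nok` to `bashio::log.warning` plus `return 1` silently changes the contract of `codenotary_validate` from fail-stop to "caller decides"; the two call sites in this diff are updated, but the function head and any other callers are outside these hunks, so any remaining caller that ignores the return value now continues past a failed validation. Please grep for other `codenotary_validate` uses and document the new contract above the function, e.g. `# Returns 0 when vcn reports the image as trusted, non-zero otherwise (including when vcn itself fails); callers must decide whether to abort.` The empty-`state` path (no JSON from `vcn`) already falls through to `return 1`, which is the fail-closed behaviour you want — the comment should say that so nobody "fixes" it into a pass.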