Optimize build_base build job (#157231)

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

.github/workflows/builder.yml

@@ -14,6 +14,7 @@ env:
   PIP_TIMEOUT: 60
   UV_HTTP_TIMEOUT: 60
   UV_SYSTEM_PYTHON: "true"
+  BASE_IMAGE_VERSION: "2025.11.0"
 
 jobs:
   init:
@@ -21,7 +22,6 @@ jobs:
     if: github.repository_owner == 'home-assistant'
     runs-on: ubuntu-latest
     outputs:
-      architectures: ${{ steps.info.outputs.architectures }}
       version: ${{ steps.version.outputs.version }}
       channel: ${{ steps.version.outputs.channel }}
       publish: ${{ steps.version.outputs.publish }}
@@ -77,7 +77,7 @@ jobs:
     name: Build ${{ matrix.arch }} base core image
     if: github.repository_owner == 'home-assistant'
     needs: init
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
     permissions:
       contents: read
       packages: write
@@ -85,7 +85,12 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        arch: ${{ fromJson(needs.init.outputs.architectures) }}
+        arch: ["amd64", "aarch64"]
+        include:
+          - arch: amd64
+            os: ubuntu-latest
+          - arch: aarch64
+            os: ubuntu-24.04-arm
     steps:
       - name: Checkout the repository
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
@@ -182,16 +187,59 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      # home-assistant/builder doesn't support sha pinning
-      - name: Build base image
-        uses: home-assistant/builder@2025.09.0
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
         with:
-          args: |
-            $BUILD_ARGS \
-            --${{ matrix.arch }} \
-            --cosign \
-            --target /data \
-            --generic ${{ needs.init.outputs.version }}
+          cosign-release: "v2.5.3"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Build variables
+        id: vars
+        shell: bash
+        run: |
+          echo "base_image=ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant-base:${{ env.BASE_IMAGE_VERSION }}" >> "$GITHUB_OUTPUT"
+          echo "cache_image=ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant:latest" >> "$GITHUB_OUTPUT"
+          echo "created=$(date --rfc-3339=seconds --utc)" >> "$GITHUB_OUTPUT"
+
+      - name: Verify base image signature
+        run: |
+          cosign verify \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp "https://github.com/home-assistant/docker/.*" \
+            "${{ steps.vars.outputs.base_image }}"
+
+      - name: Verify cache image signature
+        id: cache
+        continue-on-error: true
+        run: |
+          cosign verify \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp "https://github.com/home-assistant/core/.*" \
+            "${{ steps.vars.outputs.cache_image }}"
+
+      - name: Build base image
+        id: build
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: ${{ steps.vars.outputs.platform }}
+          push: true
+          cache-from: ${{ steps.cache.outcome == 'success' && steps.vars.outputs.cache_image || '' }}
+          build-args: |
+            BUILD_FROM=${{ steps.vars.outputs.base_image }}
+          tags: ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant:${{ needs.init.outputs.version }}
+          labels: |
+            io.hass.arch=${{ matrix.arch }}
+            io.hass.version=${{ needs.init.outputs.version }}
+            org.opencontainers.image.created=${{ steps.vars.outputs.created }}
+            org.opencontainers.image.version=${{ needs.init.outputs.version }}
+
+      - name: Sign image
+        run: |
+          cosign sign --yes "ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant:${{ needs.init.outputs.version }}@${{ steps.build.outputs.digest }}"
 
   build_machine:
     name: Build ${{ matrix.machine }} machine core image

.github/workflows/wheels.yml

@@ -28,8 +28,6 @@ jobs:
     name: Initialize wheels builder
     if: github.repository_owner == 'home-assistant'
     runs-on: ubuntu-latest
-    outputs:
-      architectures: ${{ steps.info.outputs.architectures }}
     steps:
       - &checkout
         name: Checkout the repository
@@ -50,10 +48,6 @@ jobs:
           pip install "$(grep '^uv' < requirements.txt)"
           uv pip install -r requirements.txt
 
-      - name: Get information
-        id: info
-        uses: home-assistant/actions/helpers/info@master
-
       - name: Create requirements_diff file
         run: |
           if [[ ${{ github.event_name }} =~ (schedule|workflow_dispatch) ]]; then
@@ -114,9 +108,10 @@ jobs:
       fail-fast: false
       matrix: &matrix-build
         abi: ["cp313", "cp314"]
-        arch: ${{ fromJson(needs.init.outputs.architectures) }}
+        arch: ["amd64", "aarch64"]
         include:
-          - os: ubuntu-latest
+          - arch: amd64
+            os: ubuntu-latest
           - arch: aarch64
             os: ubuntu-24.04-arm
     steps: