From f69fce68d6fe684bc2dbb516e258023c7a3a617f Mon Sep 17 00:00:00 2001
From: Robert Resch
Date: Wed, 26 Nov 2025 15:12:32 +0100
Subject: [PATCH] Use buildx imagetools to copy base image to docker.io and enable provenance (#157341)
Co-authored-by: Stefan Agner
---
 .github/workflows/builder.yml | 21 ++++++++++-----------
 1 file changed, 10 insertions(+), 11 deletions(-)
diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
index 9100f1bb976..6f3074a0b97 100644
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -229,7 +229,6 @@ jobs:
 file: ./Dockerfile
 platforms: ${{ steps.vars.outputs.platform }}
 push: true
- provenance: false
 cache-from: ${{ steps.cache.outcome == 'success' && steps.vars.outputs.cache_image || '' }}
 build-args: |
 BUILD_FROM=${{ steps.vars.outputs.base_image }}
@@ -366,7 +365,6 @@ jobs:
 password: ${{ secrets.DOCKERHUB_TOKEN }}

 - name: Login to GitHub Container Registry
- if: matrix.registry == 'ghcr.io/home-assistant'
 uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
 with:
 registry: ghcr.io
@@ -407,23 +405,24 @@ jobs:
 type=raw,value=latest,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
 type=semver,pattern={{major}}.{{minor}},value=${{ needs.init.outputs.version }},enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}

- - name: Push architecture images to DockerHub
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.7.1
+
+ - name: Copy architecture images to DockerHub
 if: matrix.registry == 'docker.io/homeassistant'
 shell: bash
 run: |
+ # Use imagetools to copy image blobs directly between registries
+ # This preserves provenance/attestations and seems to be much faster than pull/push
 ARCHS=$(echo '${{ needs.init.outputs.architectures }}' | jq -r '.[]')
 for arch in $ARCHS; do
- echo "Pushing ${arch} to DockerHub..."
- docker pull "ghcr.io/home-assistant/${arch}-homeassistant:${{ needs.init.outputs.version }}"
- docker tag "ghcr.io/home-assistant/${arch}-homeassistant:${{ needs.init.outputs.version }}" \
- "docker.io/homeassistant/${arch}-homeassistant:${{ needs.init.outputs.version }}"
- docker push "docker.io/homeassistant/${arch}-homeassistant:${{ needs.init.outputs.version }}"
+ echo "Copying ${arch} image to DockerHub..."
+ docker buildx imagetools create \
+ --tag "docker.io/homeassistant/${arch}-homeassistant:${{ needs.init.outputs.version }}" \
+ "ghcr.io/home-assistant/${arch}-homeassistant:${{ needs.init.outputs.version }}"
 cosign sign --yes "docker.io/homeassistant/${arch}-homeassistant:${{ needs.init.outputs.version }}"
 done

- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.7.1
-
 - name: Create and push multi-arch manifests
 shell: bash
 run: |
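Review bot: The `cosign sign --yes` call at the end of the copy loop still targets the Docker Hub tag, so the signature binds to whatever digest that tag resolves to when cosign runs, not provably to the manifest `imagetools create` just wrote. Resolving the digest after the copy and signing `repo@sha256:…` gives a fixed, loggable reference that can also be compared with the GHCR source. The new lines also keep expanding `${{ needs.init.outputs.version }}` and `${{ needs.init.outputs.architectures }}` directly into the script text; whether those outputs are constrained is not visible in this hunk, so passing them through `env:` is the safer default. Since the build step now emits provenance, the copied reference is probably an image index, and it is worth confirming that a signature on the index is what consumers verify (cosign offers `--recursive` for the per-platform manifests). The sketch below covers only the copy step; the manifest step that follows continues outside the hunk.

```yaml
      - name: Copy architecture images to DockerHub
        # … unchanged: if / shell …
        env:
          VERSION: ${{ needs.init.outputs.version }}
          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
        run: |
          # … unchanged: imagetools comment …
          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
          for arch in $ARCHS; do
            src="ghcr.io/home-assistant/${arch}-homeassistant:${VERSION}"
            dst="docker.io/homeassistant/${arch}-homeassistant"
            echo "Copying ${arch} image to DockerHub..."
            docker buildx imagetools create --tag "${dst}:${VERSION}" "${src}"
            # Resolve the digest that was pushed and sign that, not the tag
            digest=$(docker buildx imagetools inspect "${dst}:${VERSION}" --format '{{json .Manifest}}' | jq -r '.digest')
            cosign sign --yes "${dst}@${digest}"
          done
```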