Use buildx imagetools to copy base image to docker.io and enable provenance (#157341)

Co-authored-by: Stefan Agner <stefan@agner.ch>
2025-12-19 18:38:58 +00:00 · 2025-11-26 15:12:32 +01:00
parent f758cfa82f
commit f69fce68d6
1 changed files with 10 additions and 11 deletions
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -229,7 +229,6 @@ jobs:
          file: ./Dockerfile
          platforms: ${{ steps.vars.outputs.platform }}
          push: true
-          provenance: false
          cache-from: ${{ steps.cache.outcome == 'success' && steps.vars.outputs.cache_image || '' }}
          build-args: |
            BUILD_FROM=${{ steps.vars.outputs.base_image }}
@@ -366,7 +365,6 @@ jobs:
          password: ${{ secrets.DOCKERHUB_TOKEN }}

      - name: Login to GitHub Container Registry
-        if: matrix.registry == 'ghcr.io/home-assistant'
        uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
        with:
          registry: ghcr.io
@@ -407,23 +405,24 @@ jobs:
            type=raw,value=latest,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
            type=semver,pattern={{major}}.{{minor}},value=${{ needs.init.outputs.version }},enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}

-      - name: Push architecture images to DockerHub
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.7.1
+
+      - name: Copy architecture images to DockerHub
        if: matrix.registry == 'docker.io/homeassistant'
        shell: bash
        run: |
+          # Use imagetools to copy image blobs directly between registries
+          # This preserves provenance/attestations and seems to be much faster than pull/push
          ARCHS=$(echo '${{ needs.init.outputs.architectures }}' | jq -r '.[]')
          for arch in $ARCHS; do
-            echo "Pushing ${arch} to DockerHub..."
-            docker pull "ghcr.io/home-assistant/${arch}-homeassistant:${{ needs.init.outputs.version }}"
-            docker tag "ghcr.io/home-assistant/${arch}-homeassistant:${{ needs.init.outputs.version }}" \
-              "docker.io/homeassistant/${arch}-homeassistant:${{ needs.init.outputs.version }}"
-            docker push "docker.io/homeassistant/${arch}-homeassistant:${{ needs.init.outputs.version }}"
+            echo "Copying ${arch} image to DockerHub..."
+            docker buildx imagetools create \
+              --tag "docker.io/homeassistant/${arch}-homeassistant:${{ needs.init.outputs.version }}" \
+              "ghcr.io/home-assistant/${arch}-homeassistant:${{ needs.init.outputs.version }}"
            cosign sign --yes "docker.io/homeassistant/${arch}-homeassistant:${{ needs.init.outputs.version }}"
          done

-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@aa33708b10e362ff993539393ff100fa93ed6a27 # v3.7.1
-
      - name: Create and push multi-arch manifests
        shell: bash
        run: |