diff --git a/.github/workflows/builder.yml b/.github/workflows/builder.yml
index 7f1eea69a..217cc28aa 100644
--- a/.github/workflows/builder.yml
+++ b/.github/workflows/builder.yml
@@ -34,6 +34,9 @@ on:
 env:
 DEFAULT_PYTHON: "3.13"
+ COSIGN_VERSION: "v2.5.3"
+ CRANE_VERSION: "v0.20.7"
+ CRANE_SHA256: "8ef3564d264e6b5ca93f7b7f5652704c4dd29d33935aff6947dd5adefd05953e"
 BUILD_NAME: supervisor
 BUILD_TYPE: supervisor
@@ -134,7 +137,7 @@ jobs:
 if: needs.init.outputs.publish == 'true'
 uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
 with:
- cosign-release: "v2.5.3"
+ cosign-release: ${{ env.COSIGN_VERSION }}
 - name: Install dirhash and calc hash
 if: needs.init.outputs.publish == 'true'
@@ -173,7 +176,7 @@ jobs:
 version:
 name: Update version
- needs: ["init", "run_supervisor"]
+ needs: ["init", "run_supervisor", "retag_deprecated"]
 runs-on: ubuntu-latest
 steps:
 - name: Checkout the repository
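Review bot: `CRANE_SHA256` in the added `env` entries is the digest of one specific asset, and nothing beside it says which; the install step later in this diff checks it against `go-containerregistry_Linux_x86_64.tar.gz` at `CRANE_VERSION`. A version bump that leaves the hash untouched fails the build at `sha256sum -c`, which is the safe direction, but the coupling is easy to miss when the bump is automated. A comment such as `# sha256 of go-containerregistry_Linux_x86_64.tar.gz at CRANE_VERSION; update both together` above the two entries would document it. The `env` block begins before this hunk.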
@@ -352,3 +355,50 @@ jobs:
 - name: Get supervisor logs on failiure
 if: ${{ cancelled() || failure() }}
 run: docker logs hassio_supervisor
+
+ retag_deprecated:
+ needs: ["build", "init"]
+ name: Re-tag deprecated ${{ matrix.arch }} images
+ if: needs.init.outputs.publish == 'true'
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ packages: write
+ strategy:
+ matrix:
+ arch: ["armhf", "armv7", "i386"]
+ env:
+ # Last available release for deprecated architectures
+ FROZEN_VERSION: "2025.11.5"
+ steps:
+ - name: Login to GitHub Container Registry
+ uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
+ with:
+ registry: ghcr.io
+ username: ${{ github.repository_owner }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Install Cosign
+ uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+ with:
+ cosign-release: ${{ env.COSIGN_VERSION }}
+
+ - name: Install crane
+ run: |
+ curl -sLO https://github.com/google/go-containerregistry/releases/download/${{ env.CRANE_VERSION }}/go-containerregistry_Linux_x86_64.tar.gz
+ echo "${{ env.CRANE_SHA256 }} go-containerregistry_Linux_x86_64.tar.gz" | sha256sum -c -
+ tar xzf go-containerregistry_Linux_x86_64.tar.gz crane
+ sudo mv crane /usr/local/bin/
+
+ - name: Re-tag deprecated image with updated version label
+ run: |
+ crane auth login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }}
+ crane mutate \
+ --label io.hass.version=${{ needs.init.outputs.version }} \
+ --tag ghcr.io/home-assistant/${{ matrix.arch }}-hassio-supervisor:${{ needs.init.outputs.version }} \
+ ghcr.io/home-assistant/${{ matrix.arch }}-hassio-supervisor:${{ env.FROZEN_VERSION }}
+
+ - name: Sign image with Cosign
+ run: |
+ cosign sign --yes ghcr.io/home-assistant/${{ matrix.arch }}-hassio-supervisor:${{ needs.init.outputs.version }}
diff --git a/build.yaml b/build.yaml
index 29f67883d..cf30ac2e1 100644
--- a/build.yaml
+++ b/build.yaml
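Review bot: In the `Re-tag deprecated image` and `Sign image with Cosign` steps, the registry token is passed as `-p ${{ secrets.GITHUB_TOKEN }}`, `${{ needs.init.outputs.version }}` is expanded directly into the shell script, and the signature is made on the mutable tag instead of the digest that was just pushed. An argument is visible in the runner's process list and an expression expanded into `run:` is parsed as shell, so both belong in `env:` with `--password-stdin` for the login. Signing by tag leaves a window between push and sign in which the tag can point elsewhere; the sketch below signs the digest reference that `crane mutate` prints on stdout, which is worth confirming for the pinned crane version. The frozen `FROZEN_VERSION` image is also re-signed without a prior `cosign verify` against the `identity` pattern in build.yaml, so the new signature vouches for whatever that tag currently resolves to.

```yaml
      # … unchanged: registry login, Cosign install, crane install …

      - name: Re-tag deprecated image with updated version label
        id: retag
        env:
          REGISTRY_USER: ${{ github.repository_owner }}
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          IMAGE: ghcr.io/home-assistant/${{ matrix.arch }}-hassio-supervisor
          VERSION: ${{ needs.init.outputs.version }}
        run: |
          printf '%s' "${REGISTRY_TOKEN}" | crane auth login ghcr.io -u "${REGISTRY_USER}" --password-stdin
          # keep the digest reference printed by crane mutate for the signing step
          image_ref="$(crane mutate \
            --label "io.hass.version=${VERSION}" \
            --tag "${IMAGE}:${VERSION}" \
            "${IMAGE}:${FROZEN_VERSION}")"
          echo "image_ref=${image_ref}" >> "${GITHUB_OUTPUT}"

      - name: Sign image with Cosign
        env:
          IMAGE_REF: ${{ steps.retag.outputs.image_ref }}
        run: |
          cosign sign --yes "${IMAGE_REF}"
```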
@@ -1,10 +1,7 @@
 image: ghcr.io/home-assistant/{arch}-hassio-supervisor
 build_from:
 aarch64: ghcr.io/home-assistant/aarch64-base-python:3.13-alpine3.22-2025.11.1
- armhf: ghcr.io/home-assistant/armhf-base-python:3.13-alpine3.22-2025.11.1
- armv7: ghcr.io/home-assistant/armv7-base-python:3.13-alpine3.22-2025.11.1
 amd64: ghcr.io/home-assistant/amd64-base-python:3.13-alpine3.22-2025.11.1
- i386: ghcr.io/home-assistant/i386-base-python:3.13-alpine3.22-2025.11.1
 cosign:
 base_identity: https://github.com/home-assistant/docker-base/.*
 identity: https://github.com/home-assistant/supervisor/.*