@@ -64,20 +64,28 @@ jobs:
6464 matrix :
6565 architecture : ${{ fromJson(needs.information.outputs.architectures) }}
6666 steps :
67+ - name : 🔂 Wait for other runs to complete
68+ uses : softprops/turnstyle@v1
69+ env :
70+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
6771 - name : ⤵️ Check out code from GitHub
6872 uses : actions/checkout@v2.3.4
6973 - name : 🏗 Set up build cache
7074 id : cache
7175 uses : actions/cache@v2.1.5
7276 with :
7377 path : /tmp/.docker-cache
74- key : docker-${{ github.ref }}-${{ matrix.architecture }}-${{ github.sha }}
78+ key :
79+ docker-${{ github.ref }}-${{ matrix.architecture }}-${{ github.sha
80+ }}
7581 restore-keys : |
7682 docker-${{ github.ref }}-${{ matrix.architecture }}
7783name : 🏗 Set up QEMU
7884 uses : docker/setup-qemu-action@v1.1.0
7985 - name : 🏗 Set up Docker Buildx
8086 uses : docker/setup-buildx-action@v1.3.0
87+ - name : 🏗 Set up CodeNotary
88+ run : bash <(curl https://getvcn.codenotary.com -L)
8189 - name : ℹ️ Compose build flags
8290 id : flags
8391 run : |
@@ -103,12 +111,25 @@ jobs:
103111 uses : docker/login-action@v1.9.0
104112 with :
105113 registry : ghcr.io
106- username : ${{ secrets.GHCR_USERNAME }}
107- password : ${{ secrets.GHCR_PASSWORD }}
108- - name : 🚀 Build and push
114+ username : ${{ github.repository_owner }}
115+ password : ${{ secrets.GITHUB_TOKEN }}
116+ - name : ⤵️ Download base image
117+ run : docker pull "${{ steps.flags.outputs.from }}"
118+ - name : ✅ Verify authenticity of base image
119+ run : |
120+ vcn authenticate \
121+ "docker://${{ steps.flags.outputs.from }}"
122+ vcn authenticate \
123+ --output json \
124+ --signerID 0x03e406879fd89e52f38f4aab0061266d1183980a \
125+ "docker://${{ steps.flags.outputs.from }}" \
126+ | jq \
127+ --exit-status \
128+ '.verification.status == 0'
129+ name : 🚀 Build
109130 uses : docker/build-push-action@v2.4.0
110131 with :
111- push : true
132+ load : true
112133 # yamllint disable rule:line-length
113134 tags : |
114135 ghcr.io/hassio-addons/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.environment }}
@@ -130,6 +151,33 @@ jobs:
130151 BUILD_REF=${{ github.sha }}
131152 BUILD_REPOSITORY=${{ github.repository }}
132153 BUILD_VERSION=${{ needs.information.outputs.version }}
154+ name : 🔏 Notarize
155+ # yamllint disable rule:line-length
156+ run : |
157+ if vcn authenticate \
158+ --output json \
159+ "docker://ghcr.io/hassio-addons/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.version }}" \
160+ | jq \
161+ --exit-status \
162+ '.verification.status != 0';
163+ then
164+ vcn login
165+ vcn notarize \
166+ --public \
167+ "docker://ghcr.io/hassio-addons/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.version }}"
168+ fi
169+ env :
170+ VCN_USER : ${{ secrets.VCN_USER }}
171+ VCN_PASSWORD : ${{ secrets.VCN_PASSWORD }}
172+ VCN_NOTARIZATION_PASSWORD : ${{ secrets.VCN_NOTARIZATION_PASSWORD }}
173+ VCN_OTP_EMPTY : true
174+ - name : 🚀 Push
175+ # yamllint disable rule:line-length
176+ run : |
177+ docker push \
178+ "ghcr.io/hassio-addons/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.environment }}"
179+ docker push \
180+ "ghcr.io/hassio-addons/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.version }}"
133181
134182publish-edge :
135183 name : 📢 Publish to edge repository
0 commit comments