⬆️ Upgrades add-on base image to v10.0.0 (#90)

Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 1.4.1 to 1.5.0.
- [Release notes](https://github.com/docker/setup-buildx-action/releases)
- [Commits](https://github.com/docker/setup-buildx-action/compare/v1.4.1...v1.5.0)

---
updated-dependencies:
- dependency-name: docker/setup-buildx-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.editorconfig

@@ -1,19 +0,0 @@
-root = true
-
-[*]
-charset = utf-8
-end_of_line = lf
-indent_style = space
-insert_final_newline = true
-trim_trailing_whitespace = true
-ident_size = 4
-
-[*.md]
-ident_size = 2
-trim_trailing_whitespace = false
-
-[*.json]
-ident_size = 2
-
-[{.gitignore,.gitkeep,.editorconfig}]
-ident_size = 2

.github/workflows/ci.yaml

@@ -27,7 +27,7 @@ jobs:
         uses: actions/checkout@v2.3.4
       - name: 🚀 Run add-on information action
         id: information
-        uses: frenck/action-addon-information@v1.0.0
+        uses: frenck/action-addon-information@v1.2.2
 
   lint-addon:
     name: Lint Add-on
@@ -38,7 +38,7 @@ jobs:
       - name: ⤵️ Check out code from GitHub
         uses: actions/checkout@v2.3.4
       - name: 🚀 Run Add-on Lint
-        uses: frenck/action-addon-linter@v1.4
+        uses: frenck/action-addon-linter@v2.1
         with:
           community: true
           path: "./${{ needs.information.outputs.target }}"
@@ -52,7 +52,7 @@ jobs:
       - name: ⤵️ Check out code from GitHub
         uses: actions/checkout@v2.3.4
       - name: 🚀 Run Hadolint
-        uses: brpaz/hadolint-action@v1.3.1
+        uses: brpaz/hadolint-action@v1.5.0
         with:
           dockerfile: "./${{ needs.information.outputs.target }}/Dockerfile"
 
@@ -74,7 +74,7 @@ jobs:
       - name: ⤵️ Check out code from GitHub
         uses: actions/checkout@v2.3.4
       - name: 🚀 Run mdl
-        uses: actionshub/markdownlint@2.0.0
+        uses: actionshub/markdownlint@2.0.2
 
   lint-shellcheck:
     name: Shellcheck
@@ -83,7 +83,7 @@ jobs:
       - name: ⤵️ Check out code from GitHub
         uses: actions/checkout@v2.3.4
       - name: 🚀 Run Shellcheck
-        uses: ludeeus/action-shellcheck@1.0.0
+        uses: ludeeus/action-shellcheck@1.1.0
         env:
           SHELLCHECK_OPTS: -s bash
 
@@ -129,16 +129,20 @@ jobs:
         uses: actions/checkout@v2.3.4
       - name: 🏗 Set up build cache
         id: cache
-        uses: actions/cache@v2.1.3
+        uses: actions/cache@v2.1.6
         with:
           path: /tmp/.docker-cache
-          key: docker-${{ github.ref }}-${{ matrix.architecture }}-${{ github.sha }}
+          key:
+            docker-${{ github.ref }}-${{ matrix.architecture }}-${{ github.sha
+            }}
           restore-keys: |
             docker-${{ github.ref }}-${{ matrix.architecture }}
       - name: 🏗 Set up QEMU
-        uses: docker/setup-qemu-action@v1.0.1
+        uses: docker/setup-qemu-action@v1.2.0
       - name: 🏗 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1.1.1
+        uses: docker/setup-buildx-action@v1.5.0
+      - name: 🏗 Set up CodeNotary
+        run: bash <(curl https://getvcn.codenotary.com -L)
       - name: ℹ️ Compose build flags
         id: flags
         run: |
@@ -160,8 +164,21 @@ jobs:
             echo "::error ::Could not determine platform for architecture ${{ matrix.architecture }}"
             exit 1
           fi
+      - name: ⤵️ Download base image
+        run: docker pull "${{ steps.flags.outputs.from }}"
+      - name: ✅ Verify authenticity of base image
+        run: |
+          vcn authenticate \
+            "docker://${{ steps.flags.outputs.from }}"
+          vcn authenticate \
+            --output json \
+            --signerID 0x03e406879fd89e52f38f4aab0061266d1183980a \
+            "docker://${{ steps.flags.outputs.from }}" \
+            | jq \
+              --exit-status \
+              '.verification.status == 0'
       - name: 🚀 Build
-        uses: docker/build-push-action@v2.2.2
+        uses: docker/build-push-action@v2.6.1
         with:
           push: false
           context: ${{ needs.information.outputs.target }}

.github/workflows/deploy.yaml

@@ -36,7 +36,7 @@ jobs:
         uses: actions/checkout@v2.3.4
       - name: 🚀 Run add-on information action
         id: information
-        uses: frenck/action-addon-information@v1.0.0
+        uses: frenck/action-addon-information@v1.2.2
       - name: ℹ️ Gather version and environment
         id: release
         run: |
@@ -64,20 +64,28 @@ jobs:
       matrix:
         architecture: ${{ fromJson(needs.information.outputs.architectures) }}
     steps:
+      - name: 🔂 Wait for other runs to complete
+        uses: softprops/turnstyle@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: ⤵️ Check out code from GitHub
         uses: actions/checkout@v2.3.4
       - name: 🏗 Set up build cache
         id: cache
-        uses: actions/cache@v2.1.3
+        uses: actions/cache@v2.1.6
         with:
           path: /tmp/.docker-cache
-          key: docker-${{ github.ref }}-${{ matrix.architecture }}-${{ github.sha }}
+          key:
+            docker-${{ github.ref }}-${{ matrix.architecture }}-${{ github.sha
+            }}
           restore-keys: |
             docker-${{ github.ref }}-${{ matrix.architecture }}
       - name: 🏗 Set up QEMU
-        uses: docker/setup-qemu-action@v1.0.1
+        uses: docker/setup-qemu-action@v1.2.0
       - name: 🏗 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1.1.1
+        uses: docker/setup-buildx-action@v1.5.0
+      - name: 🏗 Set up CodeNotary
+        run: bash <(curl https://getvcn.codenotary.com -L)
       - name: ℹ️ Compose build flags
         id: flags
         run: |
@@ -100,15 +108,28 @@ jobs:
             exit 1
           fi
       - name: 🏗  Login to GitHub Container Registry
-        uses: docker/login-action@v1.8.0
+        uses: docker/login-action@v1.10.0
         with:
           registry: ghcr.io
-          username: ${{ secrets.GHCR_USERNAME }}
-          password: ${{ secrets.GHCR_PASSWORD }}
-      - name: 🚀 Build and push
-        uses: docker/build-push-action@v2.2.2
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: ⤵️ Download base image
+        run: docker pull "${{ steps.flags.outputs.from }}"
+      - name: ✅ Verify authenticity of base image
+        run: |
+          vcn authenticate \
+            "docker://${{ steps.flags.outputs.from }}"
+          vcn authenticate \
+            --output json \
+            --signerID 0x03e406879fd89e52f38f4aab0061266d1183980a \
+            "docker://${{ steps.flags.outputs.from }}" \
+            | jq \
+              --exit-status \
+              '.verification.status == 0'
+      - name: 🚀 Build
+        uses: docker/build-push-action@v2.6.1
         with:
-          push: true
+          load: true
           # yamllint disable rule:line-length
           tags: |
             ghcr.io/hassio-addons/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.environment }}
@@ -130,6 +151,33 @@ jobs:
             BUILD_REF=${{ github.sha }}
             BUILD_REPOSITORY=${{ github.repository }}
             BUILD_VERSION=${{ needs.information.outputs.version }}
+      - name: 🔏 Notarize
+        # yamllint disable rule:line-length
+        run: |
+          if vcn authenticate \
+            --output json \
+            "docker://ghcr.io/hassio-addons/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.version }}" \
+            | jq \
+              --exit-status \
+              '.verification.status != 0';
+          then
+            vcn login
+            vcn notarize \
+              --public \
+              "docker://ghcr.io/hassio-addons/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.version }}"
+          fi
+        env:
+          VCN_USER: ${{ secrets.VCN_USER }}
+          VCN_PASSWORD: ${{ secrets.VCN_PASSWORD }}
+          VCN_NOTARIZATION_PASSWORD: ${{ secrets.VCN_NOTARIZATION_PASSWORD }}
+          VCN_OTP_EMPTY: true
+      - name: 🚀 Push
+        # yamllint disable rule:line-length
+        run: |
+          docker push \
+            "ghcr.io/hassio-addons/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.environment }}"
+          docker push \
+            "ghcr.io/hassio-addons/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.version }}"
 
   publish-edge:
     name: 📢 Publish to edge repository

.github/workflows/labels.yaml

@@ -17,6 +17,6 @@ jobs:
       - name: ⤵️ Check out code from GitHub
         uses: actions/checkout@v2.3.4
       - name: 🚀 Run Label Syncer
-        uses: micnncim/action-label-syncer@v1.2.0
+        uses: micnncim/action-label-syncer@v1.3.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/pr-labels.yaml

@@ -0,0 +1,21 @@
+---
+name: PR Labels
+
+# yamllint disable-line rule:truthy
+on:
+  pull_request:
+    types: [opened, labeled, unlabeled, synchronize]
+
+jobs:
+  pr_labels:
+    name: Verify
+    runs-on: ubuntu-latest
+    steps:
+      - name: 🏷 Verify PR has a valid label
+        uses: jesusvasquez333/verify-pr-label-action@v1.4.0
+        with:
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          valid-labels: >-
+            breaking-change, bugfix, documentation, enhancement, refactor,
+            performance, new-feature, maintenance, ci, dependencies
+          disable-reviews: true

.github/workflows/release-drafter.yaml

@@ -13,6 +13,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 🚀 Run Release Drafter
-        uses: release-drafter/release-drafter@v5.13.0
+        uses: release-drafter/release-drafter@v5.15.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/stale.yaml

@@ -13,7 +13,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 🚀 Run stale
-        uses: actions/stale@v3.0.15
+        uses: actions/stale@v3.0.19
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           days-before-stale: 30

zerotier/Dockerfile

@@ -1,4 +1,4 @@
-ARG BUILD_FROM=ghcr.io/hassio-addons/base/amd64:9.1.2
+ARG BUILD_FROM=ghcr.io/hassio-addons/base/amd64:10.0.0
 # hadolint ignore=DL3006
 FROM ${BUILD_FROM}
 
@@ -10,14 +10,14 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN \
     apk add --no-cache --virtual .build-dependencies \
         build-base=0.5-r2 \
-        linux-headers=5.7.8-r0 \
-        git=2.30.0-r0 \
+        linux-headers=5.10.41-r0 \
+        git=2.32.0-r0 \
     \
     && apk add --no-cache \
-        libgcc=10.2.1_pre1-r3 \
-        libstdc++=10.2.1_pre1-r3 \
+        libgcc=10.3.1_git20210424-r2 \
+        libstdc++=10.3.1_git20210424-r2 \
     \
-    && git clone --branch "1.6.2" --depth=1 \
+    && git clone --branch "1.6.5" --depth=1 \
         "https://github.com/zerotier/ZeroTierOne.git" /tmp/zerotier \
     \
     && cd /tmp/zerotier \

zerotier/build.json

@@ -1,9 +1,9 @@
 {
   "build_from": {
-    "aarch64": "ghcr.io/hassio-addons/base/aarch64:9.1.2",
-    "amd64": "ghcr.io/hassio-addons/base/amd64:9.1.2",
-    "armhf": "ghcr.io/hassio-addons/base/armhf:9.1.2",
-    "armv7": "ghcr.io/hassio-addons/base/armv7:9.1.2",
-    "i386": "ghcr.io/hassio-addons/base/i386:9.1.2"
+    "aarch64": "ghcr.io/hassio-addons/base/aarch64:10.0.0",
+    "amd64": "ghcr.io/hassio-addons/base/amd64:10.0.0",
+    "armhf": "ghcr.io/hassio-addons/base/armhf:10.0.0",
+    "armv7": "ghcr.io/hassio-addons/base/armv7:10.0.0",
+    "i386": "ghcr.io/hassio-addons/base/i386:10.0.0"
   }
 }

zerotier/config.json

@@ -15,7 +15,7 @@
   },
   "host_network": true,
   "privileged": ["NET_ADMIN", "SYS_ADMIN"],
-  "devices": ["/dev/net/tun:/dev/net/tun:rwm"],
+  "devices": ["/dev/net/tun"],
   "map": ["ssl:rw"],
   "options": {
     "networks": [],