⬆️ Upgrades add-on base image to 10.1.0 (#105 )

⬆️ Upgrades ZeroTier One to 1.6.6 (#106 )
⬆️ Bump docker/setup-buildx-action from 1.5.1 to 1.6.0 (#103 )
2021-09-24 08:22:22 +02:00 · 2021-09-24 08:20:35 +02:00 · 2021-09-23 22:04:48 +02:00 · 2021-09-23 22:04:38 +02:00 · 2021-08-26 10:56:17 +02:00 · 2021-08-23 11:29:07 +02:00
15 changed files with 1980 additions and 61 deletions
--- a/.editorconfig
+++ b/.editorconfig
@@ -1,19 +0,0 @@
-root = true
-
-[*]
-charset = utf-8
-end_of_line = lf
-indent_style = space
-insert_final_newline = true
-trim_trailing_whitespace = true
-ident_size = 4
-
-[*.md]
-ident_size = 2
-trim_trailing_whitespace = false
-
-[*.json]
-ident_size = 2
-
-[{.gitignore,.gitkeep,.editorconfig}]
-ident_size = 2
--- a/.github/CODE_OF_CONDUCT.md
+++ b/.github/CODE_OF_CONDUCT.md
--- a/.github/CONTRIBUTING.md
+++ b/.github/CONTRIBUTING.md
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -27,7 +27,7 @@ jobs:
        uses: actions/checkout@v2.3.4
      - name: 🚀 Run add-on information action
        id: information
-        uses: frenck/action-addon-information@v1.0.0
+        uses: frenck/action-addon-information@v1.2.2

  lint-addon:
    name: Lint Add-on
@@ -38,7 +38,7 @@ jobs:
      - name: ⤵️ Check out code from GitHub
        uses: actions/checkout@v2.3.4
      - name: 🚀 Run Add-on Lint
-        uses: frenck/action-addon-linter@v1.4
+        uses: frenck/action-addon-linter@v2.3
        with:
          community: true
          path: "./${{ needs.information.outputs.target }}"
@@ -52,7 +52,7 @@ jobs:
      - name: ⤵️ Check out code from GitHub
        uses: actions/checkout@v2.3.4
      - name: 🚀 Run Hadolint
-        uses: brpaz/hadolint-action@v1.3.1
+        uses: brpaz/hadolint-action@v1.5.0
        with:
          dockerfile: "./${{ needs.information.outputs.target }}/Dockerfile"

@@ -83,7 +83,7 @@ jobs:
      - name: ⤵️ Check out code from GitHub
        uses: actions/checkout@v2.3.4
      - name: 🚀 Run Shellcheck
-        uses: ludeeus/action-shellcheck@1.0.0
+        uses: ludeeus/action-shellcheck@1.1.0
        env:
          SHELLCHECK_OPTS: -s bash

@@ -103,7 +103,7 @@ jobs:
      - name: ⤵️ Check out code from GitHub
        uses: actions/checkout@v2.3.4
      - name: 🚀 Run Prettier
-        uses: creyD/prettier_action@v3.3
+        uses: creyD/prettier_action@v4.0
        with:
          prettier_options: --write **/*.{json,js,md,yaml}
        env:
@@ -129,16 +129,18 @@ jobs:
        uses: actions/checkout@v2.3.4
      - name: 🏗 Set up build cache
        id: cache
-        uses: actions/cache@v2.1.4
+        uses: actions/cache@v2.1.6
        with:
          path: /tmp/.docker-cache
-          key: docker-${{ github.ref }}-${{ matrix.architecture }}-${{ github.sha }}
+          key: docker-${{ matrix.architecture }}-${{ github.sha }}
          restore-keys: |
-            docker-${{ github.ref }}-${{ matrix.architecture }}
+            docker-${{ matrix.architecture }}
      - name: 🏗 Set up QEMU
-        uses: docker/setup-qemu-action@v1.0.1
+        uses: docker/setup-qemu-action@v1.2.0
      - name: 🏗 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1.1.1
+        uses: docker/setup-buildx-action@v1.6.0
+      - name: 🏗 Set up CodeNotary
+        run: bash <(curl https://getvcn.codenotary.com -L)
      - name: ℹ️ Compose build flags
        id: flags
        run: |
@@ -160,8 +162,21 @@ jobs:
            echo "::error ::Could not determine platform for architecture ${{ matrix.architecture }}"
            exit 1
          fi
+      - name: ⤵️ Download base image
+        run: docker pull "${{ steps.flags.outputs.from }}"
+      - name: ✅ Verify authenticity of base image
+        run: |
+          vcn authenticate \
+            "docker://${{ steps.flags.outputs.from }}"
+          vcn authenticate \
+            --output json \
+            --signerID 0x03e406879fd89e52f38f4aab0061266d1183980a \
+            "docker://${{ steps.flags.outputs.from }}" \
+            | jq \
+              --exit-status \
+              '.verification.status == 0'
      - name: 🚀 Build
-        uses: docker/build-push-action@v2.2.2
+        uses: docker/build-push-action@v2.7.0
        with:
          push: false
          context: ${{ needs.information.outputs.target }}
@@ -169,7 +184,7 @@ jobs:
          cache-from: |
            type=local,src=/tmp/.docker-cache
            ghcr.io/hassio-addons/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:edge
-          cache-to: type=local,mode=max,dest=/tmp/.docker-cache
+          cache-to: type=local,mode=max,dest=/tmp/.docker-cache-new
          platforms: ${{ steps.flags.outputs.platform }}
          build-args: |
            BUILD_ARCH=${{ matrix.architecture }}
@@ -180,3 +195,11 @@ jobs:
            BUILD_REF=${{ github.sha }}
            BUILD_REPOSITORY=${{ github.repository }}
            BUILD_VERSION=edge
+      # This ugly bit is necessary, or our cache will grow forever...
+      # Well until we hit GitHub's limit of 5GB :)
+      # https://github.com/docker/build-push-action/issues/252
+      # https://github.com/moby/buildkit/issues/1896
+      - name: 🚚 Swap build cache
+        run: |
+          rm -rf /tmp/.docker-cache
+          mv /tmp/.docker-cache-new /tmp/.docker-cache
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -36,7 +36,7 @@ jobs:
        uses: actions/checkout@v2.3.4
      - name: 🚀 Run add-on information action
        id: information
-        uses: frenck/action-addon-information@v1.0.0
+        uses: frenck/action-addon-information@v1.2.2
      - name: ℹ️ Gather version and environment
        id: release
        run: |
@@ -64,20 +64,26 @@ jobs:
      matrix:
        architecture: ${{ fromJson(needs.information.outputs.architectures) }}
    steps:
+      - name: 🔂 Wait for other runs to complete
+        uses: softprops/turnstyle@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: ⤵️ Check out code from GitHub
        uses: actions/checkout@v2.3.4
      - name: 🏗 Set up build cache
        id: cache
-        uses: actions/cache@v2.1.4
+        uses: actions/cache@v2.1.6
        with:
          path: /tmp/.docker-cache
-          key: docker-${{ github.ref }}-${{ matrix.architecture }}-${{ github.sha }}
+          key: docker-${{ matrix.architecture }}-${{ github.sha }}
          restore-keys: |
-            docker-${{ github.ref }}-${{ matrix.architecture }}
+            docker-${{ matrix.architecture }}
      - name: 🏗 Set up QEMU
-        uses: docker/setup-qemu-action@v1.0.1
+        uses: docker/setup-qemu-action@v1.2.0
      - name: 🏗 Set up Docker Buildx
-        uses: docker/setup-buildx-action@v1.1.1
+        uses: docker/setup-buildx-action@v1.6.0
+      - name: 🏗 Set up CodeNotary
+        run: bash <(curl https://getvcn.codenotary.com -L)
      - name: ℹ️ Compose build flags
        id: flags
        run: |
@@ -100,15 +106,28 @@ jobs:
            exit 1
          fi
      - name: 🏗  Login to GitHub Container Registry
-        uses: docker/login-action@v1.8.0
+        uses: docker/login-action@v1.10.0
        with:
          registry: ghcr.io
-          username: ${{ secrets.GHCR_USERNAME }}
-          password: ${{ secrets.GHCR_PASSWORD }}
-      - name: 🚀 Build and push
-        uses: docker/build-push-action@v2.2.2
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+      - name: ⤵️ Download base image
+        run: docker pull "${{ steps.flags.outputs.from }}"
+      - name: ✅ Verify authenticity of base image
+        run: |
+          vcn authenticate \
+            "docker://${{ steps.flags.outputs.from }}"
+          vcn authenticate \
+            --output json \
+            --signerID 0x03e406879fd89e52f38f4aab0061266d1183980a \
+            "docker://${{ steps.flags.outputs.from }}" \
+            | jq \
+              --exit-status \
+              '.verification.status == 0'
+      - name: 🚀 Build
+        uses: docker/build-push-action@v2.7.0
        with:
-          push: true
+          load: true
          # yamllint disable rule:line-length
          tags: |
            ghcr.io/hassio-addons/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.environment }}
@@ -119,7 +138,7 @@ jobs:
          cache-from: |
            type=local,src=/tmp/.docker-cache
            ghcr.io/hassio-addons/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:edge
-          cache-to: type=local,mode=max,dest=/tmp/.docker-cache
+          cache-to: type=local,mode=max,dest=/tmp/.docker-cache-new
          platforms: ${{ steps.flags.outputs.platform }}
          build-args: |
            BUILD_ARCH=${{ matrix.architecture }}
@@ -130,6 +149,41 @@ jobs:
            BUILD_REF=${{ github.sha }}
            BUILD_REPOSITORY=${{ github.repository }}
            BUILD_VERSION=${{ needs.information.outputs.version }}
+      # This ugly bit is necessary, or our cache will grow forever...
+      # Well until we hit GitHub's limit of 5GB :)
+      # https://github.com/docker/build-push-action/issues/252
+      # https://github.com/moby/buildkit/issues/1896
+      - name: 🚚 Swap build cache
+        run: |
+          rm -rf /tmp/.docker-cache
+          mv /tmp/.docker-cache-new /tmp/.docker-cache
+      - name: 🔏 Notarize
+        # yamllint disable rule:line-length
+        run: |
+          if vcn authenticate \
+            --output json \
+            "docker://ghcr.io/hassio-addons/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.version }}" \
+            | jq \
+              --exit-status \
+              '.verification.status != 0';
+          then
+            vcn login
+            vcn notarize \
+              --public \
+              "docker://ghcr.io/hassio-addons/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.version }}"
+          fi
+        env:
+          VCN_USER: ${{ secrets.VCN_USER }}
+          VCN_PASSWORD: ${{ secrets.VCN_PASSWORD }}
+          VCN_NOTARIZATION_PASSWORD: ${{ secrets.VCN_NOTARIZATION_PASSWORD }}
+          VCN_OTP_EMPTY: true
+      - name: 🚀 Push
+        # yamllint disable rule:line-length
+        run: |
+          docker push \
+            "ghcr.io/hassio-addons/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.environment }}"
+          docker push \
+            "ghcr.io/hassio-addons/${{ needs.information.outputs.slug }}/${{ matrix.architecture }}:${{ needs.information.outputs.version }}"

  publish-edge:
    name: 📢 Publish to edge repository
--- a/.github/workflows/labels.yaml
+++ b/.github/workflows/labels.yaml
@@ -17,6 +17,6 @@ jobs:
      - name: ⤵️ Check out code from GitHub
        uses: actions/checkout@v2.3.4
      - name: 🚀 Run Label Syncer
-        uses: micnncim/action-label-syncer@v1.2.0
+        uses: micnncim/action-label-syncer@v1.3.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/lock.yaml
+++ b/.github/workflows/lock.yaml
@@ -12,7 +12,7 @@ jobs:
    name: 🔒 Lock closed issues and PRs
    runs-on: ubuntu-latest
    steps:
-      - uses: dessant/lock-threads@v2.0.3
+      - uses: dessant/lock-threads@v2.1.2
        with:
          github-token: ${{ github.token }}
          issue-lock-inactive-days: "30"
--- a/.github/workflows/pr-labels.yaml
+++ b/.github/workflows/pr-labels.yaml
@@ -0,0 +1,22 @@
+---
+name: PR Labels
+
+# yamllint disable-line rule:truthy
+on:
+  pull_request_target:
+    types: [opened, labeled, unlabeled, synchronize]
+
+jobs:
+  pr_labels:
+    name: Verify
+    runs-on: ubuntu-latest
+    steps:
+      - name: 🏷 Verify PR has a valid label
+        uses: jesusvasquez333/verify-pr-label-action@v1.4.0
+        with:
+          pull-request-number: "${{ github.event.pull_request.number }}"
+          github-token: "${{ secrets.GITHUB_TOKEN }}"
+          valid-labels: >-
+            breaking-change, bugfix, documentation, enhancement, refactor,
+            performance, new-feature, maintenance, ci, dependencies
+          disable-reviews: true
--- a/.github/workflows/release-drafter.yaml
+++ b/.github/workflows/release-drafter.yaml
@@ -13,6 +13,6 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: 🚀 Run Release Drafter
-        uses: release-drafter/release-drafter@v5.13.0
+        uses: release-drafter/release-drafter@v5.15.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
--- a/.github/workflows/stale.yaml
+++ b/.github/workflows/stale.yaml
@@ -13,7 +13,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: 🚀 Run stale
-        uses: actions/stale@v3.0.15
+        uses: actions/stale@v4
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          days-before-stale: 30
--- a/README.md
+++ b/README.md
@@ -58,7 +58,7 @@ This is an active open-source project. We are always open to people who want to
 use the code or contribute to it.

 We have set up a separate document containing our
-[contribution guidelines](CONTRIBUTING.md).
+[contribution guidelines](.github/CONTRIBUTING.md).

 Thank you for being involved! :heart_eyes:

--- a/zerotier/Dockerfile
+++ b/zerotier/Dockerfile
@@ -1,4 +1,4 @@
-ARG BUILD_FROM=ghcr.io/hassio-addons/base/amd64:9.1.2
+ARG BUILD_FROM=ghcr.io/hassio-addons/base/amd64:10.1.0
 # hadolint ignore=DL3006
 FROM ${BUILD_FROM}

@@ -10,14 +10,14 @@ SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN \
    apk add --no-cache --virtual .build-dependencies \
        build-base=0.5-r2 \
-        linux-headers=5.7.8-r0 \
-        git=2.30.0-r0 \
+        linux-headers=5.10.41-r0 \
+        git=2.32.0-r0 \
    \
    && apk add --no-cache \
-        libgcc=10.2.1_pre1-r3 \
-        libstdc++=10.2.1_pre1-r3 \
+        libgcc=10.3.1_git20210424-r2 \
+        libstdc++=10.3.1_git20210424-r2 \
    \
-    && git clone --branch "1.6.3" --depth=1 \
+    && git clone --branch "1.6.6" --depth=1 \
        "https://github.com/zerotier/ZeroTierOne.git" /tmp/zerotier \
    \
    && cd /tmp/zerotier \
--- a/zerotier/build.json
+++ b/zerotier/build.json
@@ -1,9 +1,9 @@
 {
  "build_from": {
-    "aarch64": "ghcr.io/hassio-addons/base/aarch64:9.1.2",
-    "amd64": "ghcr.io/hassio-addons/base/amd64:9.1.2",
-    "armhf": "ghcr.io/hassio-addons/base/armhf:9.1.2",
-    "armv7": "ghcr.io/hassio-addons/base/armv7:9.1.2",
-    "i386": "ghcr.io/hassio-addons/base/i386:9.1.2"
+    "aarch64": "ghcr.io/hassio-addons/base/aarch64:10.1.0",
+    "amd64": "ghcr.io/hassio-addons/base/amd64:10.1.0",
+    "armhf": "ghcr.io/hassio-addons/base/armhf:10.1.0",
+    "armv7": "ghcr.io/hassio-addons/base/armv7:10.1.0",
+    "i386": "ghcr.io/hassio-addons/base/i386:10.1.0"
  }
 }
--- a/zerotier/config.json
+++ b/zerotier/config.json
@@ -15,7 +15,7 @@
  },
  "host_network": true,
  "privileged": ["NET_ADMIN", "SYS_ADMIN"],
-  "devices": ["/dev/net/tun:/dev/net/tun:rwm"],
+  "devices": ["/dev/net/tun"],
  "map": ["ssl:rw"],
  "options": {
    "networks": [],