Optimize build_base build job (home-assistant#157231)

Co-authored-by: Copilot <[email protected]>

Author: edenhaus

.github/workflows/builder.yml

@@ -14,14 +14,14 @@ env:
   PIP_TIMEOUT: 60
   UV_HTTP_TIMEOUT: 60
   UV_SYSTEM_PYTHON: "true"
+  BASE_IMAGE_VERSION: "2025.11.0"
 
 jobs:
   init:
     name: Initialize build
     if: github.repository_owner == 'home-assistant'
     runs-on: ubuntu-latest
     outputs:
-      architectures: ${{ steps.info.outputs.architectures }}
       version: ${{ steps.version.outputs.version }}
       channel: ${{ steps.version.outputs.channel }}
       publish: ${{ steps.version.outputs.publish }}
@@ -77,15 +77,20 @@ jobs:
     name: Build ${{ matrix.arch }} base core image
     if: github.repository_owner == 'home-assistant'
     needs: init
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
     permissions:
       contents: read
       packages: write
       id-token: write
     strategy:
       fail-fast: false
       matrix:
-        arch: ${{ fromJson(needs.init.outputs.architectures) }}
+        arch: ["amd64", "aarch64"]
+        include:
+          - arch: amd64
+            os: ubuntu-latest
+          - arch: aarch64
+            os: ubuntu-24.04-arm
     steps:
       - name: Checkout the repository
         uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
@@ -182,16 +187,59 @@ jobs:
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
-      # home-assistant/builder doesn't support sha pinning
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0
+        with:
+          cosign-release: "v2.5.3"
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
+
+      - name: Build variables
+        id: vars
+        shell: bash
+        run: |
+          echo "base_image=ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant-base:${{ env.BASE_IMAGE_VERSION }}" >> "$GITHUB_OUTPUT"
+          echo "cache_image=ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant:latest" >> "$GITHUB_OUTPUT"
+          echo "created=$(date --rfc-3339=seconds --utc)" >> "$GITHUB_OUTPUT"
+
+      - name: Verify base image signature
+        run: |
+          cosign verify \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp "https://github.com/home-assistant/docker/.*" \
+            "${{ steps.vars.outputs.base_image }}"
+
+      - name: Verify cache image signature
+        id: cache
+        continue-on-error: true
+        run: |
+          cosign verify \
+            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+            --certificate-identity-regexp "https://github.com/home-assistant/core/.*" \
+            "${{ steps.vars.outputs.cache_image }}"
+
       - name: Build base image
-        uses: home-assistant/[email protected]
+        id: build
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
-          args: |
-            $BUILD_ARGS \
-            --${{ matrix.arch }} \
-            --cosign \
-            --target /data \
-            --generic ${{ needs.init.outputs.version }}
+          context: .
+          file: ./Dockerfile
+          platforms: ${{ steps.vars.outputs.platform }}
+          push: true
+          cache-from: ${{ steps.cache.outcome == 'success' && steps.vars.outputs.cache_image || '' }}
+          build-args: |
+            BUILD_FROM=${{ steps.vars.outputs.base_image }}
+          tags: ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant:${{ needs.init.outputs.version }}
+          labels: |
+            io.hass.arch=${{ matrix.arch }}
+            io.hass.version=${{ needs.init.outputs.version }}
+            org.opencontainers.image.created=${{ steps.vars.outputs.created }}
+            org.opencontainers.image.version=${{ needs.init.outputs.version }}
+
+      - name: Sign image
+        run: |
+          cosign sign --yes "ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant:${{ needs.init.outputs.version }}@${{ steps.build.outputs.digest }}"
 
   build_machine:
     name: Build ${{ matrix.machine }} machine core image

.github/workflows/wheels.yml

@@ -28,8 +28,6 @@ jobs:
     name: Initialize wheels builder
     if: github.repository_owner == 'home-assistant'
     runs-on: ubuntu-latest
-    outputs:
-      architectures: ${{ steps.info.outputs.architectures }}
     steps:
       - &checkout
         name: Checkout the repository
@@ -50,10 +48,6 @@ jobs:
           pip install "$(grep '^uv' < requirements.txt)"
           uv pip install -r requirements.txt
 
-      - name: Get information
-        id: info
-        uses: home-assistant/actions/helpers/info@master
-
       - name: Create requirements_diff file
         run: |
           if [[ ${{ github.event_name }} =~ (schedule|workflow_dispatch) ]]; then
@@ -114,9 +108,10 @@ jobs:
       fail-fast: false
       matrix: &matrix-build
         abi: ["cp313", "cp314"]
-        arch: ${{ fromJson(needs.init.outputs.architectures) }}
+        arch: ["amd64", "aarch64"]
         include:
-          - os: ubuntu-latest
+          - arch: amd64
+            os: ubuntu-latest
           - arch: aarch64
             os: ubuntu-24.04-arm
     steps:

Dockerfile

@@ -21,14 +21,22 @@
 ARG BUILD_FROM
 FROM ${{BUILD_FROM}}
 
+LABEL \
+    io.hass.type="core" \
+    org.opencontainers.image.authors="The Home Assistant Authors" \
+    org.opencontainers.image.description="Open-source home automation platform running on Python 3" \
+    org.opencontainers.image.documentation="https://www.home-assistant.io/docs/" \
+    org.opencontainers.image.licenses="Apache-2.0" \
+    org.opencontainers.image.source="https://github.com/home-assistant/core" \
+    org.opencontainers.image.title="Home Assistant" \
+    org.opencontainers.image.url="https://www.home-assistant.io/"
+
 # Synchronize with homeassistant/core.py:async_stop
 ENV \
     S6_SERVICES_GRACETIME={timeout} \
     UV_SYSTEM_PYTHON=true \
     UV_NO_CACHE=true
 
-ARG QEMU_CPU
-
 # Home Assistant S6-Overlay
 COPY rootfs /