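---
# Build, publish and promote the HomeAssistant container image.
#
# push to master     -> build-and-publish: build the repo's Dockerfile and push
#                       it tagged with the commit SHA and with the upstream
#                       HASS version taken from the Dockerfile's FROM line.
# workflow_dispatch  -> promote-and-deploy: retag an already-published
#                       <SHA> image as :latest, then deploy: rollout-restart
#                       deployment/hass (presumably tracking :latest).
name: publish

on:  # yamllint disable-line rule:truthy
  push:
    branches: [master]
  workflow_dispatch:
    inputs:
      sha:
        description: Commit SHA to promote (defaults to dispatch SHA)
        required: false
        type: string

# Least privilege: the job token only needs to read the repository.
permissions:
  contents: read

env:
  REGISTRY_SERVER: docker.io
  RELEASE_IMAGE_NAME: docker.io/genunix/homeassistant
  KUBERNETES_NAMESPACE: hass

jobs:
  build-and-publish:
    if: github.event_name == 'push'
    runs-on: docker
    container:
      image: quay.io/podman/stable:v5.4
      # Required for podman builds inside the container. This is a privileged
      # container, so only repository-controlled inputs reach this job.
      options: >-
        --privileged
        --security-opt seccomp=unconfined
        --device /dev/fuse
        --user root
      env:
        CONTAINERS_STORAGE_DRIVER: vfs
        BUILDAH_FORMAT: docker
        XDG_RUNTIME_DIR: /tmp/run
    steps:
      - name: Checkout
        env:
          SERVER_URL: ${{ github.server_url }}
          REPOSITORY: ${{ github.repository }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          # Install git and ca-certs if missing (works across base distros)
          if ! command -v git >/dev/null 2>&1; then
            (command -v microdnf >/dev/null 2>&1 && microdnf -y install git ca-certificates tar gzip) \
              || (command -v dnf >/dev/null 2>&1 && dnf -y install git ca-certificates tar gzip) \
              || (command -v apk >/dev/null 2>&1 && apk add --no-cache git ca-certificates tar gzip) \
              || (command -v apt-get >/dev/null 2>&1 && apt-get update && apt-get install -y git ca-certificates tar gzip)
          fi
          # Prepare auth if provided
          HOST=$(echo "$SERVER_URL" | sed -E 's#https?://([^/]+)/?.*#\1#')
          # Use token as password with a placeholder username. The netrc is
          # created owner-only from the start (umask, no chmod window) and is
          # removed when this step ends so the token does not linger in the
          # container for the build/push steps that follow.
          if [ -n "${GITHUB_TOKEN:-}" ]; then
            trap 'rm -f "$HOME/.netrc"' EXIT
            (umask 077; printf "machine %s login %s password %s\n" "$HOST" "token" "$GITHUB_TOKEN" > "$HOME/.netrc")
          fi
          # Initialize and fetch exact commit
          git init
          git remote add origin "${SERVER_URL}/${REPOSITORY}.git"
          git fetch --depth=1 origin "${GITHUB_SHA}"
          git checkout -q FETCH_HEAD

      - name: Podman login
        env:
          REGISTRY_USERNAME: ${{ secrets.dockerhub_username }}
          REGISTRY_PASSWORD: ${{ secrets.dockerhub_password }}
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          mkdir -p /var/lib/containers "$XDG_RUNTIME_DIR"
          # Password is fed on stdin, never on argv.
          echo -n "$REGISTRY_PASSWORD" | podman login --username "$REGISTRY_USERNAME" --password-stdin "$REGISTRY_SERVER"

      - name: Build image
        id: build
        working-directory: ${{ github.workspace }}
        run: |
          set -euo pipefail
          # The HASS version is the tag of the Dockerfile's first FROM line.
          HASS_VERSION=$(grep -E '^FROM ' Dockerfile | head -n1 | cut -d ':' -f 2)
          # `cut` prints the whole line when there is no ':' and a stage name
          # ("image:tag AS build") would leak into the value. Fail here, with a
          # message, instead of at push time with an empty or invalid tag.
          if ! [[ "$HASS_VERSION" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$ ]]; then
            echo "Could not determine a valid HASS_VERSION from Dockerfile (got '${HASS_VERSION}')" >&2
            exit 1
          fi
          echo "HASS_VERSION=$HASS_VERSION" >> "$GITHUB_OUTPUT"
          echo "== Building ${RELEASE_IMAGE_NAME}:${GITHUB_SHA}"
          podman build --pull-always --format docker -t "${RELEASE_IMAGE_NAME}:${GITHUB_SHA}" .

      - name: Push images (SHA and HASS_VERSION)
        working-directory: ${{ github.workspace }}
        env:
          # Passed through the environment rather than interpolated into the
          # script, so a step output never becomes shell source.
          HASS_VERSION: ${{ steps.build.outputs.HASS_VERSION }}
        run: |
          set -euo pipefail
          echo "== Publishing ${RELEASE_IMAGE_NAME}:${GITHUB_SHA}"
          podman push "${RELEASE_IMAGE_NAME}:${GITHUB_SHA}" "docker://${RELEASE_IMAGE_NAME}:${GITHUB_SHA}"
          echo "== Publishing ${RELEASE_IMAGE_NAME}:${HASS_VERSION}"
          podman push "${RELEASE_IMAGE_NAME}:${GITHUB_SHA}" "docker://${RELEASE_IMAGE_NAME}:${HASS_VERSION}"

      - name: Logout
        if: always()
        run: |
          podman logout "${REGISTRY_SERVER}"

      - name: Notify via Pushover on failure
        if: failure()
        env:
          # Secrets and context go through env, not into the script text.
          PUSHOVER_TOKEN: ${{ secrets.PUSHOVER_TOKEN }}
          PUSHOVER_USER: ${{ secrets.PUSHOVER_USER }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          REPOSITORY: ${{ github.repository }}
        run: |
          # --form-string throughout: unlike -F it never treats a leading '@'
          # or '<' as a file to upload.
          curl -s \
            --form-string "token=${PUSHOVER_TOKEN}" \
            --form-string "user=${PUSHOVER_USER}" \
            --form-string "title=HomeAssistant Build Failed" \
            --form-string "url=${RUN_URL}" \
            --form-string "message=Workflow failed on ${REPOSITORY}" \
            https://api.pushover.net/1/messages.json

  promote-and-deploy:
    if: github.event_name == 'workflow_dispatch'
    runs-on: docker
    container:
      image: quay.io/podman/stable:v5.4
      # Same privileged podman container as build-and-publish; this job only
      # pulls and retags, it never builds from repository content.
      options: >-
        --privileged
        --security-opt seccomp=unconfined
        --device /dev/fuse
        --user root
      env:
        CONTAINERS_STORAGE_DRIVER: vfs
        BUILDAH_FORMAT: docker
        XDG_RUNTIME_DIR: /tmp/run
        SHA_INPUT: ${{ inputs.sha }}
    steps:
      - name: Podman login
        env:
          REGISTRY_USERNAME: ${{ secrets.dockerhub_username }}
          REGISTRY_PASSWORD: ${{ secrets.dockerhub_password }}
        run: |
          set -euo pipefail
          mkdir -p /var/lib/containers "$XDG_RUNTIME_DIR"
          echo -n "$REGISTRY_PASSWORD" | podman login --username "$REGISTRY_USERNAME" --password-stdin "$REGISTRY_SERVER"

      - name: Promote latest from SHA
        run: |
          set -euo pipefail
          SHA_TO_PROMOTE=${SHA_INPUT:-${GITHUB_SHA}}
          # The dispatch input is free text. build-and-publish tags images with
          # the full 40-hex commit SHA, so accept exactly that: nothing else can
          # become :latest through this job.
          if ! [[ "$SHA_TO_PROMOTE" =~ ^[0-9a-f]{40}$ ]]; then
            echo "Refusing to promote '${SHA_TO_PROMOTE}': not a full commit SHA" >&2
            exit 1
          fi
          echo "== Promoting ${RELEASE_IMAGE_NAME}:${SHA_TO_PROMOTE} into production"
          podman pull "docker://${RELEASE_IMAGE_NAME}:${SHA_TO_PROMOTE}"
          podman push "${RELEASE_IMAGE_NAME}:${SHA_TO_PROMOTE}" "docker://${RELEASE_IMAGE_NAME}:latest"

      - name: Logout
        if: always()
        run: |
          podman logout "${REGISTRY_SERVER}"

      - name: Notify via Pushover on failure
        if: failure()
        env:
          PUSHOVER_TOKEN: ${{ secrets.PUSHOVER_TOKEN }}
          PUSHOVER_USER: ${{ secrets.PUSHOVER_USER }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          REPOSITORY: ${{ github.repository }}
        run: |
          curl -s \
            --form-string "token=${PUSHOVER_TOKEN}" \
            --form-string "user=${PUSHOVER_USER}" \
            --form-string "title=HomeAssistant Promote Failed" \
            --form-string "url=${RUN_URL}" \
            --form-string "message=Workflow failed on ${REPOSITORY}" \
            https://api.pushover.net/1/messages.json

  deploy:
    if: github.event_name == 'workflow_dispatch'
    runs-on: docker
    needs: promote-and-deploy
    container:
      image: bitnami/kubectl:1.32
    steps:
      - name: Write kubeconfig
        env:
          KUBECONFIG_CONTENT: ${{ secrets.kubeconfig }}
        run: |
          set -euo pipefail
          # Fail with a clear message instead of letting kubectl fall back to
          # an empty config.
          if [ -z "${KUBECONFIG_CONTENT:-}" ]; then
            echo "kubeconfig secret is empty" >&2
            exit 1
          fi
          # Cluster credential: create it owner-only, not with the default umask.
          (umask 077; printf '%s\n' "$KUBECONFIG_CONTENT" > kubeconfig)

      - name: Rollout restart
        run: |
          set -euo pipefail
          kubectl --kubeconfig=kubeconfig -n "${KUBERNETES_NAMESPACE}" rollout restart deployment/hass
          kubectl --kubeconfig=kubeconfig -n "${KUBERNETES_NAMESPACE}" rollout status deployment/hass

      - name: Notify via Pushover on failure
        if: failure()
        env:
          PUSHOVER_TOKEN: ${{ secrets.PUSHOVER_TOKEN }}
          PUSHOVER_USER: ${{ secrets.PUSHOVER_USER }}
          RUN_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
          REPOSITORY: ${{ github.repository }}
        run: |
          curl -s \
            --form-string "token=${PUSHOVER_TOKEN}" \
            --form-string "user=${PUSHOVER_USER}" \
            --form-string "title=HomeAssistant Deploy Failed" \
            --form-string "url=${RUN_URL}" \
            --form-string "message=Workflow failed on ${REPOSITORY}" \
            https://api.pushover.net/1/messages.json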