Disable version check and publish

This PR completely drops usage of the builder action in favor of new actions
introduced in home-assistant/builder#273. This results in faster builds with
better caching options and simple local builds using Docker BuildKit.

The image dependency chain currently still uses per-arch builds but once
docker-base and docker repositories start publishing multi-arch images, we can
simplify the action a bit further.

The idea to use composite actions comes from #162245 and this PR fully predates
it. There is minor difference that the files generated twice in per-arch builds
are now generated and archived by the init job.

.gitattributes

@@ -16,6 +16,7 @@ Dockerfile.dev linguist-language=Dockerfile
 CODEOWNERS linguist-generated=true
 Dockerfile linguist-generated=true
 homeassistant/generated/*.py linguist-generated=true
+machine/* linguist-generated=true
 mypy.ini linguist-generated=true
 requirements.txt linguist-generated=true
 requirements_all.txt linguist-generated=true

.github/workflows/builder.yml

@@ -35,6 +35,7 @@ jobs:
       channel: ${{ steps.version.outputs.channel }}
       publish: ${{ steps.version.outputs.publish }}
       architectures: ${{ env.ARCHITECTURES }}
+      base_image_version: ${{ env.BASE_IMAGE_VERSION }}
     steps:
       - name: Checkout the repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -56,10 +57,10 @@ jobs:
         with:
           type: ${{ env.BUILD_TYPE }}
 
-      - name: Verify version
-        uses: home-assistant/actions/helpers/verify-version@master # zizmor: ignore[unpinned-uses]
-        with:
-          ignore-dev: true
+      # - name: Verify version
+      #   uses: home-assistant/actions/helpers/verify-version@master # zizmor: ignore[unpinned-uses]
+      #   with:
+      #     ignore-dev: true
 
       - name: Fail if translations files are checked in
         run: |
@@ -100,7 +101,7 @@ jobs:
         arch: ${{ fromJson(needs.init.outputs.architectures) }}
         include:
           - arch: amd64
-            os: ubuntu-latest
+            os: ubuntu-24.04
           - arch: aarch64
             os: ubuntu-24.04-arm
     steps:
@@ -195,77 +196,20 @@ jobs:
         run: |
           echo "${GITHUB_SHA};${GITHUB_REF};${GITHUB_EVENT_NAME};${GITHUB_ACTOR}" > rootfs/OFFICIAL_IMAGE
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
-        with:
-          cosign-release: "v2.5.3"
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
-
-      - name: Build variables
-        id: vars
-        shell: bash
-        env:
-          ARCH: ${{ matrix.arch }}
-        run: |
-          echo "base_image=ghcr.io/home-assistant/${ARCH}-homeassistant-base:${BASE_IMAGE_VERSION}" >> "$GITHUB_OUTPUT"
-          echo "cache_image=ghcr.io/home-assistant/${ARCH}-homeassistant:latest" >> "$GITHUB_OUTPUT"
-          echo "created=$(date --rfc-3339=seconds --utc)" >> "$GITHUB_OUTPUT"
-
-      - name: Verify base image signature
-        env:
-          BASE_IMAGE: ${{ steps.vars.outputs.base_image }}
-        run: |
-          cosign verify \
-            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-            --certificate-identity-regexp "https://github.com/home-assistant/docker/.*" \
-            "${BASE_IMAGE}"
-
-      - name: Verify cache image signature
-        id: cache
-        continue-on-error: true
-        env:
-          CACHE_IMAGE: ${{ steps.vars.outputs.cache_image }}
-        run: |
-          cosign verify \
-            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-            --certificate-identity-regexp "https://github.com/home-assistant/core/.*" \
-            "${CACHE_IMAGE}"
-
       - name: Build base image
-        id: build
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: home-assistant/builder/actions/build-image@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
         with:
-          context: .
-          file: ./Dockerfile
-          platforms: ${{ steps.vars.outputs.platform }}
-          push: true
-          cache-from: ${{ steps.cache.outcome == 'success' && steps.vars.outputs.cache_image || '' }}
+          arch: ${{ matrix.arch }}
           build-args: |
-            BUILD_FROM=${{ steps.vars.outputs.base_image }}
-          tags: ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant:${{ needs.init.outputs.version }}
-          outputs: type=image,push=true,compression=zstd,compression-level=9,force-compression=true,oci-mediatypes=true
-          labels: |
-            io.hass.arch=${{ matrix.arch }}
-            io.hass.version=${{ needs.init.outputs.version }}
-            org.opencontainers.image.created=${{ steps.vars.outputs.created }}
-            org.opencontainers.image.version=${{ needs.init.outputs.version }}
-
-      - name: Sign image
-        env:
-          ARCH: ${{ matrix.arch }}
-          VERSION: ${{ needs.init.outputs.version }}
-          DIGEST: ${{ steps.build.outputs.digest }}
-        run: |
-          cosign sign --yes "ghcr.io/home-assistant/${ARCH}-homeassistant:${VERSION}@${DIGEST}"
+            BUILD_FROM=ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant-base:${{ needs.init.outputs.base_image_version }}
+          cache-gha: false
+          container-registry-password: ${{ secrets.GITHUB_TOKEN }}
+          cosign-base-identity: "https://github.com/home-assistant/docker/.*"
+          cosign-base-verify: ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant-base:${{ needs.init.outputs.base_image_version }}
+          image: ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant
+          image-tags: ${{ needs.init.outputs.version }}
+          push: true
+          version: ${{ needs.init.outputs.version }}
 
   build_machine:
     name: Build ${{ matrix.machine }} machine core image
@@ -314,308 +258,310 @@ jobs:
         with:
           persist-credentials: false
 
-      - name: Set build additional args
+      - name: Compute extra tags
+        id: tags
+        shell: bash
         env:
           VERSION: ${{ needs.init.outputs.version }}
         run: |
-          # Create general tags
           if [[ "${VERSION}" =~ d ]]; then
-            echo "BUILD_ARGS=--additional-tag dev" >> $GITHUB_ENV
+            echo "extra_tags=dev" >> "$GITHUB_OUTPUT"
           elif [[ "${VERSION}" =~ b ]]; then
-            echo "BUILD_ARGS=--additional-tag beta" >> $GITHUB_ENV
+            echo "extra_tags=beta" >> "$GITHUB_OUTPUT"
           else
-            echo "BUILD_ARGS=--additional-tag stable" >> $GITHUB_ENV
+            echo "extra_tags=stable" >> "$GITHUB_OUTPUT"
           fi
 
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+      - name: Build machine image
+        uses: home-assistant/builder/actions/build-image@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
         with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build base image
-        uses: home-assistant/builder@6cb4fd3d1338b6e22d0958a4bcb53e0965ea63b4 # 2026.02.1
-        with:
-          image: ${{ matrix.arch }}
-          args: |
-            $BUILD_ARGS \
-            --target /data/machine \
-            --cosign \
-            --machine "${{ needs.init.outputs.version }}=${{ matrix.machine }}"
-
-  publish_ha:
-    name: Publish version files
-    environment: ${{ needs.init.outputs.channel }}
-    if: github.repository_owner == 'home-assistant'
-    needs: ["init", "build_machine"]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-    steps:
-      - name: Checkout the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Initialize git
-        uses: home-assistant/actions/helpers/git-init@master # zizmor: ignore[unpinned-uses]
-        with:
-          name: ${{ secrets.GIT_NAME }}
-          email: ${{ secrets.GIT_EMAIL }}
-          token: ${{ secrets.GIT_TOKEN }}
-
-      - name: Update version file
-        uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
-        with:
-          key: "homeassistant[]"
-          key-description: "Home Assistant Core"
-          version: ${{ needs.init.outputs.version }}
-          channel: ${{ needs.init.outputs.channel }}
-          exclude-list: '["odroid-xu","qemuarm","qemux86","raspberrypi","raspberrypi2","raspberrypi3","raspberrypi4","tinker"]'
-
-      - name: Update version file (stable -> beta)
-        if: needs.init.outputs.channel == 'stable'
-        uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
-        with:
-          key: "homeassistant[]"
-          key-description: "Home Assistant Core"
-          version: ${{ needs.init.outputs.version }}
-          channel: beta
-          exclude-list: '["odroid-xu","qemuarm","qemux86","raspberrypi","raspberrypi2","raspberrypi3","raspberrypi4","tinker"]'
-
-  publish_container:
-    name: Publish meta container for ${{ matrix.registry }}
-    environment: ${{ needs.init.outputs.channel }}
-    if: github.repository_owner == 'home-assistant'
-    needs: ["init", "build_base"]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read # To check out the repository
-      packages: write # To push to GHCR
-      id-token: write # For cosign signing
-    strategy:
-      fail-fast: false
-      matrix:
-        registry: ["ghcr.io/home-assistant", "docker.io/homeassistant"]
-    steps:
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
-        with:
-          cosign-release: "v2.5.3"
-
-      - name: Login to DockerHub
-        if: matrix.registry == 'docker.io/homeassistant'
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
-        with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_TOKEN }}
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Verify architecture image signatures
-        shell: bash
-        env:
-          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
-          VERSION: ${{ needs.init.outputs.version }}
-        run: |
-          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
-          for arch in $ARCHS; do
-            echo "Verifying ${arch} image signature..."
-            cosign verify \
-              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
-              --certificate-identity-regexp https://github.com/home-assistant/core/.* \
-              "ghcr.io/home-assistant/${arch}-homeassistant:${VERSION}"
-          done
-          echo "✓ All images verified successfully"
-
-      # Generate all Docker tags based on version string
-      # Version format: YYYY.MM.PATCH, YYYY.MM.PATCHbN (beta), or YYYY.MM.PATCH.devYYYYMMDDHHMM (dev)
-      # Examples:
-      #   2025.12.1     (stable)    -> tags: 2025.12.1, 2025.12, stable, latest, beta, rc
-      #   2025.12.0b3   (beta)      -> tags: 2025.12.0b3, beta, rc
-      #   2025.12.0.dev202511250240 -> tags: 2025.12.0.dev202511250240, dev
-      - name: Generate Docker metadata
-        id: meta
-        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
-        with:
-          images: ${{ matrix.registry }}/home-assistant
-          sep-tags: ","
-          tags: |
-            type=raw,value=${{ needs.init.outputs.version }},priority=9999
-            type=raw,value=dev,enable=${{ contains(needs.init.outputs.version, 'd') }}
-            type=raw,value=beta,enable=${{ !contains(needs.init.outputs.version, 'd') }}
-            type=raw,value=rc,enable=${{ !contains(needs.init.outputs.version, 'd') }}
-            type=raw,value=stable,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
-            type=raw,value=latest,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
-            type=semver,pattern={{major}}.{{minor}},value=${{ needs.init.outputs.version }},enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v3.7.1
-
-      - name: Copy architecture images to DockerHub
-        if: matrix.registry == 'docker.io/homeassistant'
-        shell: bash
-        env:
-          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
-          VERSION: ${{ needs.init.outputs.version }}
-        run: |
-          # Use imagetools to copy image blobs directly between registries
-          # This preserves provenance/attestations and seems to be much faster than pull/push
-          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
-          for arch in $ARCHS; do
-            echo "Copying ${arch} image to DockerHub..."
-            for attempt in 1 2 3; do
-              if docker buildx imagetools create \
-                --tag "docker.io/homeassistant/${arch}-homeassistant:${VERSION}" \
-                "ghcr.io/home-assistant/${arch}-homeassistant:${VERSION}"; then
-                break
-              fi
-              echo "Attempt ${attempt} failed, retrying in 10 seconds..."
-              sleep 10
-              if [ "${attempt}" -eq 3 ]; then
-                echo "Failed after 3 attempts"
-                exit 1
-              fi
-            done
-            cosign sign --yes "docker.io/homeassistant/${arch}-homeassistant:${VERSION}"
-          done
-
-      - name: Create and push multi-arch manifests
-        shell: bash
-        env:
-          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
-          REGISTRY: ${{ matrix.registry }}
-          VERSION: ${{ needs.init.outputs.version }}
-          META_TAGS: ${{ steps.meta.outputs.tags }}
-        run: |
-          # Build list of architecture images dynamically
-          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
-          ARCH_IMAGES=()
-          for arch in $ARCHS; do
-            ARCH_IMAGES+=("${REGISTRY}/${arch}-homeassistant:${VERSION}")
-          done
-
-          # Build list of all tags for single manifest creation
-          # Note: Using sep-tags=',' in metadata-action for easier parsing
-          TAG_ARGS=()
-          IFS=',' read -ra TAGS <<< "${META_TAGS}"
-          for tag in "${TAGS[@]}"; do
-            TAG_ARGS+=("--tag" "${tag}")
-          done
-
-          # Create manifest with ALL tags in a single operation (much faster!)
-          echo "Creating multi-arch manifest with tags: ${TAGS[*]}"
-          docker buildx imagetools create "${TAG_ARGS[@]}" "${ARCH_IMAGES[@]}"
-
-          # Sign each tag separately (signing requires individual tag names)
-          echo "Signing all tags..."
-          for tag in "${TAGS[@]}"; do
-            echo "Signing ${tag}"
-            cosign sign --yes "${tag}"
-          done
-
-          echo "All manifests created and signed successfully"
-
-  build_python:
-    name: Build PyPi package
-    environment: ${{ needs.init.outputs.channel }}
-    needs: ["init", "build_base"]
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read # To check out the repository
-      id-token: write # For PyPI trusted publishing
-    if: github.repository_owner == 'home-assistant' && needs.init.outputs.publish == 'true'
-    steps:
-      - name: Checkout the repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Set up Python
-        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
-        with:
-          python-version-file: ".python-version"
-
-      - name: Download translations
-        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
-        with:
-          name: translations
-
-      - name: Extract translations
-        run: |
-          tar xvf translations.tar.gz
-          rm translations.tar.gz
-
-      - name: Build package
-        shell: bash
-        run: |
-          # Remove dist, build, and homeassistant.egg-info
-          # when build locally for testing!
-          pip install build
-          python -m build
-
-      - name: Upload package to PyPI
-        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
-        with:
-          skip-existing: true
-
-  hassfest-image:
-    name: Build and test hassfest image
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read # To check out the repository
-      packages: write # To push to GHCR
-      attestations: write # For build provenance attestation
-      id-token: write # For build provenance attestation
-    needs: ["init"]
-    if: github.repository_owner == 'home-assistant'
-    env:
-      HASSFEST_IMAGE_NAME: ghcr.io/home-assistant/hassfest
-      HASSFEST_IMAGE_TAG: ghcr.io/home-assistant/hassfest:${{ needs.init.outputs.version }}
-    steps:
-      - name: Checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          persist-credentials: false
-
-      - name: Login to GitHub Container Registry
-        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
-      - name: Build Docker image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
-        with:
-          context: . # So action will not pull the repository again
-          file: ./script/hassfest/docker/Dockerfile
-          load: true
-          tags: ${{ env.HASSFEST_IMAGE_TAG }}
-
-      - name: Run hassfest against core
-        run: docker run --rm -v "${GITHUB_WORKSPACE}":/github/workspace "${HASSFEST_IMAGE_TAG}" --core-path=/github/workspace
-
-      - name: Push Docker image
-        if: needs.init.outputs.channel != 'dev' && needs.init.outputs.publish == 'true'
-        id: push
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
-        with:
-          context: . # So action will not pull the repository again
-          file: ./script/hassfest/docker/Dockerfile
+          arch: ${{ matrix.arch }}
+          build-args: |
+            BUILD_FROM=ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant:${{ needs.init.outputs.version }}
+          cache-gha: false
+          container-registry-password: ${{ secrets.GITHUB_TOKEN }}
+          context: machine/
+          cosign-base-identity: "https://github.com/home-assistant/core/.*"
+          cosign-base-verify: ghcr.io/home-assistant/${{ matrix.arch }}-homeassistant:${{ needs.init.outputs.version }}
+          file: machine/${{ matrix.machine }}
+          image: ghcr.io/home-assistant/${{ matrix.machine }}-homeassistant
+          image-tags: |
+            ${{ needs.init.outputs.version }}
+            ${{ steps.tags.outputs.extra_tags }}
           push: true
-          tags: ${{ env.HASSFEST_IMAGE_TAG }},${{ env.HASSFEST_IMAGE_NAME }}:latest
-
-      - name: Generate artifact attestation
-        if: needs.init.outputs.channel != 'dev' && needs.init.outputs.publish == 'true'
-        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
-        with:
-          subject-name: ${{ env.HASSFEST_IMAGE_NAME }}
-          subject-digest: ${{ steps.push.outputs.digest }}
-          push-to-registry: true
+          version: ${{ needs.init.outputs.version }}
+#  publish_ha:
+#    name: Publish version files
+#    environment: ${{ needs.init.outputs.channel }}
+#    if: github.repository_owner == 'home-assistant'
+#    needs: ["init", "build_machine"]
+#    runs-on: ubuntu-latest
+#    permissions:
+#      contents: read
+#    steps:
+#      - name: Checkout the repository
+#        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+#        with:
+#          persist-credentials: false
+#
+#      - name: Initialize git
+#        uses: home-assistant/actions/helpers/git-init@master # zizmor: ignore[unpinned-uses]
+#        with:
+#          name: ${{ secrets.GIT_NAME }}
+#          email: ${{ secrets.GIT_EMAIL }}
+#          token: ${{ secrets.GIT_TOKEN }}
+#
+#      - name: Update version file
+#        uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
+#        with:
+#          key: "homeassistant[]"
+#          key-description: "Home Assistant Core"
+#          version: ${{ needs.init.outputs.version }}
+#          channel: ${{ needs.init.outputs.channel }}
+#          exclude-list: '["odroid-xu","qemuarm","qemux86","raspberrypi","raspberrypi2","raspberrypi3","raspberrypi4","tinker"]'
+#
+#      - name: Update version file (stable -> beta)
+#        if: needs.init.outputs.channel == 'stable'
+#        uses: home-assistant/actions/helpers/version-push@master # zizmor: ignore[unpinned-uses]
+#        with:
+#          key: "homeassistant[]"
+#          key-description: "Home Assistant Core"
+#          version: ${{ needs.init.outputs.version }}
+#          channel: beta
+#          exclude-list: '["odroid-xu","qemuarm","qemux86","raspberrypi","raspberrypi2","raspberrypi3","raspberrypi4","tinker"]'
+#
+#  publish_container:
+#    name: Publish meta container for ${{ matrix.registry }}
+#    environment: ${{ needs.init.outputs.channel }}
+#    if: github.repository_owner == 'home-assistant'
+#    needs: ["init", "build_base"]
+#    runs-on: ubuntu-latest
+#    permissions:
+#      contents: read # To check out the repository
+#      packages: write # To push to GHCR
+#      id-token: write # For cosign signing
+#    strategy:
+#      fail-fast: false
+#      matrix:
+#        registry: ["ghcr.io/home-assistant", "docker.io/homeassistant"]
+#    steps:
+#      - name: Install Cosign
+#        uses: sigstore/cosign-installer@ba7bc0a3fef59531c69a25acd34668d6d3fe6f22 # v4.1.0
+#        with:
+#          cosign-release: "v2.5.3"
+#
+#      - name: Login to DockerHub
+#        if: matrix.registry == 'docker.io/homeassistant'
+#        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+#        with:
+#          username: ${{ secrets.DOCKERHUB_USERNAME }}
+#          password: ${{ secrets.DOCKERHUB_TOKEN }}
+#
+#      - name: Login to GitHub Container Registry
+#        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+#        with:
+#          registry: ghcr.io
+#          username: ${{ github.repository_owner }}
+#          password: ${{ secrets.GITHUB_TOKEN }}
+#
+#      - name: Verify architecture image signatures
+#        shell: bash
+#        env:
+#          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
+#          VERSION: ${{ needs.init.outputs.version }}
+#        run: |
+#          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
+#          for arch in $ARCHS; do
+#            echo "Verifying ${arch} image signature..."
+#            cosign verify \
+#              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
+#              --certificate-identity-regexp https://github.com/home-assistant/core/.* \
+#              "ghcr.io/home-assistant/${arch}-homeassistant:${VERSION}"
+#          done
+#          echo "✓ All images verified successfully"
+#
+#      # Generate all Docker tags based on version string
+#      # Version format: YYYY.MM.PATCH, YYYY.MM.PATCHbN (beta), or YYYY.MM.PATCH.devYYYYMMDDHHMM (dev)
+#      # Examples:
+#      #   2025.12.1     (stable)    -> tags: 2025.12.1, 2025.12, stable, latest, beta, rc
+#      #   2025.12.0b3   (beta)      -> tags: 2025.12.0b3, beta, rc
+#      #   2025.12.0.dev202511250240 -> tags: 2025.12.0.dev202511250240, dev
+#      - name: Generate Docker metadata
+#        id: meta
+#        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
+#        with:
+#          images: ${{ matrix.registry }}/home-assistant
+#          sep-tags: ","
+#          tags: |
+#            type=raw,value=${{ needs.init.outputs.version }},priority=9999
+#            type=raw,value=dev,enable=${{ contains(needs.init.outputs.version, 'd') }}
+#            type=raw,value=beta,enable=${{ !contains(needs.init.outputs.version, 'd') }}
+#            type=raw,value=rc,enable=${{ !contains(needs.init.outputs.version, 'd') }}
+#            type=raw,value=stable,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
+#            type=raw,value=latest,enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
+#            type=semver,pattern={{major}}.{{minor}},value=${{ needs.init.outputs.version }},enable=${{ !contains(needs.init.outputs.version, 'd') && !contains(needs.init.outputs.version, 'b') }}
+#
+#      - name: Set up Docker Buildx
+#        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v3.7.1
+#
+#      - name: Copy architecture images to DockerHub
+#        if: matrix.registry == 'docker.io/homeassistant'
+#        shell: bash
+#        env:
+#          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
+#          VERSION: ${{ needs.init.outputs.version }}
+#        run: |
+#          # Use imagetools to copy image blobs directly between registries
+#          # This preserves provenance/attestations and seems to be much faster than pull/push
+#          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
+#          for arch in $ARCHS; do
+#            echo "Copying ${arch} image to DockerHub..."
+#            for attempt in 1 2 3; do
+#              if docker buildx imagetools create \
+#                --tag "docker.io/homeassistant/${arch}-homeassistant:${VERSION}" \
+#                "ghcr.io/home-assistant/${arch}-homeassistant:${VERSION}"; then
+#                break
+#              fi
+#              echo "Attempt ${attempt} failed, retrying in 10 seconds..."
+#              sleep 10
+#              if [ "${attempt}" -eq 3 ]; then
+#                echo "Failed after 3 attempts"
+#                exit 1
+#              fi
+#            done
+#            cosign sign --yes "docker.io/homeassistant/${arch}-homeassistant:${VERSION}"
+#          done
+#
+#      - name: Create and push multi-arch manifests
+#        shell: bash
+#        env:
+#          ARCHITECTURES: ${{ needs.init.outputs.architectures }}
+#          REGISTRY: ${{ matrix.registry }}
+#          VERSION: ${{ needs.init.outputs.version }}
+#          META_TAGS: ${{ steps.meta.outputs.tags }}
+#        run: |
+#          # Build list of architecture images dynamically
+#          ARCHS=$(echo "${ARCHITECTURES}" | jq -r '.[]')
+#          ARCH_IMAGES=()
+#          for arch in $ARCHS; do
+#            ARCH_IMAGES+=("${REGISTRY}/${arch}-homeassistant:${VERSION}")
+#          done
+#
+#          # Build list of all tags for single manifest creation
+#          # Note: Using sep-tags=',' in metadata-action for easier parsing
+#          TAG_ARGS=()
+#          IFS=',' read -ra TAGS <<< "${META_TAGS}"
+#          for tag in "${TAGS[@]}"; do
+#            TAG_ARGS+=("--tag" "${tag}")
+#          done
+#
+#          # Create manifest with ALL tags in a single operation (much faster!)
+#          echo "Creating multi-arch manifest with tags: ${TAGS[*]}"
+#          docker buildx imagetools create "${TAG_ARGS[@]}" "${ARCH_IMAGES[@]}"
+#
+#          # Sign each tag separately (signing requires individual tag names)
+#          echo "Signing all tags..."
+#          for tag in "${TAGS[@]}"; do
+#            echo "Signing ${tag}"
+#            cosign sign --yes "${tag}"
+#          done
+#
+#          echo "All manifests created and signed successfully"
+#
+#  build_python:
+#    name: Build PyPi package
+#    environment: ${{ needs.init.outputs.channel }}
+#    needs: ["init", "build_base"]
+#    runs-on: ubuntu-latest
+#    permissions:
+#      contents: read # To check out the repository
+#      id-token: write # For PyPI trusted publishing
+#    if: github.repository_owner == 'home-assistant' && needs.init.outputs.publish == 'true'
+#    steps:
+#      - name: Checkout the repository
+#        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+#        with:
+#          persist-credentials: false
+#
+#      - name: Set up Python
+#        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0
+#        with:
+#          python-version-file: ".python-version"
+#
+#      - name: Download translations
+#        uses: actions/download-artifact@70fc10c6e5e1ce46ad2ea6f2b72d43f7d47b13c3 # v8.0.0
+#        with:
+#          name: translations
+#
+#      - name: Extract translations
+#        run: |
+#          tar xvf translations.tar.gz
+#          rm translations.tar.gz
+#
+#      - name: Build package
+#        shell: bash
+#        run: |
+#          # Remove dist, build, and homeassistant.egg-info
+#          # when build locally for testing!
+#          pip install build
+#          python -m build
+#
+#      - name: Upload package to PyPI
+#        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
+#        with:
+#          skip-existing: true
+#
+#  hassfest-image:
+#    name: Build and test hassfest image
+#    runs-on: ubuntu-latest
+#    permissions:
+#      contents: read # To check out the repository
+#      packages: write # To push to GHCR
+#      attestations: write # For build provenance attestation
+#      id-token: write # For build provenance attestation
+#    needs: ["init"]
+#    if: github.repository_owner == 'home-assistant'
+#    env:
+#      HASSFEST_IMAGE_NAME: ghcr.io/home-assistant/hassfest
+#      HASSFEST_IMAGE_TAG: ghcr.io/home-assistant/hassfest:${{ needs.init.outputs.version }}
+#    steps:
+#      - name: Checkout repository
+#        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+#        with:
+#          persist-credentials: false
+#
+#      - name: Login to GitHub Container Registry
+#        uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
+#        with:
+#          registry: ghcr.io
+#          username: ${{ github.repository_owner }}
+#          password: ${{ secrets.GITHUB_TOKEN }}
+#
+#      - name: Build Docker image
+#        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+#        with:
+#          context: . # So action will not pull the repository again
+#          file: ./script/hassfest/docker/Dockerfile
+#          load: true
+#          tags: ${{ env.HASSFEST_IMAGE_TAG }}
+#
+#      - name: Run hassfest against core
+#        run: docker run --rm -v "${GITHUB_WORKSPACE}":/github/workspace "${HASSFEST_IMAGE_TAG}" --core-path=/github/workspace
+#
+#      - name: Push Docker image
+#        if: needs.init.outputs.channel != 'dev' && needs.init.outputs.publish == 'true'
+#        id: push
+#        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+#        with:
+#          context: . # So action will not pull the repository again
+#          file: ./script/hassfest/docker/Dockerfile
+#          push: true
+#          tags: ${{ env.HASSFEST_IMAGE_TAG }},${{ env.HASSFEST_IMAGE_NAME }}:latest
+#
+#      - name: Generate artifact attestation
+#        if: needs.init.outputs.channel != 'dev' && needs.init.outputs.publish == 'true'
+#        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+#        with:
+#          subject-name: ${{ env.HASSFEST_IMAGE_NAME }}
+#          subject-digest: ${{ steps.push.outputs.digest }}
+#          push-to-registry: true

Dockerfile

@@ -10,7 +10,6 @@ LABEL \
     org.opencontainers.image.description="Open-source home automation platform running on Python 3" \
     org.opencontainers.image.documentation="https://www.home-assistant.io/docs/" \
     org.opencontainers.image.licenses="Apache-2.0" \
-    org.opencontainers.image.source="https://github.com/home-assistant/core" \
     org.opencontainers.image.title="Home Assistant" \
     org.opencontainers.image.url="https://www.home-assistant.io/"
 

machine/build.yaml

@@ -1,10 +0,0 @@
-image: ghcr.io/home-assistant/{machine}-homeassistant
-build_from:
-  aarch64: "ghcr.io/home-assistant/aarch64-homeassistant:"
-  amd64: "ghcr.io/home-assistant/amd64-homeassistant:"
-cosign:
-  base_identity: https://github.com/home-assistant/core/.*
-  identity: https://github.com/home-assistant/core/.*
-labels:
-  io.hass.type: core
-  org.opencontainers.image.source: https://github.com/home-assistant/core

machine/generic-x86-64

@@ -1,7 +1,10 @@
-ARG \
-    BUILD_FROM
-
-FROM $BUILD_FROM
+# Automatically generated by hassfest.
+#
+# To update, run python3 -m script.hassfest -p docker
+ARG BUILD_FROM=ghcr.io/home-assistant/amd64-homeassistant:latest
+FROM ${BUILD_FROM}
 
 RUN apk --no-cache add \
     libva-intel-driver
+
+LABEL io.hass.machine="generic-x86-64"

machine/green

@@ -1,4 +1,7 @@
-ARG \
-    BUILD_FROM
+# Automatically generated by hassfest.
+#
+# To update, run python3 -m script.hassfest -p docker
+ARG BUILD_FROM=ghcr.io/home-assistant/aarch64-homeassistant:latest
+FROM ${BUILD_FROM}
 
-FROM $BUILD_FROM
+LABEL io.hass.machine="green"

machine/intel-nuc

@@ -1,10 +1,10 @@
-ARG \
-    BUILD_FROM
-
-FROM $BUILD_FROM
-
-# NOTE: intel-nuc will be replaced by generic-x86-64. Make sure to apply
-# changes in generic-x86-64 as well.
+# Automatically generated by hassfest.
+#
+# To update, run python3 -m script.hassfest -p docker
+ARG BUILD_FROM=ghcr.io/home-assistant/amd64-homeassistant:latest
+FROM ${BUILD_FROM}
 
 RUN apk --no-cache add \
     libva-intel-driver
+
+LABEL io.hass.machine="intel-nuc"

machine/khadas-vim3

@@ -1,4 +1,7 @@
-ARG \
-    BUILD_FROM
+# Automatically generated by hassfest.
+#
+# To update, run python3 -m script.hassfest -p docker
+ARG BUILD_FROM=ghcr.io/home-assistant/aarch64-homeassistant:latest
+FROM ${BUILD_FROM}
 
-FROM $BUILD_FROM
+LABEL io.hass.machine="khadas-vim3"

machine/odroid-c2

@@ -1,4 +1,7 @@
-ARG \
-    BUILD_FROM
+# Automatically generated by hassfest.
+#
+# To update, run python3 -m script.hassfest -p docker
+ARG BUILD_FROM=ghcr.io/home-assistant/aarch64-homeassistant:latest
+FROM ${BUILD_FROM}
 
-FROM $BUILD_FROM
+LABEL io.hass.machine="odroid-c2"

machine/odroid-c4

@@ -1,4 +1,7 @@
-ARG \
-    BUILD_FROM
+# Automatically generated by hassfest.
+#
+# To update, run python3 -m script.hassfest -p docker
+ARG BUILD_FROM=ghcr.io/home-assistant/aarch64-homeassistant:latest
+FROM ${BUILD_FROM}
 
-FROM $BUILD_FROM
+LABEL io.hass.machine="odroid-c4"

machine/odroid-m1

@@ -1,4 +1,7 @@
-ARG \
-    BUILD_FROM
+# Automatically generated by hassfest.
+#
+# To update, run python3 -m script.hassfest -p docker
+ARG BUILD_FROM=ghcr.io/home-assistant/aarch64-homeassistant:latest
+FROM ${BUILD_FROM}
 
-FROM $BUILD_FROM
+LABEL io.hass.machine="odroid-m1"

machine/odroid-n2

@@ -1,4 +1,7 @@
-ARG \
-    BUILD_FROM
+# Automatically generated by hassfest.
+#
+# To update, run python3 -m script.hassfest -p docker
+ARG BUILD_FROM=ghcr.io/home-assistant/aarch64-homeassistant:latest
+FROM ${BUILD_FROM}
 
-FROM $BUILD_FROM
+LABEL io.hass.machine="odroid-n2"

machine/qemuarm-64

@@ -1,4 +1,7 @@
-ARG \
-    BUILD_FROM
+# Automatically generated by hassfest.
+#
+# To update, run python3 -m script.hassfest -p docker
+ARG BUILD_FROM=ghcr.io/home-assistant/aarch64-homeassistant:latest
+FROM ${BUILD_FROM}
 
-FROM $BUILD_FROM
+LABEL io.hass.machine="qemuarm-64"

machine/qemux86-64

@@ -1,4 +1,7 @@
-ARG \
-    BUILD_FROM
+# Automatically generated by hassfest.
+#
+# To update, run python3 -m script.hassfest -p docker
+ARG BUILD_FROM=ghcr.io/home-assistant/amd64-homeassistant:latest
+FROM ${BUILD_FROM}
 
-FROM $BUILD_FROM
+LABEL io.hass.machine="qemux86-64"

machine/raspberrypi3-64

@@ -1,7 +1,10 @@
-ARG \
-    BUILD_FROM
-
-FROM $BUILD_FROM
+# Automatically generated by hassfest.
+#
+# To update, run python3 -m script.hassfest -p docker
+ARG BUILD_FROM=ghcr.io/home-assistant/aarch64-homeassistant:latest
+FROM ${BUILD_FROM}
 
 RUN apk --no-cache add \
-        raspberrypi-utils
+    raspberrypi-utils
+
+LABEL io.hass.machine="raspberrypi3-64"

machine/raspberrypi4-64

@@ -1,7 +1,10 @@
-ARG \
-    BUILD_FROM
-
-FROM $BUILD_FROM
+# Automatically generated by hassfest.
+#
+# To update, run python3 -m script.hassfest -p docker
+ARG BUILD_FROM=ghcr.io/home-assistant/aarch64-homeassistant:latest
+FROM ${BUILD_FROM}
 
 RUN apk --no-cache add \
-        raspberrypi-utils
+    raspberrypi-utils
+
+LABEL io.hass.machine="raspberrypi4-64"

machine/raspberrypi5-64

@@ -1,7 +1,10 @@
-ARG \
-    BUILD_FROM
-
-FROM $BUILD_FROM
+# Automatically generated by hassfest.
+#
+# To update, run python3 -m script.hassfest -p docker
+ARG BUILD_FROM=ghcr.io/home-assistant/aarch64-homeassistant:latest
+FROM ${BUILD_FROM}
 
 RUN apk --no-cache add \
-        raspberrypi-utils
+    raspberrypi-utils
+
+LABEL io.hass.machine="raspberrypi5-64"

machine/yellow

@@ -1,7 +1,10 @@
-ARG \
-    BUILD_FROM
-
-FROM $BUILD_FROM
+# Automatically generated by hassfest.
+#
+# To update, run python3 -m script.hassfest -p docker
+ARG BUILD_FROM=ghcr.io/home-assistant/aarch64-homeassistant:latest
+FROM ${BUILD_FROM}
 
 RUN apk --no-cache add \
-        raspberrypi-utils
+    raspberrypi-utils
+
+LABEL io.hass.machine="yellow"

script/hassfest/docker.py

@@ -25,7 +25,6 @@ LABEL \
     org.opencontainers.image.description="Open-source home automation platform running on Python 3" \
     org.opencontainers.image.documentation="https://www.home-assistant.io/docs/" \
     org.opencontainers.image.licenses="Apache-2.0" \
-    org.opencontainers.image.source="https://github.com/home-assistant/core" \
     org.opencontainers.image.title="Home Assistant" \
     org.opencontainers.image.url="https://www.home-assistant.io/"
 
@@ -77,6 +76,59 @@ RUN \
 WORKDIR /config
 """
 
+
+@dataclass(frozen=True)
+class _MachineConfig:
+    """Machine-specific Dockerfile configuration."""
+
+    arch: str
+    packages: tuple[str, ...] = ()
+
+
+_MACHINES = {
+    "generic-x86-64": _MachineConfig(arch="amd64", packages=("libva-intel-driver",)),
+    "green": _MachineConfig(arch="aarch64"),
+    "intel-nuc": _MachineConfig(arch="amd64", packages=("libva-intel-driver",)),
+    "khadas-vim3": _MachineConfig(arch="aarch64"),
+    "odroid-c2": _MachineConfig(arch="aarch64"),
+    "odroid-c4": _MachineConfig(arch="aarch64"),
+    "odroid-m1": _MachineConfig(arch="aarch64"),
+    "odroid-n2": _MachineConfig(arch="aarch64"),
+    "qemuarm-64": _MachineConfig(arch="aarch64"),
+    "qemux86-64": _MachineConfig(arch="amd64"),
+    "raspberrypi3-64": _MachineConfig(arch="aarch64", packages=("raspberrypi-utils",)),
+    "raspberrypi4-64": _MachineConfig(arch="aarch64", packages=("raspberrypi-utils",)),
+    "raspberrypi5-64": _MachineConfig(arch="aarch64", packages=("raspberrypi-utils",)),
+    "yellow": _MachineConfig(arch="aarch64", packages=("raspberrypi-utils",)),
+}
+
+_MACHINE_DOCKERFILE_TEMPLATE = r"""# Automatically generated by hassfest.
+#
+# To update, run python3 -m script.hassfest -p docker
+ARG BUILD_FROM=ghcr.io/home-assistant/{arch}-homeassistant:latest
+FROM ${{BUILD_FROM}}
+{extra_packages}
+LABEL io.hass.machine="{machine}"
+"""
+
+
+def _generate_machine_dockerfile(
+    machine_name: str, machine_config: _MachineConfig
+) -> str:
+    """Generate a machine Dockerfile from configuration."""
+    if machine_config.packages:
+        pkg_lines = " \\\n    ".join(machine_config.packages)
+        extra_packages = f"\nRUN apk --no-cache add \\\n    {pkg_lines}\n"
+    else:
+        extra_packages = ""
+
+    return _MACHINE_DOCKERFILE_TEMPLATE.format(
+        arch=machine_config.arch,
+        extra_packages=extra_packages,
+        machine=machine_name,
+    )
+
+
 _HASSFEST_TEMPLATE = r"""# Automatically generated by hassfest.
 #
 # To update, run python3 -m script.hassfest -p docker
@@ -174,7 +226,7 @@ def _generate_files(config: Config) -> list[File]:
         config.root / "requirements_test_pre_commit.txt", {"ruff"}
     )
 
-    return [
+    files = [
         File(
             DOCKERFILE_TEMPLATE.format(
                 timeout=timeout,
@@ -192,6 +244,16 @@ def _generate_files(config: Config) -> list[File]:
         ),
     ]
 
+    for machine_name, machine_config in sorted(_MACHINES.items()):
+        files.append(
+            File(
+                _generate_machine_dockerfile(machine_name, machine_config),
+                config.root / "machine" / machine_name,
+            )
+        )
+
+    return files
+
 
 def validate(integrations: dict[str, Integration], config: Config) -> None:
     """Validate dockerfile."""