Migrate builder workflow to new builder actions (#258)

Migrate plugin image build to new builder actions. The resulting image
should be identical, while a multi-arch manifest should be now published
along the per-arch images.

The workflow should now also work in forked repos, unlike the old one
which had home-assistant org hardcoded on several places. In forked
repos, the version job is skipped now.

Closes #257

Author: sairon

.github/workflows/builder.yml

@@ -9,90 +9,107 @@ on:
     branches: ["master"]
     paths:
     - Dockerfile
-    - build.yaml
-    - 'rootfs/**' 
+    - 'rootfs/**'
     - '**.go'
     - go.mod
 
 env:
+  ARCHITECTURES: '["amd64", "aarch64"]'
   BUILD_NAME: observer
   BUILD_TYPE: plugin
+  IMAGE_NAME: hassio-observer
+
+permissions:
+  contents: read
 
 jobs:
   init:
     name: Initialize build
     runs-on: ubuntu-latest
     outputs:
-      architectures: ${{ steps.info.outputs.architectures }}
       version: ${{ steps.version.outputs.version }}
       channel: ${{ steps.version.outputs.channel }}
       publish: ${{ steps.version.outputs.publish }}
+      matrix: ${{ steps.matrix.outputs.matrix }}
     steps:
     - name: Checkout the repository
-      uses: actions/checkout@v6.0.2
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 0
 
-    - name: Get information
-      id: info
-      uses: home-assistant/actions/helpers/info@master
-
     - name: Get version
       id: version
       uses: home-assistant/actions/helpers/version@master
       with:
         type: ${{ env.BUILD_TYPE }}
 
+    - name: Get build matrix
+      id: matrix
+      uses: home-assistant/builder/actions/prepare-multi-arch-matrix@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
+      with:
+        architectures: ${{ env.ARCHITECTURES }}
+        image-name: ${{ env.IMAGE_NAME }}
+
   build:
-    name: Build ${{ matrix.arch }} plugin
+    name: Build ${{ matrix.arch }} image
     needs: init
-    runs-on: ${{ matrix.runs-on }}
+    runs-on: ${{ matrix.os }}
     permissions:
       contents: read
-      packages: write
       id-token: write
+      packages: write
     strategy:
-      matrix:
-        arch: ${{ fromJson(needs.init.outputs.architectures) }}
-        include:
-          - runs-on: ubuntu-24.04
-          - arch: aarch64
-            runs-on: ubuntu-24.04-arm
+      fail-fast: false
+      matrix: ${{ fromJSON(needs.init.outputs.matrix) }}
     steps:
-    - name: Checkout the repository
-      uses: actions/checkout@v6.0.2
-   
-    - name: Login to GitHub Container Registry
-      if: needs.init.outputs.publish == 'true'
-      uses: docker/login-action@v4.0.0
-      with:
-        registry: ghcr.io
-        username: ${{ secrets.GIT_USER }}
-        password: ${{ secrets.GIT_TOKEN }}
+      - name: Checkout the repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
-    - name: Set build arguments
-      if: needs.init.outputs.publish == 'false'
-      run: echo "BUILD_ARGS=--test" >> $GITHUB_ENV
+      - name: Build image
+        id: build
+        uses: home-assistant/builder/actions/build-image@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
+        with:
+          arch: ${{ matrix.arch }}
+          container-registry-password: ${{ secrets.GITHUB_TOKEN }}
+          cosign-base-identity: 'https://github.com/home-assistant/docker-base/.*'
+          cosign-base-verify: ghcr.io/home-assistant/base:3.23
+          image: ${{ matrix.image }}
+          image-tags: |
+            ${{ needs.init.outputs.version }}
+            latest
+          push: ${{ needs.init.outputs.publish == 'true' }}
+          version: ${{ needs.init.outputs.version }}
 
-    - name: Build plugin
-      uses: home-assistant/builder@2026.02.1
-      with:
-        image: ${{ matrix.arch }}
-        args: |
-          $BUILD_ARGS \
-          --${{ matrix.arch }} \
-          --cosign \
-          --target /data \
-          --generic ${{ needs.init.outputs.version }}
+  manifest:
+    name: Publish multi-arch manifest
+    needs: [init, build]
+    if: needs.init.outputs.publish == 'true'
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      packages: write
+    steps:
+      - name: Publish multi-arch manifest
+        uses: home-assistant/builder/actions/publish-multi-arch-manifest@62a1597b84b3461abad9816d9cd92862a2b542c3 # 2026.03.2
+        with:
+          architectures: ${{ env.ARCHITECTURES }}
+          container-registry-password: ${{ secrets.GITHUB_TOKEN }}
+          image-name: ${{ env.IMAGE_NAME }}
+          image-tags: |
+            ${{ needs.init.outputs.version }}
+            latest
 
   version:
     name: Update version
-    needs: ["init", "build"]
+    needs: [init, build, manifest]
     runs-on: ubuntu-latest
+    if: github.repository_owner == 'home-assistant'
     steps:
     - name: Checkout the repository
       if: needs.init.outputs.publish == 'true'
-      uses: actions/checkout@v6.0.2
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
     - name: Initialize git
       if: needs.init.outputs.publish == 'true'

Dockerfile

@@ -1,31 +1,41 @@
-ARG BUILD_FROM
-
-FROM golang:1.25-alpine3.23 AS builder
-
-WORKDIR /workspace/observer-plugin
-ARG BUILD_ARCH
-
-COPY . .
-
-# Build
-RUN \
-        if [ "${BUILD_ARCH}" = "aarch64" ]; then \
-            CGO_ENABLED=0 GOARCH=arm64 go build -ldflags="-s -w"; \
-        elif [ "${BUILD_ARCH}" = "amd64" ]; then \
-            CGO_ENABLED=0 GOARCH=amd64 go build -ldflags="-s -w"; \
-        else \
-            exit 1; \
-        fi \
-    && cp -f plugin-observer /workspace/observer \
-    && rm -rf /workspace/observer-plugin
-
-
-FROM ${BUILD_FROM}
-
-ENV DOCKER_HOST="unix:///run/docker.sock"
-
-WORKDIR /
-COPY --from=builder /workspace/observer /usr/bin/observer
-COPY rootfs /
-
-ENTRYPOINT ["/usr/bin/observer"]
+ARG BUILD_FROM=scratch
+
+FROM golang:1.25-alpine3.23 AS builder
+
+WORKDIR /workspace/observer-plugin
+ARG TARGETARCH
+
+COPY . .
+
+# Build
+RUN \
+    if [ -z "${TARGETARCH}" ]; then \
+        echo "TARGETARCH is not set, please use Docker BuildKit for the build." && exit 1; \
+    fi \
+    && case "${TARGETARCH}" in \
+            amd64|arm64) ;; \
+            *) echo "Unsupported TARGETARCH: ${TARGETARCH}" && exit 1 ;; \
+        esac \
+    && CGO_ENABLED=0 GOARCH=${TARGETARCH} go build -ldflags="-s -w" \
+    && cp -f plugin-observer /workspace/observer \
+    && rm -rf /workspace/observer-plugin
+
+
+FROM ${BUILD_FROM}
+
+ENV DOCKER_HOST="unix:///run/docker.sock"
+
+WORKDIR /
+COPY --from=builder /workspace/observer /usr/bin/observer
+COPY rootfs /
+
+ENTRYPOINT ["/usr/bin/observer"]
+
+LABEL \
+    io.hass.type="observer" \
+    org.opencontainers.image.title="Home Assistant Observer Plugin" \
+    org.opencontainers.image.description="Home Assistant Supervisor plugin monitor Supervisor" \
+    org.opencontainers.image.authors="The Home Assistant Authors" \
+    org.opencontainers.image.url="https://www.home-assistant.io/" \
+    org.opencontainers.image.documentation="https://www.home-assistant.io/docs/" \
+    org.opencontainers.image.licenses="Apache License 2.0"