Merge pull request #3 from offbyone/action-version-bump

Bump a whole bunch of action versions

.github/workflows/builder.yml

@@ -21,12 +21,13 @@ jobs:
       changed: ${{ steps.changed_addons.outputs.changed }}
     steps:
       - name: Check out the repository
-        uses: actions/checkout@v3.0.2
+        uses: actions/checkout@v4
 
       - name: Get changed files
         id: changed_files
-        # pinning out of paranoia, this is the modern-node fork of jitterbit/get-changed-files
-        uses: masesgroup/retrieve-changed-files@076a92699259d81d1c607bd91f0e1e9d45fd3151
+        # pinning out of paranoia; this is the modern-node fork of jitterbit/get-changed-files
+        # at v3.0.0
+        uses: masesgroup/retrieve-changed-files@491e80760c0e28d36ca6240a27b1ccb8e1402c13
 
       - name: Find add-on directories
         id: addons
@@ -37,7 +38,11 @@ jobs:
         run: |
           declare -a changed_addons
           for addon in ${{ steps.addons.outputs.addons }}; do
-            if [[ "${{ steps.changed_files.outputs.all }}" =~ $addon ]]; then
+            # if one of the changed files was this action, we retry all the builds
+            if [[ "${{ steps.changed_files.outputs.all }}" =~ '.github/workflows/.*\.yml' ]]; then
+              changed_addons+=("\"${addon}\",");
+              echo "Including ${addon} because the build action changed"
+            elif [[ "${{ steps.changed_files.outputs.all }}" =~ $addon ]]; then
               for file in ${{ env.MONITORED_FILES }}; do
                   if [[ "${{ steps.changed_files.outputs.all }}" =~ $addon/$file ]]; then
                     if [[ ! "${changed_addons[@]}" =~ $addon ]]; then
@@ -59,10 +64,39 @@ jobs:
           else
             echo "No add-on had any monitored files changed (${{ env.MONITORED_FILES }})";
           fi
+  test:
+    needs: init
+    runs-on: ubuntu-latest
+    if: needs.init.outputs.changed == 'true' && github.event_name == 'pull_request'
+    name: Verify ${{ matrix.addon }} add-on before build/publish
+    strategy:
+      matrix:
+        addon: ${{ fromJson(needs.init.outputs.changed_addons) }}
+
+    steps:
+      - name: Check out repository
+        uses: actions/checkout@v4
+
+      - name: Get information
+        id: info
+        uses: home-assistant/actions/helpers/info@master
+        with:
+          path: "./${{ matrix.addon }}"
+
+      - name: Test ${{ matrix.addon }} add-on
+        uses: home-assistant/builder@master
+        with:
+          args: |
+            --test \
+            --all \
+            --target /data/${{ matrix.addon }} \
+            --image "${{ matrix.addon }}" \
+            --docker-hub "ghcr.io/${{ github.repository_owner }}"
+
   build:
     needs: init
     runs-on: ubuntu-latest
-    if: needs.init.outputs.changed == 'true'
+    if: needs.init.outputs.changed == 'true' && github.event_name != 'pull_request'
     name: Build ${{ matrix.arch }} ${{ matrix.addon }} add-on
     strategy:
       matrix:
@@ -71,7 +105,7 @@ jobs:
 
     steps:
       - name: Check out repository
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Get information
         id: info
@@ -98,15 +132,15 @@ jobs:
 
       - name: Login to GitHub Container Registry
         if: env.BUILD_ARGS != '--test'
-        uses: docker/login-action@v2.0.0
+        uses: docker/login-action@v3.0.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Build ${{ matrix.addon }} add-on
         if: steps.check.outputs.build_arch == 'true'
-        uses: home-assistant/builder@2022.11.0
+        uses: home-assistant/builder@2023.09.0
         with:
           args: |
             ${{ env.BUILD_ARGS }} \

.github/workflows/lint.yml

@@ -18,7 +18,7 @@ jobs:
       addons: ${{ steps.addons.outputs.addons_list }}
     steps:
       - name: ⤵️ Check out code from GitHub
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: 🔍 Find add-on directories
         id: addons
@@ -33,7 +33,7 @@ jobs:
         path: ${{ fromJson(needs.find.outputs.addons) }}
     steps:
       - name: ⤵️ Check out code from GitHub
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: 🚀 Run Home Assistant Add-on Lint
         uses: frenck/action-addon-linter@v2

iot-certbot/CHANGELOG.md

@@ -1,5 +1,12 @@
 <!-- https://developers.home-assistant.io/docs/add-ons/presentation#keeping-a-changelog -->
 
+## 1.1.1
+
+- Switched to a forever-running script in `run`
+- bump the build base image
+- bump cryptography to 41.0.5
+- bump certbot to 2.7.4
+
 ## 1.1.0
 
 Stop trying to run periodically, depend on automations

iot-certbot/build.yaml

@@ -1,10 +1,15 @@
 ---
 build_from:
-  aarch64: ghcr.io/home-assistant/aarch64-base-python:3.9-alpine3.14
-  amd64: ghcr.io/home-assistant/amd64-base-python:3.9-alpine3.14
-  armhf: ghcr.io/home-assistant/armhf-base-python:3.9-alpine3.14
-  armv7: ghcr.io/home-assistant/armv7-base-python:3.9-alpine3.14
-  i386: ghcr.io/home-assistant/i386-base-python:3.9-alpine3.14
+  aarch64: "ghcr.io/home-assistant/aarch64-base:3.15"
+  amd64: "ghcr.io/home-assistant/amd64-base:3.15"
+  armhf: "ghcr.io/home-assistant/armhf-base:3.15"
+  armv7: "ghcr.io/home-assistant/armv7-base:3.15"
+  i386: "ghcr.io/home-assistant/i386-base:3.15"
+labels:
+  org.opencontainers.image.title: "Home Assistant Add-on: AWS IOT Certbot"
+  org.opencontainers.image.description: "Use AWS IOT and LetsEncrpyt for DNS challenge certs"
+  org.opencontainers.image.source: "https://github.com/offbyone/homeassistant-addons"
+  org.opencontainers.image.licenses: "BSD"
 args:
-  CRYPTOGRAPHY_VERSION: 39.0.0
-  CERTBOT_VERSION: 2.1.0
+  CRYPTOGRAPHY_VERSION: 41.0.5
+  CERTBOT_VERSION: 2.7.4

iot-certbot/rootfs/etc/services.d/lets-encrypt/finish

@@ -1,4 +1,5 @@
 #!/usr/bin/env bashio
+# -*- shell-script -*-
 # ==============================================================================
 # Take down the S6 supervision tree when letsencrypt fails
 # s6-overlay docs: https://github.com/just-containers/s6-overlay

iot-certbot/rootfs/etc/services.d/lets-encrypt/run

@@ -1,58 +1,10 @@
 #!/usr/bin/with-contenv bashio
+# -*- shell-script -*-
 # ==============================================================================
-# Start sshd service if enabled
+# Re-run the renew script forever, until the addon is stopped. Hourly ought to
+# be good enough.
 # ==============================================================================
-CERT_DIR=/data/letsencrypt
-WORK_DIR=/data/workdir
-PROVIDER_ARGUMENTS=()
-ACME_CUSTOM_SERVER_ARGUMENTS=()
-
-EMAIL=$(bashio::config 'email')
-DOMAINS=$(bashio::config 'domains')
-KEYFILE=$(bashio::config 'keyfile')
-CERTFILE=$(bashio::config 'certfile')
-ACME_SERVER=$(bashio::config 'acme_server')
-ACME_ROOT_CA=$(bashio::config 'acme_root_ca_cert')
-
-PROPAGATION_SECONDS=60
-if bashio::config.exists 'dns.propagation_seconds'; then
-    PROPAGATION_SECONDS="$(bashio::config 'dns.propagation_seconds')"
-fi
-bashio::log.info "Use propagation seconds: ${PROPAGATION_SECONDS}"
-
-# ensure our current credentials are up to date
-/opt/iot/bin/update-credentials.sh
-
-# Source our current credentials
-AWS_CONFIG_FILE=/opt/iot/credentials/default
-export AWS_CONFIG_FILE
-PROVIDER_ARGUMENTS+=("--dns-route53")
-
-if bashio::config.has_value 'acme_server' ; then
-    ACME_CUSTOM_SERVER_ARGUMENTS+=("--server" "${ACME_SERVER}")
-
-    if bashio::config.has_value 'acme_root_ca_cert'; then
-      echo "${ACME_ROOT_CA}" > /tmp/root-ca-cert.crt
-      # Certbot will automatically open the filepath contained in REQUESTS_CA_BUNDLE for extra CA cert
-      export REQUESTS_CA_BUNDLE=/tmp/root-ca-cert.crt
-    fi
-fi
-
-# Gather all domains into a plaintext file
-DOMAIN_ARR=()
-for line in $DOMAINS; do
-    DOMAIN_ARR+=(-d "$line")
+while true; do
+  /opt/letsencrypt/bin/renew || bashio::log.error "Most recent letsencrypt run failed; check your logs"
+  sleep 3600
 done
-echo "$DOMAINS" > /data/domains.gen
-
-certbot certonly --non-interactive --keep-until-expiring --expand \
-    --email "$EMAIL" --agree-tos \
-    --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" \
-    --preferred-challenges "dns" "${DOMAIN_ARR[@]}" "${PROVIDER_ARGUMENTS[@]}" \
-    --preferred-chain "ISRG Root X1"
-
-# Get the last modified cert directory and copy the cert and private key to store
-# shellcheck disable=SC2012
-CERT_DIR_LATEST="$(ls -td $CERT_DIR/live/*/ | head -1)"
-cp "${CERT_DIR_LATEST}privkey.pem" "/ssl/$KEYFILE"
-cp "${CERT_DIR_LATEST}fullchain.pem" "/ssl/$CERTFILE"

iot-certbot/rootfs/opt/letsencrypt/bin/renew

@@ -0,0 +1,59 @@
+#!/usr/bin/with-contenv bashio
+# -*- shell-script -*-
+# ==============================================================================
+# Start sshd service if enabled
+# ==============================================================================
+CERT_DIR=/data/letsencrypt
+WORK_DIR=/data/workdir
+PROVIDER_ARGUMENTS=()
+ACME_CUSTOM_SERVER_ARGUMENTS=()
+
+EMAIL=$(bashio::config 'email')
+DOMAINS=$(bashio::config 'domains')
+KEYFILE=$(bashio::config 'keyfile')
+CERTFILE=$(bashio::config 'certfile')
+ACME_SERVER=$(bashio::config 'acme_server')
+ACME_ROOT_CA=$(bashio::config 'acme_root_ca_cert')
+
+PROPAGATION_SECONDS=60
+if bashio::config.exists 'dns.propagation_seconds'; then
+    PROPAGATION_SECONDS="$(bashio::config 'dns.propagation_seconds')"
+fi
+bashio::log.info "Use propagation seconds: ${PROPAGATION_SECONDS}"
+
+# ensure our current credentials are up to date
+/opt/iot/bin/update-credentials.sh
+
+# Source our current credentials
+AWS_CONFIG_FILE=/opt/iot/credentials/default
+export AWS_CONFIG_FILE
+PROVIDER_ARGUMENTS+=("--dns-route53")
+
+if bashio::config.has_value 'acme_server' ; then
+    ACME_CUSTOM_SERVER_ARGUMENTS+=("--server" "${ACME_SERVER}")
+
+    if bashio::config.has_value 'acme_root_ca_cert'; then
+      echo "${ACME_ROOT_CA}" > /tmp/root-ca-cert.crt
+      # Certbot will automatically open the filepath contained in REQUESTS_CA_BUNDLE for extra CA cert
+      export REQUESTS_CA_BUNDLE=/tmp/root-ca-cert.crt
+    fi
+fi
+
+# Gather all domains into a plaintext file
+DOMAIN_ARR=()
+for line in $DOMAINS; do
+    DOMAIN_ARR+=(-d "$line")
+done
+echo "$DOMAINS" > /data/domains.gen
+
+certbot certonly --non-interactive --keep-until-expiring --expand \
+    --email "$EMAIL" --agree-tos \
+    --config-dir "$CERT_DIR" --work-dir "$WORK_DIR" \
+    --preferred-challenges "dns" "${DOMAIN_ARR[@]}" "${PROVIDER_ARGUMENTS[@]}" \
+    --preferred-chain "ISRG Root X1"
+
+# Get the last modified cert directory and copy the cert and private key to store
+# shellcheck disable=SC2012
+CERT_DIR_LATEST="$(ls -td $CERT_DIR/live/*/ | head -1)"
+cp "${CERT_DIR_LATEST}privkey.pem" "/ssl/$KEYFILE"
+cp "${CERT_DIR_LATEST}fullchain.pem" "/ssl/$CERTFILE"

iot-certbot/test/.gitignore

@@ -0,0 +1,4 @@
+config/*
+data/*
+ssl/*
+!.gitignore

iot-certbot/test/README.md

@@ -0,0 +1,16 @@
+# Test data for the container.
+
+This directory can be used to provide the necessary set of mounts for the container to act "home-assistant-ish".
+
+Here's a shell invocation that runs this container:
+
+``` shellsession
+docker run --rm -it \
+    -v (pwd)/test/ssl:/ssl \
+    -v (pwd)/test/data:/data \
+    -v (pwd)/test/cache:/tmp/.bashio/ \
+    -v (pwd)/test/config:/config \
+    --name iot-certbot local/iot_certbot
+```
+
+You should set up the necessary addon config in `test/cache` (there's an example in there that I have _not_ done the necessary work to correct, sorry :( )

iot-certbot/test/cache/addons.self.options.config.cache

@@ -0,0 +1,5 @@
+{
+  "email": "[email protected]",
+  "domains": ["a.b.c"],
+  "acme_server": "https://acme-staging-v02.api.letsencrypt.org/directory"
+}