diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..ce144bf --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,8 @@ +# Code of Conduct + +This project follows the ownCloud Code of Conduct. + +Please read the full Code of Conduct at: +**** + +By participating in this project, you agree to abide by its terms. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..85db846 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,34 @@ +# Contributing + +Thank you for your interest in contributing to this project! + +Please read the full contributing guidelines at: +**** + +## About this repository + +This repository builds the official **ownCloud Infinite Scale (oCIS)** Docker +images ([`owncloud/ocis`](https://hub.docker.com/r/owncloud/ocis) and the daily +[`owncloud/ocis-rolling`](https://hub.docker.com/r/owncloud/ocis-rolling)). It is +not the oCIS source code — it builds oCIS from source via a multi-stage +Dockerfile. Bug reports and feature requests for oCIS itself belong in the +upstream [`owncloud/ocis`](https://github.com/owncloud/ocis) repository; use this +repository's issues only for the Docker packaging. See the [README](README.md) +for build details, supported tags and usage. + +## Pull requests + +- **Rebase Early, Rebase Often!** We use a rebase workflow. Rebase on the target + branch before submitting a PR; do not create merge commits. +- **Signed commits**: All commits **must** be PGP/GPG signed. See + [GitHub's signing guide](https://docs.github.com/en/authentication/managing-commit-signature-verification). +- **DCO Sign-off**: Every commit must carry a `Signed-off-by` line: + ``` + git commit -S -s -m "your commit message" + ``` +- **Conventional Commits**: PR titles must follow the + [Conventional Commits](https://www.conventionalcommits.org/) format — this is + enforced by CI, and the PR title becomes the squash-merge commit message. +- **GitHub Actions Policy**: Workflows may only use actions that are (a) owned by + `owncloud`, (b) created by GitHub (`actions/*`), or (c) verified in the GitHub + Marketplace. Pin all actions to their full commit SHA. diff --git a/README.md b/README.md index 551b72d..cf6eebb 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,8 @@ # ownCloud Infinite Scale Docker Image [![Docker Pulls](https://img.shields.io/docker/pulls/owncloud/ocis.svg)](https://hub.docker.com/r/owncloud/ocis) +[![License: Apache-2.0](https://img.shields.io/github/license/owncloud-docker/ocis)](https://github.com/owncloud-docker/ocis/blob/master/LICENSE) +[![ownCloud OSPO](https://img.shields.io/badge/OSPO-ownCloud-blue)](https://kiteworks.com/opensource) Docker image for [ownCloud Infinite Scale (oCIS)](https://github.com/owncloud/ocis) — a modern file-sync and share platform. @@ -96,6 +98,62 @@ The GitHub Actions workflow (`.github/workflows/main.yml`) builds and validates 3. **Smoke test** — starts the container, polls `https://localhost:9200/status.php` every 2s for up to 62s, and verifies the `.productversion` field in the JSON response matches the built tag. Uses `OCIS_INSECURE=true` to allow self-signed TLS on the test runner. 4. **Publish** — pushes to Docker Hub with floating major/minor tags (on `master` only). +## Community & Support + +- [ownCloud Website](https://owncloud.com) +- [Community Discussions](https://github.com/orgs/owncloud/discussions) +- [Matrix Chat](https://app.element.io/#/room/#owncloud:matrix.org) +- [Documentation](https://doc.owncloud.com) +- [Enterprise Support](https://owncloud.com/contact-us/) +- [OSPO Home](https://kiteworks.com/opensource) + +See [SUPPORT.md](SUPPORT.md) for the full list of support channels. + +## Contributing + +We welcome contributions! Please read the [Contributing Guidelines](CONTRIBUTING.md) +and our [Code of Conduct](CODE_OF_CONDUCT.md) before getting started. + +- **Rebase Early, Rebase Often!** We use a rebase workflow — rebase on the target + branch before submitting a PR. +- **Signed commits**: All commits **must** be PGP/GPG signed and carry a DCO + `Signed-off-by` line (`git commit -S -s`). +- **Conventional Commits**: PR titles must follow the + [Conventional Commits](https://www.conventionalcommits.org/) format — enforced + by CI. +- **GitHub Actions Policy**: Workflows may only use actions owned by `owncloud`, + created by GitHub (`actions/*`), or verified in the GitHub Marketplace, pinned + to a full commit SHA. + +Note: bug reports and feature requests for oCIS itself belong upstream in +[`owncloud/ocis`](https://github.com/owncloud/ocis) — this repository tracks only +the Docker packaging. + +## Security + +**Do not open a public GitHub issue for security vulnerabilities.** + +Report vulnerabilities at **** — see [SECURITY.md](SECURITY.md). + +Bug bounty: [YesWeHack ownCloud Program](https://yeswehack.com/programs/owncloud-bug-bounty-program) + +## About the ownCloud OSPO + +The [Kiteworks Open Source Program Office](https://kiteworks.com/opensource), operating under +the [ownCloud](https://owncloud.com) brand, launched on May 5, 2026, to steward the open source +ecosystem around ownCloud's products. The OSPO ensures transparent governance, license compliance, +community health, and sustainable collaboration between the open source community and +[Kiteworks](https://www.kiteworks.com), which acquired ownCloud in 2023. + +- **OSPO Home**: +- **GitHub**: +- **ownCloud**: + +For questions about the OSPO or licensing, contact ospo@kiteworks.com. + +This repository is licensed under the **Apache License 2.0**, which is the license +the OSPO is adopting across the ecosystem. No relicensing is required. + ## License Apache-2.0 — see [LICENSE](LICENSE). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..78094ae --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,11 @@ +# Security Policy + +## Reporting a Vulnerability + +**Do NOT open a public GitHub issue for security vulnerabilities.** + +Please report security issues responsibly via: +**** + +You can also report vulnerabilities through our YesWeHack bug bounty program: +**** diff --git a/SUPPORT.md b/SUPPORT.md new file mode 100644 index 0000000..bed05d6 --- /dev/null +++ b/SUPPORT.md @@ -0,0 +1,10 @@ +# Support + +For support with this project, please use the following channels: + +- **Enterprise Support**: +- **Community discussions**: +- **Matrix Chat**: +- **Documentation**: + +Please do not use GitHub issues for general support questions. diff --git a/agents.md b/agents.md new file mode 100644 index 0000000..a9a661e --- /dev/null +++ b/agents.md @@ -0,0 +1,111 @@ +# agents.md — ocis + +## Repository Overview + +This repository builds the official **ownCloud Infinite Scale (oCIS)** Docker +images (`owncloud/ocis` on Docker Hub, plus the daily `owncloud/ocis-rolling`). +It does not contain the oCIS source code — it builds oCIS **from source** via a +multi-stage Dockerfile and ships a minimal Alpine runtime image. Images are +multi-architecture and built via GitHub Actions. + +- **Classification:** Docker image build (from source) +- **Activity Status:** Active +- **License:** Apache-2.0 +- **Language:** Dockerfile, Shell + +## Architecture & Key Paths + +- `v8/` — oCIS 8.x build context + - `v8/Dockerfile.multiarch` — three-stage build: + - **node-builder** — clones oCIS at `v${VERSION}`, builds the IDP React + frontend (`pnpm build`) and pulls the web assets (`make pull-assets`); + both are needed at compile time due to `//go:embed`. The `pnpm` step is + skipped automatically on newer `master` ("no-npm") commits. + - **go-builder** — compiles the oCIS binary with CGO + libvips via the + upstream `release-linux-docker-${TARGETARCH}` Makefile target. + - **runtime** — minimal Alpine image; runs `apk upgrade` at build time so + OS security fixes are picked up immediately. + - `v8/.trivyignore` — accepted-CVE exclusions for the Trivy scan +- `ubuntu-wf/` — helper directory +- `docs/` — design/spec notes +- `.github/workflows/main.yml` — **active** CI: builds the release matrix +- `.github/workflows/rolling.yml` — nightly build tracking oCIS `master` +- `.github/workflows/lint-pr-title.yml` — Conventional-Commit PR-title enforcement +- `.github/dependabot.yml` — weekly GitHub Actions dependency updates +- `.github/CODEOWNERS` — review ownership +- `.renovaterc.json` — Renovate preset for Docker digest updates +- `.editorconfig` — formatting rules (2-space indent, LF, trailing newline) +- `.trivyignore` — repo-root accepted-CVE exclusions +- `LICENSE` — Apache-2.0 + +There is **no `CHANGELOG.md`** in this repository. + +## Build & CI + +The image is built entirely from source. CI (`main.yml`) calls the reusable +`docker-build-native.yml` workflow hosted in +[`owncloud-docker/ubuntu`](https://github.com/owncloud-docker/ubuntu): + +- Release matrix builds tagged oCIS versions (e.g. `8.0.5` → `8.0`, `8`; + `8.1.0-rc.2` exact tag only), plus immutable `-YYYYMMDD` tags. +- `rolling.yml` resolves oCIS `master` HEAD nightly and publishes + `owncloud/ocis-rolling` (`latest`, `YYYYMMDD`, `sha-`). `VERSION` is + left empty on purpose so the build derives the version from the git HEAD. +- Smoke test: poll `https://localhost:9200/status.php` (with `OCIS_INSECURE=true`) + and assert `.productversion` matches the built tag. +- Trivy vulnerability scan (`.trivyignore` + `v8/.trivyignore`). +- On non-PR events: push to Docker Hub and sync the README as the description. + +To build locally: + +```bash +docker buildx build \ + --build-arg VERSION=8.0.5 \ + --build-arg REVISION=$(git rev-parse HEAD) \ + --platform linux/amd64 \ + -f v8/Dockerfile.multiarch v8/ +``` + +The image exposes port `9200` and uses volumes `/var/lib/ocis`, `/etc/ocis`. + +## Development Conventions + +- **No CHANGELOG** — do not create one. +- Conventional-Commit PR titles, enforced by `lint-pr-title.yml`. +- `.editorconfig` governs formatting. +- GitHub Actions are pinned to full commit SHAs. +- Bug reports for oCIS itself go upstream to + [`owncloud/ocis`](https://github.com/owncloud/ocis); this repo tracks only the + Docker packaging. + +## OSPO Policy Constraints + +### GitHub Actions +- **Only** use actions owned by `owncloud`, created by GitHub (`actions/*`), + verified on the GitHub Marketplace, or verified by the ownCloud Maintainers. +- Pin all actions to their full commit SHA (not tags): `uses: actions/checkout@ # vX.Y.Z`. +- Never introduce actions from unverified third parties. + +### Dependency Management +- Dependabot is configured for GitHub Actions updates; Renovate handles Docker + base-image digest updates. +- Review and merge dependency PRs as part of regular maintenance. + +### Git Workflow +- **Rebase policy**: Always rebase; never create merge commits. +- **Signed commits**: All commits **must** be PGP/GPG signed (`git commit -S`). +- **DCO sign-off**: Every commit needs a `Signed-off-by` line (`git commit -s`). +- **Conventional Commits & Squash Merge**: PR titles must follow + [Conventional Commits](https://www.conventionalcommits.org/); the PR title + becomes the squash-merge commit message and is enforced by CI. + +## Context for AI Agents + +- This is a Docker-image build repo that compiles oCIS from source — not the oCIS + application codebase. +- The active build systems are `main.yml` (releases) and `rolling.yml` (nightly + master); the rolling build intentionally leaves `VERSION` empty. +- The README is published verbatim as the Docker Hub image description — keep it + accurate and self-contained. +- License is **Apache-2.0**, which is the OSPO's ecosystem-wide migration target; + no relicensing is required.