From 6381c95f342191d0e09cc027a14ffe9aa890af4f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Mon, 6 Jul 2026 09:27:36 +0200 Subject: [PATCH 1/2] =?UTF-8?q?docs(ospo):=20community=20health=20rollout?= =?UTF-8?q?=20v2=20=E2=80=94=20README,=20agents.md,=20health=20files?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Incorporate the Kiteworks OSPO community health rollout v2 (adapted from owncloud-docker/server#637) into this repository, with all repo-specific facts adjusted for the oCIS build-from-source image repo. - README.md: append Community & Support, Contributing, Security and About the ownCloud OSPO sections plus License and OSPO badges (additive — the existing Docker reference is kept since it is synced to Docker Hub) - agents.md: new AI-agent context file describing the multi-stage build, rolling image, CI and OSPO policy - CODE_OF_CONDUCT.md, CONTRIBUTING.md, SECURITY.md, SUPPORT.md: new community health files License is Apache-2.0 — already the OSPO's ecosystem-wide migration target, so no relicensing is required. This repo has no CHANGELOG.md by convention, so none was added. Co-Authored-By: Claude Opus 4.8 Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- CODE_OF_CONDUCT.md | 8 ++++ CONTRIBUTING.md | 34 ++++++++++++++ README.md | 58 +++++++++++++++++++++++ SECURITY.md | 11 +++++ SUPPORT.md | 10 ++++ agents.md | 111 +++++++++++++++++++++++++++++++++++++++++++++ 6 files changed, 232 insertions(+) create mode 100644 CODE_OF_CONDUCT.md create mode 100644 CONTRIBUTING.md create mode 100644 SECURITY.md create mode 100644 SUPPORT.md create mode 100644 agents.md diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md new file mode 100644 index 0000000..ce144bf --- /dev/null +++ b/CODE_OF_CONDUCT.md @@ -0,0 +1,8 @@ +# Code of Conduct + +This project follows the ownCloud Code of Conduct. + +Please read the full Code of Conduct at: +**** + +By participating in this project, you agree to abide by its terms. diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md new file mode 100644 index 0000000..85db846 --- /dev/null +++ b/CONTRIBUTING.md @@ -0,0 +1,34 @@ +# Contributing + +Thank you for your interest in contributing to this project! + +Please read the full contributing guidelines at: +**** + +## About this repository + +This repository builds the official **ownCloud Infinite Scale (oCIS)** Docker +images ([`owncloud/ocis`](https://hub.docker.com/r/owncloud/ocis) and the daily +[`owncloud/ocis-rolling`](https://hub.docker.com/r/owncloud/ocis-rolling)). It is +not the oCIS source code — it builds oCIS from source via a multi-stage +Dockerfile. Bug reports and feature requests for oCIS itself belong in the +upstream [`owncloud/ocis`](https://github.com/owncloud/ocis) repository; use this +repository's issues only for the Docker packaging. See the [README](README.md) +for build details, supported tags and usage. + +## Pull requests + +- **Rebase Early, Rebase Often!** We use a rebase workflow. Rebase on the target + branch before submitting a PR; do not create merge commits. +- **Signed commits**: All commits **must** be PGP/GPG signed. See + [GitHub's signing guide](https://docs.github.com/en/authentication/managing-commit-signature-verification). +- **DCO Sign-off**: Every commit must carry a `Signed-off-by` line: + ``` + git commit -S -s -m "your commit message" + ``` +- **Conventional Commits**: PR titles must follow the + [Conventional Commits](https://www.conventionalcommits.org/) format — this is + enforced by CI, and the PR title becomes the squash-merge commit message. +- **GitHub Actions Policy**: Workflows may only use actions that are (a) owned by + `owncloud`, (b) created by GitHub (`actions/*`), or (c) verified in the GitHub + Marketplace. Pin all actions to their full commit SHA. diff --git a/README.md b/README.md index 551b72d..cf6eebb 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,8 @@ # ownCloud Infinite Scale Docker Image [![Docker Pulls](https://img.shields.io/docker/pulls/owncloud/ocis.svg)](https://hub.docker.com/r/owncloud/ocis) +[![License: Apache-2.0](https://img.shields.io/github/license/owncloud-docker/ocis)](https://github.com/owncloud-docker/ocis/blob/master/LICENSE) +[![ownCloud OSPO](https://img.shields.io/badge/OSPO-ownCloud-blue)](https://kiteworks.com/opensource) Docker image for [ownCloud Infinite Scale (oCIS)](https://github.com/owncloud/ocis) — a modern file-sync and share platform. @@ -96,6 +98,62 @@ The GitHub Actions workflow (`.github/workflows/main.yml`) builds and validates 3. **Smoke test** — starts the container, polls `https://localhost:9200/status.php` every 2s for up to 62s, and verifies the `.productversion` field in the JSON response matches the built tag. Uses `OCIS_INSECURE=true` to allow self-signed TLS on the test runner. 4. **Publish** — pushes to Docker Hub with floating major/minor tags (on `master` only). +## Community & Support + +- [ownCloud Website](https://owncloud.com) +- [Community Discussions](https://github.com/orgs/owncloud/discussions) +- [Matrix Chat](https://app.element.io/#/room/#owncloud:matrix.org) +- [Documentation](https://doc.owncloud.com) +- [Enterprise Support](https://owncloud.com/contact-us/) +- [OSPO Home](https://kiteworks.com/opensource) + +See [SUPPORT.md](SUPPORT.md) for the full list of support channels. + +## Contributing + +We welcome contributions! Please read the [Contributing Guidelines](CONTRIBUTING.md) +and our [Code of Conduct](CODE_OF_CONDUCT.md) before getting started. + +- **Rebase Early, Rebase Often!** We use a rebase workflow — rebase on the target + branch before submitting a PR. +- **Signed commits**: All commits **must** be PGP/GPG signed and carry a DCO + `Signed-off-by` line (`git commit -S -s`). +- **Conventional Commits**: PR titles must follow the + [Conventional Commits](https://www.conventionalcommits.org/) format — enforced + by CI. +- **GitHub Actions Policy**: Workflows may only use actions owned by `owncloud`, + created by GitHub (`actions/*`), or verified in the GitHub Marketplace, pinned + to a full commit SHA. + +Note: bug reports and feature requests for oCIS itself belong upstream in +[`owncloud/ocis`](https://github.com/owncloud/ocis) — this repository tracks only +the Docker packaging. + +## Security + +**Do not open a public GitHub issue for security vulnerabilities.** + +Report vulnerabilities at **** — see [SECURITY.md](SECURITY.md). + +Bug bounty: [YesWeHack ownCloud Program](https://yeswehack.com/programs/owncloud-bug-bounty-program) + +## About the ownCloud OSPO + +The [Kiteworks Open Source Program Office](https://kiteworks.com/opensource), operating under +the [ownCloud](https://owncloud.com) brand, launched on May 5, 2026, to steward the open source +ecosystem around ownCloud's products. The OSPO ensures transparent governance, license compliance, +community health, and sustainable collaboration between the open source community and +[Kiteworks](https://www.kiteworks.com), which acquired ownCloud in 2023. + +- **OSPO Home**: +- **GitHub**: +- **ownCloud**: + +For questions about the OSPO or licensing, contact ospo@kiteworks.com. + +This repository is licensed under the **Apache License 2.0**, which is the license +the OSPO is adopting across the ecosystem. No relicensing is required. + ## License Apache-2.0 — see [LICENSE](LICENSE). diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..78094ae --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,11 @@ +# Security Policy + +## Reporting a Vulnerability + +**Do NOT open a public GitHub issue for security vulnerabilities.** + +Please report security issues responsibly via: +**** + +You can also report vulnerabilities through our YesWeHack bug bounty program: +**** diff --git a/SUPPORT.md b/SUPPORT.md new file mode 100644 index 0000000..bed05d6 --- /dev/null +++ b/SUPPORT.md @@ -0,0 +1,10 @@ +# Support + +For support with this project, please use the following channels: + +- **Enterprise Support**: +- **Community discussions**: +- **Matrix Chat**: +- **Documentation**: + +Please do not use GitHub issues for general support questions. diff --git a/agents.md b/agents.md new file mode 100644 index 0000000..017da11 --- /dev/null +++ b/agents.md @@ -0,0 +1,111 @@ +# agents.md — ocis + +## Repository Overview + +This repository builds the official **ownCloud Infinite Scale (oCIS)** Docker +images (`owncloud/ocis` on Docker Hub, plus the daily `owncloud/ocis-rolling`). +It does not contain the oCIS source code — it builds oCIS **from source** via a +multi-stage Dockerfile and ships a minimal Alpine runtime image. Images are +multi-architecture and built via GitHub Actions. + +- **Classification:** Docker image build (from source) +- **Activity Status:** Active +- **License:** Apache-2.0 +- **Language:** Dockerfile, Shell + +## Architecture & Key Paths + +- `v8/` — oCIS 8.x build context + - `v8/Dockerfile.multiarch` — three-stage build: + 1. **node-builder** — clones oCIS at `v${VERSION}`, builds the IDP React + frontend (`pnpm build`) and pulls the web assets (`make pull-assets`); + both are needed at compile time due to `//go:embed`. The `pnpm` step is + skipped automatically on newer `master` ("no-npm") commits. + 2. **go-builder** — compiles the oCIS binary with CGO + libvips via the + upstream `release-linux-docker-${TARGETARCH}` Makefile target. + 3. **runtime** — minimal Alpine image; runs `apk upgrade` at build time so + OS security fixes are picked up immediately. + - `v8/.trivyignore` — accepted-CVE exclusions for the Trivy scan +- `ubuntu-wf/` — helper directory +- `docs/` — design/spec notes +- `.github/workflows/main.yml` — **active** CI: builds the release matrix +- `.github/workflows/rolling.yml` — nightly build tracking oCIS `master` +- `.github/workflows/lint-pr-title.yml` — Conventional-Commit PR-title enforcement +- `.github/dependabot.yml` — weekly GitHub Actions dependency updates +- `.github/CODEOWNERS` — review ownership +- `.renovaterc.json` — Renovate preset for Docker digest updates +- `.editorconfig` — formatting rules (2-space indent, LF, trailing newline) +- `.trivyignore` — repo-root accepted-CVE exclusions +- `LICENSE` — Apache-2.0 + +There is **no `CHANGELOG.md`** in this repository. + +## Build & CI + +The image is built entirely from source. CI (`main.yml`) calls the reusable +`docker-build-native.yml` workflow hosted in +[`owncloud-docker/ubuntu`](https://github.com/owncloud-docker/ubuntu): + +- Release matrix builds tagged oCIS versions (e.g. `8.0.5` → `8.0`, `8`; + `8.1.0-rc.2` exact tag only), plus immutable `-YYYYMMDD` tags. +- `rolling.yml` resolves oCIS `master` HEAD nightly and publishes + `owncloud/ocis-rolling` (`latest`, `YYYYMMDD`, `sha-`). `VERSION` is + left empty on purpose so the build derives the version from the git HEAD. +- Smoke test: poll `https://localhost:9200/status.php` (with `OCIS_INSECURE=true`) + and assert `.productversion` matches the built tag. +- Trivy vulnerability scan (`.trivyignore` + `v8/.trivyignore`). +- On non-PR events: push to Docker Hub and sync the README as the description. + +To build locally: + +```bash +docker buildx build \ + --build-arg VERSION=8.0.5 \ + --build-arg REVISION=$(git rev-parse HEAD) \ + --platform linux/amd64 \ + -f v8/Dockerfile.multiarch v8/ +``` + +The image exposes port `9200` and uses volumes `/var/lib/ocis`, `/etc/ocis`. + +## Development Conventions + +- **No CHANGELOG** — do not create one. +- Conventional-Commit PR titles, enforced by `lint-pr-title.yml`. +- `.editorconfig` governs formatting. +- GitHub Actions are pinned to full commit SHAs. +- Bug reports for oCIS itself go upstream to + [`owncloud/ocis`](https://github.com/owncloud/ocis); this repo tracks only the + Docker packaging. + +## OSPO Policy Constraints + +### GitHub Actions +- **Only** use actions owned by `owncloud`, created by GitHub (`actions/*`), + verified on the GitHub Marketplace, or verified by the ownCloud Maintainers. +- Pin all actions to their full commit SHA (not tags): `uses: actions/checkout@ # vX.Y.Z`. +- Never introduce actions from unverified third parties. + +### Dependency Management +- Dependabot is configured for GitHub Actions updates; Renovate handles Docker + base-image digest updates. +- Review and merge dependency PRs as part of regular maintenance. + +### Git Workflow +- **Rebase policy**: Always rebase; never create merge commits. +- **Signed commits**: All commits **must** be PGP/GPG signed (`git commit -S`). +- **DCO sign-off**: Every commit needs a `Signed-off-by` line (`git commit -s`). +- **Conventional Commits & Squash Merge**: PR titles must follow + [Conventional Commits](https://www.conventionalcommits.org/); the PR title + becomes the squash-merge commit message and is enforced by CI. + +## Context for AI Agents + +- This is a Docker-image build repo that compiles oCIS from source — not the oCIS + application codebase. +- The active build systems are `main.yml` (releases) and `rolling.yml` (nightly + master); the rolling build intentionally leaves `VERSION` empty. +- The README is published verbatim as the Docker Hub image description — keep it + accurate and self-contained. +- License is **Apache-2.0**, which is the OSPO's ecosystem-wide migration target; + no relicensing is required. From f1184805d79325fc7355b820e533f6976502711a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Mon, 6 Jul 2026 09:42:59 +0200 Subject: [PATCH 2/2] fix(ospo): satisfy editorconfig indent rule in agents.md MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The lint-editorconfig CI check failed: the numbered sub-list under the Dockerfile build description had continuation lines padded to 7 spaces, which is not a multiple of the repo's `indent_size = 2`. Convert the numbered sub-list to a bullet sub-list so continuation lines align at an even column, matching the pattern used in owncloud-docker/server/agents.md. Co-Authored-By: Claude Opus 4.8 Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- agents.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/agents.md b/agents.md index 017da11..a9a661e 100644 --- a/agents.md +++ b/agents.md @@ -17,14 +17,14 @@ multi-architecture and built via GitHub Actions. - `v8/` — oCIS 8.x build context - `v8/Dockerfile.multiarch` — three-stage build: - 1. **node-builder** — clones oCIS at `v${VERSION}`, builds the IDP React - frontend (`pnpm build`) and pulls the web assets (`make pull-assets`); - both are needed at compile time due to `//go:embed`. The `pnpm` step is - skipped automatically on newer `master` ("no-npm") commits. - 2. **go-builder** — compiles the oCIS binary with CGO + libvips via the - upstream `release-linux-docker-${TARGETARCH}` Makefile target. - 3. **runtime** — minimal Alpine image; runs `apk upgrade` at build time so - OS security fixes are picked up immediately. + - **node-builder** — clones oCIS at `v${VERSION}`, builds the IDP React + frontend (`pnpm build`) and pulls the web assets (`make pull-assets`); + both are needed at compile time due to `//go:embed`. The `pnpm` step is + skipped automatically on newer `master` ("no-npm") commits. + - **go-builder** — compiles the oCIS binary with CGO + libvips via the + upstream `release-linux-docker-${TARGETARCH}` Makefile target. + - **runtime** — minimal Alpine image; runs `apk upgrade` at build time so + OS security fixes are picked up immediately. - `v8/.trivyignore` — accepted-CVE exclusions for the Trivy scan - `ubuntu-wf/` — helper directory - `docs/` — design/spec notes