Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions CODE_OF_CONDUCT.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
# Code of Conduct

This project follows the ownCloud Code of Conduct.

Please read the full Code of Conduct at:
**<https://owncloud.com/contribute/code-of-conduct/>**

By participating in this project, you agree to abide by its terms.
34 changes: 34 additions & 0 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,34 @@
# Contributing

Thank you for your interest in contributing to this project!

Please read the full contributing guidelines at:
**<https://owncloud.com/contribute/>**

## About this repository

This repository builds the official **ownCloud Infinite Scale (oCIS)** Docker
images ([`owncloud/ocis`](https://hub.docker.com/r/owncloud/ocis) and the daily
[`owncloud/ocis-rolling`](https://hub.docker.com/r/owncloud/ocis-rolling)). It is
not the oCIS source code — it builds oCIS from source via a multi-stage
Dockerfile. Bug reports and feature requests for oCIS itself belong in the
upstream [`owncloud/ocis`](https://github.com/owncloud/ocis) repository; use this
repository's issues only for the Docker packaging. See the [README](README.md)
for build details, supported tags and usage.

## Pull requests

- **Rebase Early, Rebase Often!** We use a rebase workflow. Rebase on the target
branch before submitting a PR; do not create merge commits.
- **Signed commits**: All commits **must** be PGP/GPG signed. See
[GitHub's signing guide](https://docs.github.com/en/authentication/managing-commit-signature-verification).
- **DCO Sign-off**: Every commit must carry a `Signed-off-by` line:
```
git commit -S -s -m "your commit message"
```
- **Conventional Commits**: PR titles must follow the
[Conventional Commits](https://www.conventionalcommits.org/) format — this is
enforced by CI, and the PR title becomes the squash-merge commit message.
- **GitHub Actions Policy**: Workflows may only use actions that are (a) owned by
`owncloud`, (b) created by GitHub (`actions/*`), or (c) verified in the GitHub
Marketplace. Pin all actions to their full commit SHA.
58 changes: 58 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
# ownCloud Infinite Scale Docker Image

[![Docker Pulls](https://img.shields.io/docker/pulls/owncloud/ocis.svg)](https://hub.docker.com/r/owncloud/ocis)
[![License: Apache-2.0](https://img.shields.io/github/license/owncloud-docker/ocis)](https://github.com/owncloud-docker/ocis/blob/master/LICENSE)
[![ownCloud OSPO](https://img.shields.io/badge/OSPO-ownCloud-blue)](https://kiteworks.com/opensource)

Docker image for [ownCloud Infinite Scale (oCIS)](https://github.com/owncloud/ocis) — a modern file-sync and share platform.

Expand Down Expand Up @@ -96,6 +98,62 @@ The GitHub Actions workflow (`.github/workflows/main.yml`) builds and validates
3. **Smoke test** — starts the container, polls `https://localhost:9200/status.php` every 2s for up to 62s, and verifies the `.productversion` field in the JSON response matches the built tag. Uses `OCIS_INSECURE=true` to allow self-signed TLS on the test runner.
4. **Publish** — pushes to Docker Hub with floating major/minor tags (on `master` only).

## Community & Support

- [ownCloud Website](https://owncloud.com)
- [Community Discussions](https://github.com/orgs/owncloud/discussions)
- [Matrix Chat](https://app.element.io/#/room/#owncloud:matrix.org)
- [Documentation](https://doc.owncloud.com)
- [Enterprise Support](https://owncloud.com/contact-us/)
- [OSPO Home](https://kiteworks.com/opensource)

See [SUPPORT.md](SUPPORT.md) for the full list of support channels.

## Contributing

We welcome contributions! Please read the [Contributing Guidelines](CONTRIBUTING.md)
and our [Code of Conduct](CODE_OF_CONDUCT.md) before getting started.

- **Rebase Early, Rebase Often!** We use a rebase workflow — rebase on the target
branch before submitting a PR.
- **Signed commits**: All commits **must** be PGP/GPG signed and carry a DCO
`Signed-off-by` line (`git commit -S -s`).
- **Conventional Commits**: PR titles must follow the
[Conventional Commits](https://www.conventionalcommits.org/) format — enforced
by CI.
- **GitHub Actions Policy**: Workflows may only use actions owned by `owncloud`,
created by GitHub (`actions/*`), or verified in the GitHub Marketplace, pinned
to a full commit SHA.

Note: bug reports and feature requests for oCIS itself belong upstream in
[`owncloud/ocis`](https://github.com/owncloud/ocis) — this repository tracks only
the Docker packaging.

## Security

**Do not open a public GitHub issue for security vulnerabilities.**

Report vulnerabilities at **<https://security.owncloud.com>** — see [SECURITY.md](SECURITY.md).

Bug bounty: [YesWeHack ownCloud Program](https://yeswehack.com/programs/owncloud-bug-bounty-program)

## About the ownCloud OSPO

The [Kiteworks Open Source Program Office](https://kiteworks.com/opensource), operating under
the [ownCloud](https://owncloud.com) brand, launched on May 5, 2026, to steward the open source
ecosystem around ownCloud's products. The OSPO ensures transparent governance, license compliance,
community health, and sustainable collaboration between the open source community and
[Kiteworks](https://www.kiteworks.com), which acquired ownCloud in 2023.

- **OSPO Home**: <https://kiteworks.com/opensource>
- **GitHub**: <https://github.com/owncloud>
- **ownCloud**: <https://owncloud.com>

For questions about the OSPO or licensing, contact [email protected].

This repository is licensed under the **Apache License 2.0**, which is the license
the OSPO is adopting across the ecosystem. No relicensing is required.

## License

Apache-2.0 — see [LICENSE](LICENSE).
11 changes: 11 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
# Security Policy

## Reporting a Vulnerability

**Do NOT open a public GitHub issue for security vulnerabilities.**

Please report security issues responsibly via:
**<https://security.owncloud.com>**

You can also report vulnerabilities through our YesWeHack bug bounty program:
**<https://yeswehack.com/programs/owncloud-bug-bounty-program>**
10 changes: 10 additions & 0 deletions SUPPORT.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
# Support

For support with this project, please use the following channels:

- **Enterprise Support**: <https://owncloud.com/contact-us/>
- **Community discussions**: <https://github.com/orgs/owncloud/discussions>
- **Matrix Chat**: <https://app.element.io/#/room/#owncloud:matrix.org>
- **Documentation**: <https://doc.owncloud.com>

Please do not use GitHub issues for general support questions.
111 changes: 111 additions & 0 deletions agents.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,111 @@
# agents.md — ocis

## Repository Overview

This repository builds the official **ownCloud Infinite Scale (oCIS)** Docker
images (`owncloud/ocis` on Docker Hub, plus the daily `owncloud/ocis-rolling`).
It does not contain the oCIS source code — it builds oCIS **from source** via a
multi-stage Dockerfile and ships a minimal Alpine runtime image. Images are
multi-architecture and built via GitHub Actions.

- **Classification:** Docker image build (from source)
- **Activity Status:** Active
- **License:** Apache-2.0
- **Language:** Dockerfile, Shell

## Architecture & Key Paths

- `v8/` — oCIS 8.x build context
- `v8/Dockerfile.multiarch` — three-stage build:
- **node-builder** — clones oCIS at `v${VERSION}`, builds the IDP React
frontend (`pnpm build`) and pulls the web assets (`make pull-assets`);
both are needed at compile time due to `//go:embed`. The `pnpm` step is
skipped automatically on newer `master` ("no-npm") commits.
- **go-builder** — compiles the oCIS binary with CGO + libvips via the
upstream `release-linux-docker-${TARGETARCH}` Makefile target.
- **runtime** — minimal Alpine image; runs `apk upgrade` at build time so
OS security fixes are picked up immediately.
- `v8/.trivyignore` — accepted-CVE exclusions for the Trivy scan
- `ubuntu-wf/` — helper directory
- `docs/` — design/spec notes
- `.github/workflows/main.yml` — **active** CI: builds the release matrix
- `.github/workflows/rolling.yml` — nightly build tracking oCIS `master`
- `.github/workflows/lint-pr-title.yml` — Conventional-Commit PR-title enforcement
- `.github/dependabot.yml` — weekly GitHub Actions dependency updates
- `.github/CODEOWNERS` — review ownership
- `.renovaterc.json` — Renovate preset for Docker digest updates
- `.editorconfig` — formatting rules (2-space indent, LF, trailing newline)
- `.trivyignore` — repo-root accepted-CVE exclusions
- `LICENSE` — Apache-2.0

There is **no `CHANGELOG.md`** in this repository.

## Build & CI

The image is built entirely from source. CI (`main.yml`) calls the reusable
`docker-build-native.yml` workflow hosted in
[`owncloud-docker/ubuntu`](https://github.com/owncloud-docker/ubuntu):

- Release matrix builds tagged oCIS versions (e.g. `8.0.5` → `8.0`, `8`;
`8.1.0-rc.2` exact tag only), plus immutable `<version>-YYYYMMDD` tags.
- `rolling.yml` resolves oCIS `master` HEAD nightly and publishes
`owncloud/ocis-rolling` (`latest`, `YYYYMMDD`, `sha-<short>`). `VERSION` is
left empty on purpose so the build derives the version from the git HEAD.
- Smoke test: poll `https://localhost:9200/status.php` (with `OCIS_INSECURE=true`)
and assert `.productversion` matches the built tag.
- Trivy vulnerability scan (`.trivyignore` + `v8/.trivyignore`).
- On non-PR events: push to Docker Hub and sync the README as the description.

To build locally:

```bash
docker buildx build \
--build-arg VERSION=8.0.5 \
--build-arg REVISION=$(git rev-parse HEAD) \
--platform linux/amd64 \
-f v8/Dockerfile.multiarch v8/
```

The image exposes port `9200` and uses volumes `/var/lib/ocis`, `/etc/ocis`.

## Development Conventions

- **No CHANGELOG** — do not create one.
- Conventional-Commit PR titles, enforced by `lint-pr-title.yml`.
- `.editorconfig` governs formatting.
- GitHub Actions are pinned to full commit SHAs.
- Bug reports for oCIS itself go upstream to
[`owncloud/ocis`](https://github.com/owncloud/ocis); this repo tracks only the
Docker packaging.

## OSPO Policy Constraints

### GitHub Actions
- **Only** use actions owned by `owncloud`, created by GitHub (`actions/*`),
verified on the GitHub Marketplace, or verified by the ownCloud Maintainers.
- Pin all actions to their full commit SHA (not tags): `uses: actions/checkout@<SHA> # vX.Y.Z`.
- Never introduce actions from unverified third parties.

### Dependency Management
- Dependabot is configured for GitHub Actions updates; Renovate handles Docker
base-image digest updates.
- Review and merge dependency PRs as part of regular maintenance.

### Git Workflow
- **Rebase policy**: Always rebase; never create merge commits.
- **Signed commits**: All commits **must** be PGP/GPG signed (`git commit -S`).
- **DCO sign-off**: Every commit needs a `Signed-off-by` line (`git commit -s`).
- **Conventional Commits & Squash Merge**: PR titles must follow
[Conventional Commits](https://www.conventionalcommits.org/); the PR title
becomes the squash-merge commit message and is enforced by CI.

## Context for AI Agents

- This is a Docker-image build repo that compiles oCIS from source — not the oCIS
application codebase.
- The active build systems are `main.yml` (releases) and `rolling.yml` (nightly
master); the rolling build intentionally leaves `VERSION` empty.
- The README is published verbatim as the Docker Hub image description — keep it
accurate and self-contained.
- License is **Apache-2.0**, which is the OSPO's ecosystem-wide migration target;
no relicensing is required.