From f40d2a0b437915bda2326dec00db8ddd52e77c32 Mon Sep 17 00:00:00 2001 From: Julian Koberg Date: Thu, 9 Jul 2026 10:53:50 +0200 Subject: [PATCH 1/2] feat: add oCIS 8.2.0-rc.1 image (release candidate, exact tag only) owncloud/ocis will tag 8.2.0-rc.1. Add it to the build matrix so CI builds and publishes owncloud/ocis:8.2.0-rc.1 once the upstream git tag exists. The RC carries no floating tags (extra-tags: ""): 8.1/8/latest track the latest stable release and must not be repointed at unreleased RC code. Only 8.2.0-rc.1 and the date-qualified 8.2.0-rc.1-YYYYMMDD tags are published. The version uses upstream's dotted convention (v8.2.0-rc.1). Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/main.yml | 3 +++ README.md | 1 + 2 files changed, 4 insertions(+) diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 6bd1fbc..a178ff5 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -51,6 +51,9 @@ jobs: strategy: matrix: release: + - version: "8.2.0-rc.1" + dir: "v8" + extra-tags: "" - version: "8.1.0" dir: "v8" extra-tags: | diff --git a/README.md b/README.md index 62fb877..a9f1d76 100644 --- a/README.md +++ b/README.md @@ -21,6 +21,7 @@ docker run --rm \ | Tag | oCIS Version | |-----|-------------| +| `8.2.0-rc.1` | 8.2.0-rc.1 (release candidate — exact tag only, no floating tags) | | `8.1.0`, `8.1`, `8` | 8.1.0 (latest stable) | | `8.0.5`, `8.0` | 8.0.5 | | `-YYYYMMDD` | Immutable per-build tag (e.g. `8.1.0-20260703`) | From 2d4fdf24e124bf77dc7210727eaeba8fdc918131 Mon Sep 17 00:00:00 2001 From: Julian Koberg Date: Mon, 13 Jul 2026 17:59:22 +0200 Subject: [PATCH 2/2] fix: ignore CVE-2026-39822 and CVE-2026-39831 in trivy scan Add two HIGH-severity CVEs surfaced by the Trivy scan on PR #32 to v8/.trivyignore. Both are baked into the oCIS Go binary and cannot be fixed by this repo: - CVE-2026-39822 (stdlib, Go os.Root symlink following) - CVE-2026-39831 (golang.org/x/crypto ssh, fixed in 0.52.0) Co-Authored-By: Claude Opus 4.8 (1M context) --- v8/.trivyignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/v8/.trivyignore b/v8/.trivyignore index 7a483a4..f799295 100644 --- a/v8/.trivyignore +++ b/v8/.trivyignore @@ -30,6 +30,7 @@ CVE-2026-25679 exp:2026-10-22 CVE-2026-32280 exp:2026-10-22 CVE-2026-32281 exp:2026-10-22 CVE-2026-32283 exp:2026-10-22 +CVE-2026-39822 exp:2026-10-22 # golang.org/x/crypto v0.51.0 (fixed in 0.52.0) — will be fixed in oCIS 8.0.6 CVE-2026-39827 exp:2026-10-22 @@ -41,3 +42,4 @@ CVE-2026-39835 exp:2026-10-22 CVE-2026-42508 exp:2026-10-22 CVE-2026-46595 exp:2026-10-22 CVE-2026-46597 exp:2026-10-22 +CVE-2026-39831 exp:2026-10-22