From b44fdf1d0dd58c5a4d20aaa5815b2a99bbef1446 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Tue, 5 May 2026 17:27:32 +0200 Subject: [PATCH 01/13] feat: build v7 oCIS binary from git source MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- v7/Dockerfile.multiarch | 40 +++++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/v7/Dockerfile.multiarch b/v7/Dockerfile.multiarch
index 5ddd9d4..5198a9c 100644
--- a/v7/Dockerfile.multiarch
+++ b/v7/Dockerfile.multiarch
@@ -1,21 +1,43 @@
-FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 AS downloader
+FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 AS node-builder
+
+ARG VERSION="7.3.2"
+
+RUN apk add --no-cache nodejs npm curl git make
+
+RUN npm install -g pnpm@10.12.1
+
+RUN git clone --depth 1 --branch "v${VERSION}" https://github.com/owncloud/ocis.git /build
+
+WORKDIR /build/services/idp
+RUN pnpm install --frozen-lockfile
+RUN pnpm build
+RUN curl -fsSL https://raw.githubusercontent.com/owncloud/assets/main/favicon.ico \
+ -o assets/identifier/static/favicon.ico
+
+WORKDIR /build/services/web
+RUN make pull-assets
+
+
+FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 AS go-builder
 ARG VERSION="7.3.2"
 ARG TARGETARCH
-RUN apk add --no-cache curl
+RUN apk add --no-cache go gcc musl-dev libvips-dev curl-dev make git
+
+COPY --from=node-builder /build /build
+
+WORKDIR /build/ocis
+
+RUN CGO_ENABLED=1 ENABLE_VIPS=true \
+ make release-linux-docker-${TARGETARCH} VERSION=${VERSION}
-RUN BASE_URL="https://github.com/owncloud/ocis/releases/download/v${VERSION}" && \
- curl -fsSL "${BASE_URL}/ocis-${VERSION}-linux-${TARGETARCH}" -o /usr/bin/ocis && \
- curl -fsSL "${BASE_URL}/ocis-${VERSION}-linux-${TARGETARCH}.sha256" -o /tmp/ocis.sha256 && \
- EXPECTED=$(awk '{print $1}' /tmp/ocis.sha256) && \
- echo "${EXPECTED} /usr/bin/ocis" | sha256sum -c - && \
- chmod +x /usr/bin/ocis
 FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11
 ARG VERSION=""
 ARG REVISION=""
+ARG TARGETARCH
 LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.title="ownCloud Infinite Scale" \
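Review bot: Both network fetches in the node-builder stage are unverified, whereas the removed downloader checked the release binary against its published sha256: `git clone --depth 1 --branch "v${VERSION}"` checks out whatever the tag points at on the day of the build, and the favicon is fetched from the `main` branch of owncloud/assets with no checksum, so the image is neither reproducible nor tamper-evident. Pin the source to a commit, e.g. `ARG OCIS_COMMIT=""` followed by `RUN git clone --depth 1 --branch "v${VERSION}" https://github.com/owncloud/ocis.git /build && { [ -z "${OCIS_COMMIT}" ] || [ "$(git -C /build rev-parse HEAD)" = "${OCIS_COMMIT}" ]; }`, and replace the favicon curl with `ADD --checksum=sha256:<favicon-sha256> https://raw.githubusercontent.com/owncloud/assets/main/favicon.ico assets/identifier/static/favicon.ico` (needs a `# syntax=docker/dockerfile:1` directive) or a `sha256sum -c` after the download. The `apk add` lines for the Go toolchain and the vips/curl headers are unpinned too, so the Go version that compiles the binary drifts with the package index even though the base image is digest-pinned; `apk add --no-cache go=<pinned-version> ...` keeps the build deterministic. The same points apply to the v8 hunk of the next patch.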
@@ -42,7 +64,7 @@ RUN mkdir -p /var/lib/ocis && \
 chown -R ocis-user:ocis-group /etc/ocis && \
 chmod -R 751 /etc/ocis
-COPY --from=downloader /usr/bin/ocis /usr/bin/ocis
+COPY --from=go-builder /build/ocis/dist/binaries/ocis-linux-${TARGETARCH} /usr/bin/ocis
 VOLUME [ "/var/lib/ocis", "/etc/ocis" ]
From 4d3334b7132bff3f77a96fd1c7fb2e54a7f078f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Tue, 5 May 2026 17:27:33 +0200 Subject: [PATCH 02/13] feat: build v8 oCIS binary from git source MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- v8/Dockerfile.multiarch | 40 +++++++++++++++++++++++++++++++--------- 1 file changed, 31 insertions(+), 9 deletions(-)
diff --git a/v8/Dockerfile.multiarch b/v8/Dockerfile.multiarch
index 979ea63..89d57be 100644
--- a/v8/Dockerfile.multiarch
+++ b/v8/Dockerfile.multiarch
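Review bot: The new `COPY --from=go-builder ... /usr/bin/ocis` relies on the build stage having left the binary executable, whereas the removed download path set `chmod +x` explicitly; `COPY --from=go-builder --chmod=0755 /build/ocis/dist/binaries/ocis-linux-${TARGETARCH} /usr/bin/ocis` makes the mode a property of this Dockerfile rather than of the upstream Makefile. The same line appears in the v8 hunk of the next patch.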
@@ -1,21 +1,43 @@
-FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 AS downloader
+FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 AS node-builder
+
+ARG VERSION="8.0.1"
+
+RUN apk add --no-cache nodejs npm curl git make
+
+RUN npm install -g pnpm@10.28.1
+
+RUN git clone --depth 1 --branch "v${VERSION}" https://github.com/owncloud/ocis.git /build
+
+WORKDIR /build/services/idp
+RUN pnpm install --frozen-lockfile
+RUN pnpm build
+RUN curl -fsSL https://raw.githubusercontent.com/owncloud/assets/main/favicon.ico \
+ -o assets/identifier/static/favicon.ico
+
+WORKDIR /build/services/web
+RUN make pull-assets
+
+
+FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 AS go-builder
 ARG VERSION="8.0.1"
 ARG TARGETARCH
-RUN apk add --no-cache curl
+RUN apk add --no-cache go gcc musl-dev libvips-dev curl-dev make git
+
+COPY --from=node-builder /build /build
+
+WORKDIR /build/ocis
+
+RUN CGO_ENABLED=1 ENABLE_VIPS=true \
+ make release-linux-docker-${TARGETARCH} VERSION=${VERSION}
-RUN BASE_URL="https://github.com/owncloud/ocis/releases/download/v${VERSION}" && \
- curl -fsSL "${BASE_URL}/ocis-${VERSION}-linux-${TARGETARCH}" -o /usr/bin/ocis && \
- curl -fsSL "${BASE_URL}/ocis-${VERSION}-linux-${TARGETARCH}.sha256" -o /tmp/ocis.sha256 && \
- EXPECTED=$(awk '{print $1}' /tmp/ocis.sha256) && \
- echo "${EXPECTED} /usr/bin/ocis" | sha256sum -c - && \
- chmod +x /usr/bin/ocis
 FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11
 ARG VERSION=""
 ARG REVISION=""
+ARG TARGETARCH
 LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.title="ownCloud Infinite Scale" \
@@ -42,7 +64,7 @@ RUN mkdir -p /var/lib/ocis && \
 chown -R ocis-user:ocis-group /etc/ocis && \
 chmod -R 751 /etc/ocis
-COPY --from=downloader /usr/bin/ocis /usr/bin/ocis
+COPY --from=go-builder /build/ocis/dist/binaries/ocis-linux-${TARGETARCH} /usr/bin/ocis
 VOLUME [ "/var/lib/ocis", "/etc/ocis" ]
From 6175e853941ce82cd367d669c8eade8e9f32ddaf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Tue, 5 May 2026 17:33:00 +0200 Subject: [PATCH 03/13] fix: use correct Alpine package name vips-dev instead of libvips-dev MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- v7/Dockerfile.multiarch | 2 +- v8/Dockerfile.multiarch | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/v7/Dockerfile.multiarch b/v7/Dockerfile.multiarch
index 5198a9c..424a0cb 100644
--- a/v7/Dockerfile.multiarch
+++ b/v7/Dockerfile.multiarch
@@ -23,7 +23,7 @@ FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145
 ARG VERSION="7.3.2"
 ARG TARGETARCH
-RUN apk add --no-cache go gcc musl-dev libvips-dev curl-dev make git
+RUN apk add --no-cache go gcc musl-dev vips-dev curl-dev make git
 COPY --from=node-builder /build /build
diff --git a/v8/Dockerfile.multiarch b/v8/Dockerfile.multiarch
index 89d57be..e3ad33d 100644
--- a/v8/Dockerfile.multiarch
+++ b/v8/Dockerfile.multiarch
@@ -23,7 +23,7 @@ FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145
 ARG VERSION="8.0.1"
 ARG TARGETARCH
-RUN apk add --no-cache go gcc musl-dev libvips-dev curl-dev make git
+RUN apk add --no-cache go gcc musl-dev vips-dev curl-dev make git
 COPY --from=node-builder /build /build
From 1a3c65cebda04d14220be74906a5a67ed1492c9c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Tue, 5 May 2026 17:36:05 +0200 Subject: [PATCH 04/13] fix: add bash to node-builder stage for make pull-assets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- v7/Dockerfile.multiarch | 2 +- v8/Dockerfile.multiarch | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/v7/Dockerfile.multiarch b/v7/Dockerfile.multiarch
index 424a0cb..c2664e4 100644
--- a/v7/Dockerfile.multiarch
+++ b/v7/Dockerfile.multiarch
@@ -2,7 +2,7 @@ FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145
 ARG VERSION="7.3.2"
-RUN apk add --no-cache nodejs npm curl git make
+RUN apk add --no-cache bash nodejs npm curl git make
 RUN npm install -g pnpm@10.12.1
diff --git a/v8/Dockerfile.multiarch b/v8/Dockerfile.multiarch
index e3ad33d..5aa2151 100644
--- a/v8/Dockerfile.multiarch
+++ b/v8/Dockerfile.multiarch
@@ -2,7 +2,7 @@ FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145
 ARG VERSION="8.0.1"
-RUN apk add --no-cache nodejs npm curl git make
+RUN apk add --no-cache bash nodejs npm curl git make
 RUN npm install -g pnpm@10.28.1
From 4bbe7c7bb7c7cd7d303339e5efb5834a2cc262de Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Tue, 5 May 2026 17:39:42 +0200 Subject: [PATCH 05/13] fix: add bash to go-builder stage for make targets MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- v7/Dockerfile.multiarch | 2 +- v8/Dockerfile.multiarch | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/v7/Dockerfile.multiarch b/v7/Dockerfile.multiarch
index c2664e4..b5c8fff 100644
--- a/v7/Dockerfile.multiarch
+++ b/v7/Dockerfile.multiarch
@@ -23,7 +23,7 @@ FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145
 ARG VERSION="7.3.2"
 ARG TARGETARCH
-RUN apk add --no-cache go gcc musl-dev vips-dev curl-dev make git
+RUN apk add --no-cache bash go gcc musl-dev vips-dev curl-dev make git
 COPY --from=node-builder /build /build
diff --git a/v8/Dockerfile.multiarch b/v8/Dockerfile.multiarch
index 5aa2151..0d63b8d 100644
--- a/v8/Dockerfile.multiarch
+++ b/v8/Dockerfile.multiarch
@@ -23,7 +23,7 @@ FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145
 ARG VERSION="8.0.1"
 ARG TARGETARCH
-RUN apk add --no-cache go gcc musl-dev vips-dev curl-dev make git
+RUN apk add --no-cache bash go gcc musl-dev vips-dev curl-dev make git
 COPY --from=node-builder /build /build
From 3d67bb4e8b2ff811e77c8796ef9b853d6e83da61 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Tue, 5 May 2026 18:10:19 +0200 Subject: [PATCH 06/13] feat: drop v7/7.3.2 - dead kopano upstream dependency prevents IDP build MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- .github/workflows/main.yml | 5 --- README.md | 1 - v7/.trivyignore | 35 ----------------- v7/Dockerfile.multiarch | 79 -------------------------------------- 4 files changed, 120 deletions(-) delete mode 100644 v7/.trivyignore delete mode 100644 v7/Dockerfile.multiarch
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index b41e08c..17ba31a 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -33,11 +33,6 @@ jobs:
 strategy:
 matrix:
 release:
- - version: "7.3.2"
- dir: "v7"
- extra-tags: |
- 7.3
- 7
 - version: "8.0.1"
 dir: "v8"
 extra-tags: |
diff --git a/README.md b/README.md
index e285cbb..f199fdf 100644
--- a/README.md
+++ b/README.md
@@ -18,7 +18,6 @@ docker run --rm \
 | Tag | oCIS Version |
 |-----|-------------|
 | `8.0.1` | 8.0.1 |
-| `7.3.2` | 7.3.2 |
 ## Volumes
diff --git a/v7/.trivyignore b/v7/.trivyignore
deleted file mode 100644
index 80ce25d..0000000
--- a/v7/.trivyignore
+++ /dev/null
@@ -1,35 +0,0 @@
-# CVEs in the oCIS 7.3.2 binary (Go dependencies). Unfixable by this repo — requires upstream owncloud/ocis release.
-
-# github.com/go-acme/lego/v4 v4.25.2
-CVE-2026-40611 exp:2026-10-22
-
-# github.com/go-jose/go-jose/v3 v3.0.4
-CVE-2026-34986 exp:2026-10-22
-
-# github.com/nats-io/nats-server/v2 v2.12.0
-CVE-2026-27889 exp:2026-10-22
-CVE-2026-29785 exp:2026-10-22
-CVE-2026-33216 exp:2026-10-22
-CVE-2026-33217 exp:2026-10-22
-CVE-2026-33218 exp:2026-10-22
-CVE-2026-33247 exp:2026-10-22
-
-# github.com/russellhaering/goxmldsig v1.5.0
-CVE-2026-33487 exp:2026-10-22
-
-# go.opentelemetry.io/otel/sdk v1.38.0
-CVE-2026-24051 exp:2026-10-22
-CVE-2026-39883 exp:2026-10-22
-
-# google.golang.org/grpc v1.75.1
-CVE-2026-33186 exp:2026-10-22
-
-# stdlib v1.24.10
-CVE-2025-68121 exp:2026-10-22
-CVE-2025-61726 exp:2026-10-22
-CVE-2025-61728 exp:2026-10-22
-CVE-2025-61729 exp:2026-10-22
-CVE-2026-25679 exp:2026-10-22
-CVE-2026-32280 exp:2026-10-22
-CVE-2026-32281 exp:2026-10-22
-CVE-2026-32283 exp:2026-10-22
diff --git a/v7/Dockerfile.multiarch b/v7/Dockerfile.multiarch
deleted file mode 100644
index b5c8fff..0000000
--- a/v7/Dockerfile.multiarch
+++ /dev/null
@@ -1,79 +0,0 @@
-FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 AS node-builder
-
-ARG VERSION="7.3.2"
-
-RUN apk add --no-cache bash nodejs npm curl git make
-
-RUN npm install -g pnpm@10.12.1
-
-RUN git clone --depth 1 --branch "v${VERSION}" https://github.com/owncloud/ocis.git /build
-
-WORKDIR /build/services/idp
-RUN pnpm install --frozen-lockfile
-RUN pnpm build
-RUN curl -fsSL https://raw.githubusercontent.com/owncloud/assets/main/favicon.ico \
- -o assets/identifier/static/favicon.ico
-
-WORKDIR /build/services/web
-RUN make pull-assets
-
-
-FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 AS go-builder
-
-ARG VERSION="7.3.2"
-ARG TARGETARCH
-
-RUN apk add --no-cache bash go gcc musl-dev vips-dev curl-dev make git
-
-COPY --from=node-builder /build /build
-
-WORKDIR /build/ocis
-
-RUN CGO_ENABLED=1 ENABLE_VIPS=true \
- make release-linux-docker-${TARGETARCH} VERSION=${VERSION}
-
-
-FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11
-
-ARG VERSION=""
-ARG REVISION=""
-ARG TARGETARCH
-
-LABEL maintainer="ownCloud GmbH " \
- org.opencontainers.image.title="ownCloud Infinite Scale" \
- org.opencontainers.image.vendor="ownCloud GmbH" \
- org.opencontainers.image.authors="ownCloud GmbH" \
- org.opencontainers.image.description="oCIS - ownCloud Infinite Scale is a modern file-sync and share platform" \
- org.opencontainers.image.licenses="Apache-2.0" \
- org.opencontainers.image.documentation="https://github.com/owncloud/ocis" \
- org.opencontainers.image.url="https://hub.docker.com/r/owncloud/ocis" \
- org.opencontainers.image.source="https://github.com/owncloud/ocis" \
- org.opencontainers.image.version="${VERSION}" \
- org.opencontainers.image.revision="${REVISION}"
-
-RUN apk add --no-cache attr bash ca-certificates curl inotify-tools libc6-compat mailcap tree vips patch && \
- echo 'hosts: files dns' >|
/etc/nsswitch.conf
-
-RUN addgroup -g 1000 -S ocis-group && \
- adduser -S --ingroup ocis-group --uid 1000 ocis-user --home /var/lib/ocis
-
-RUN mkdir -p /var/lib/ocis && \
- chown -R ocis-user:ocis-group /var/lib/ocis && \
- chmod -R 751 /var/lib/ocis && \
- mkdir -p /etc/ocis && \
- chown -R ocis-user:ocis-group /etc/ocis && \
- chmod -R 751 /etc/ocis
-
-COPY --from=go-builder /build/ocis/dist/binaries/ocis-linux-${TARGETARCH} /usr/bin/ocis
-
-VOLUME [ "/var/lib/ocis", "/etc/ocis" ]
-
-WORKDIR /var/lib/ocis
-
-USER 1000
-
-EXPOSE 9200/tcp
-
-ENTRYPOINT ["/usr/bin/ocis"]
-
-CMD ["server"]
From 1a81159a535ff7503392757c2a889b4d6c4b61e7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Wed, 6 May 2026 11:48:26 +0200 Subject: [PATCH 07/13] feat: enable BuildKit GHA cache for Docker build MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- .github/workflows/main.yml | 2 ++ 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 17ba31a..3a67dd8 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -24,6 +24,8 @@ jobs:
 docker-build-args: |
 VERSION=${{ matrix.release.version }}
 REVISION=${{ github.sha }}
+ docker-cache-from: type=gha
+ docker-cache-to: type=gha,mode=max
 trivy-ignore-files: .trivyignore,${{ matrix.release.dir }}/.trivyignore
 docker-extra-tags: ${{ matrix.release.extra-tags }}
 push: false
From 906b5f87751bdb249bb15ba40ebfe3a0b2239547 Mon Sep 17 00:00:00 2001
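Review bot: `docker-cache-to: type=gha,mode=max` exports under BuildKit's default cache scope, so every entry of the `release` matrix writes to the same cache key and the last build to finish wins; the matrix currently has a single release after the v7 removal, but adding a second entry would make the builds evict each other's layers on every run. Scoping the cache per release keeps each entry stable: `docker-cache-from: type=gha,scope=${{ matrix.release.dir }}` and `docker-cache-to: type=gha,mode=max,scope=${{ matrix.release.dir }}`. This assumes the reusable workflow passes these two inputs through to buildx unchanged, which is not visible in this hunk.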
From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Wed, 6 May 2026 15:39:17 +0200 Subject: [PATCH 08/13] fix: ignore CVE-2026-29181 in trivy scan for v8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit go.opentelemetry.io/otel/sdk v1.39.0 — unfixable by this repo, requires upstream owncloud/ocis release. Co-Authored-By: Claude Sonnet 4.6 Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- v8/.trivyignore | 1 + 1 file changed, 1 insertion(+)
diff --git a/v8/.trivyignore b/v8/.trivyignore
index 0b6db4c..88b0be4 100644
--- a/v8/.trivyignore
+++ b/v8/.trivyignore
@@ -19,6 +19,7 @@ CVE-2026-33487 exp:2026-10-22
 # go.opentelemetry.io/otel/sdk v1.39.0
 CVE-2026-24051 exp:2026-10-22
+CVE-2026-29181 exp:2026-10-22
 CVE-2026-39883 exp:2026-10-22
 # google.golang.org/grpc v1.78.0
From 13cccc159496722aaf954f42097ef8e6c0d40d75 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Thu, 7 May 2026 12:53:37 +0200 Subject: [PATCH 09/13] docs: add smoke test design spec MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- .../specs/2026-05-07-smoke-test-design.md | 44 +++++++++++++++++++ 1 file changed, 44 insertions(+) create mode 100644 docs/superpowers/specs/2026-05-07-smoke-test-design.md
diff --git a/docs/superpowers/specs/2026-05-07-smoke-test-design.md b/docs/superpowers/specs/2026-05-07-smoke-test-design.md
new file mode 100644
index 0000000..4a5ac41
--- /dev/null
+++ b/docs/superpowers/specs/2026-05-07-smoke-test-design.md
@@ -0,0 +1,44 @@
+# oCIS Docker Image: Smoke Test
+
+**Date:** 2026-05-07
+**Scope:** Add a smoke test to the `build` job in `.github/workflows/main.yml` that verifies the built oCIS image is functional before publishing.
+
+## Problem
+
+The CI pipeline builds and Trivy-scans the image but never runs it. A broken binary, a missing embedded asset, or a wrong embedded version would not be caught until after the image is published.
+
+## Design
+
+Wire the two smoke-test mechanisms already provided by `owncloud-docker/ubuntu/.github/workflows/docker-build.yml` into the existing `build` job. No new jobs or files are required.
+
+### Inputs added to the `build` job
+
+| Input | Value | Purpose |
+|---|---|---|
+| `smoke-test-cmd` | `/usr/bin/ocis version` | One-shot binary check: confirms binary is present and executable |
+| `smoke-test-port` | `9200` | Exposes the oCIS HTTPS port for polling |
+| `smoke-test-url` | `https://localhost:9200/status.php` | Endpoint polled for HTTP 200 |
+| `smoke-test-entrypoint-cmd` | `ocis init \|\| true; exec ocis server` | Initialises config then starts the server as PID 1 |
+| `smoke-test-env` | `OCIS_INSECURE=true` | Disables inter-service TLS verification for single-node test deployments |
+| `smoke-test-version-jq` | `.versionstring` | Extracts the semver string from the `/status.php` JSON response and asserts it equals `docker-tag` |
+
+### Execution order (within the reusable workflow)
+
+1. **Build** — multi-arch image pushed to local ephemeral registry
+2. **Trivy scan**
+3. **Smoke test (cmd)** — `docker run --rm image /bin/sh -c "/usr/bin/ocis version"`; exits 0 or fails the job
+4. **Smoke test (server)** — starts container with `ocis init || true; exec ocis server`, polls `https://localhost:9200/status.php` every 2s for up to 62s, verifies `.versionstring == docker-tag`
+
+Steps 3 and 4 are independent guards — both run if both inputs are set.
+
+### Constraints
+
+- **Startup time:** The workflow polls for 62s (31 × 2s).
oCIS starts ~20 microservices; 62s is generally sufficient on standard GitHub runners.
+- **TLS:** oCIS generates a self-signed cert on first run. `OCIS_INSECURE=true` disables inter-service TLS verification; `curl -sk` in the workflow skips cert validation for the external poll.
+- **Permissions:** The container runs as uid 1000 (`ocis-user`). `/var/lib/ocis` and `/etc/ocis` are already `chown`ed to that user in the Dockerfile. `ocis init` writes to both directories without permission issues.
+- **Ephemeral state:** The smoke test container is started with `--rm -d` and torn down after the poll. No volumes are mounted.
+- **Architecture:** The smoke test runs on `ubuntu-latest` (amd64). The arm64 binary is built and Trivy-scanned but not smoke-tested — this is acceptable.
+
+## Files Changed
+
+- `.github/workflows/main.yml` — add six inputs to the `with:` block of the `build` job's `uses:` call
From a51a1da20c65935d1655db0a3b97d3806bb4241f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Thu, 7 May 2026 13:09:16 +0200 Subject: [PATCH 10/13] feat: add smoke test to CI build job MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- .github/workflows/main.yml | 6 ++++++ 1 file changed, 6 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 3a67dd8..7e93cbc 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -28,6 +28,12 @@ jobs:
 docker-cache-to: type=gha,mode=max
 trivy-ignore-files: .trivyignore,${{ matrix.release.dir }}/.trivyignore
 docker-extra-tags: ${{ matrix.release.extra-tags }}
+ smoke-test-cmd: "/usr/bin/ocis version"
+ smoke-test-port: "9200"
+ smoke-test-url: "https://localhost:9200/status.php"
+ smoke-test-entrypoint-cmd: "ocis init || true; exec ocis server"
+ smoke-test-env: "OCIS_INSECURE=true"
+ smoke-test-version-jq: ".versionstring"
 push: false
 secrets:
 docker-hub-password: ${{ secrets.DOCKERHUB_TOKEN }}
From 37cdf8cf29955965846c1f928c5b4ceaa0ecce92 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Thu, 7 May 2026 13:58:21 +0200 Subject: [PATCH 11/13] fix: use .productversion jq field for smoke test version check MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- .github/workflows/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 7e93cbc..b94d438 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -33,7 +33,7 @@ jobs:
 smoke-test-url: "https://localhost:9200/status.php"
 smoke-test-entrypoint-cmd: "ocis init || true; exec ocis server"
 smoke-test-env: "OCIS_INSECURE=true"
- smoke-test-version-jq: ".versionstring"
+ smoke-test-version-jq: ".productversion"
 push: false
 secrets:
 docker-hub-password: ${{ secrets.DOCKERHUB_TOKEN }}
From 206b30750d4cb0ada4960ad8387690e3ff794bac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Thu, 7 May 2026 14:02:48 +0200 Subject: [PATCH 12/13] fix: remove smoke-test-cmd for now MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit
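Review bot: `smoke-test-entrypoint-cmd: "ocis init || true; exec ocis server"` discards the exit status of `ocis init`, so an initialisation failure inside the smoke-test container only surfaces later as a less specific timeout on the status poll. If the `|| true` exists because `ocis init` refuses to overwrite an existing config, a comment on that line would stop the next reader from removing it, e.g. `# || true: tolerate ocis init refusing to overwrite an existing config (TODO confirm); the status poll is the real check`. Whether a fresh container ever hits that case is not visible from this hunk.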
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- .github/workflows/main.yml | 1 - 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index b94d438..12f186f 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -28,7 +28,6 @@ jobs:
 docker-cache-to: type=gha,mode=max
 trivy-ignore-files: .trivyignore,${{ matrix.release.dir }}/.trivyignore
 docker-extra-tags: ${{ matrix.release.extra-tags }}
- smoke-test-cmd: "/usr/bin/ocis version"
 smoke-test-port: "9200"
 smoke-test-url: "https://localhost:9200/status.php"
 smoke-test-entrypoint-cmd: "ocis init || true; exec ocis server"
From ff80eabd30709e4ffedfa87e217556de1bc4f399 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Thu, 7 May 2026 14:19:19 +0200 Subject: [PATCH 13/13] docs: add Building and CI sections to README, gitignore docs/ and .claude/ MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- .gitignore | 2 + README.md | 34 +++++++++++++- .../specs/2026-05-07-smoke-test-design.md | 44 ------------------- 3 files changed, 35 insertions(+), 45 deletions(-) delete mode 100644 docs/superpowers/specs/2026-05-07-smoke-test-design.md
diff --git a/.gitignore b/.gitignore
index 482e34b..e01c188 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 .DS_Store
 *.swp
 *.swo
+.claude/
+docs/
diff --git a/README.md b/README.md
index f199fdf..40de170 100644
--- a/README.md
+++ b/README.md
@@ -36,8 +36,40 @@ docker run --rm \
 | ARG | Default | Purpose |
 |-----|---------|---------|
-| `VERSION` | version-specific | oCIS release to embed |
+| `VERSION` | version-specific | oCIS git tag to clone and build (without `v` prefix, e.g. `8.0.1`) |
 | `REVISION` | `""` | Git SHA embedded in OCI labels |
+| `TARGETARCH` | set by buildx | Target architecture (`amd64`, `arm64`) |
+
+## Building
+
+The image is built entirely from source via a three-stage Dockerfile:
+
+**`node-builder`** — clones the oCIS git repository at `v${VERSION}`, builds the IDP React frontend (`pnpm build`) and downloads the web frontend assets (`make pull-assets`). Both are required at compile time because `services/idp` and `services/web` use `//go:embed`.
+
+**`go-builder`** — compiles the oCIS binary with CGO and libvips enabled using the upstream Makefile target `release-linux-docker-${TARGETARCH}`. Outputs to `dist/binaries/ocis-linux-${TARGETARCH}`.
+
+**Runtime** — minimal Alpine image with the binary copied from `go-builder`.
+
+To build locally:
+
+```bash
+docker buildx build \
+ --build-arg VERSION=8.0.1 \
+ --build-arg REVISION=$(git rev-parse HEAD) \
+ --platform linux/amd64 \
+ -f v8/Dockerfile.multiarch v8/
+```
+
+## CI
+
+The GitHub Actions workflow (`.github/workflows/main.yml`) builds and validates the image on every push, pull request, and weekly schedule.
+
+**Steps per release matrix entry:**
+
+1. **Build** — multi-arch image (`linux/amd64`, `linux/arm64`) pushed to an ephemeral local registry using BuildKit with GHA layer cache.
+2. **Trivy scan** — scans for HIGH/CRITICAL CVEs; unfixable upstream CVEs are listed in `v8/.trivyignore`.
+3. **Smoke test** — starts the container, polls `https://localhost:9200/status.php` every 2s for up to 62s, and verifies the `.productversion` field in the JSON response matches the built tag. Uses `OCIS_INSECURE=true` to allow self-signed TLS on the test runner.
+4.
**Publish** — pushes to Docker Hub with floating major/minor tags (on `master` only).
 ## License
diff --git a/docs/superpowers/specs/2026-05-07-smoke-test-design.md b/docs/superpowers/specs/2026-05-07-smoke-test-design.md
deleted file mode 100644
index 4a5ac41..0000000
--- a/docs/superpowers/specs/2026-05-07-smoke-test-design.md
+++ /dev/null
@@ -1,44 +0,0 @@
-# oCIS Docker Image: Smoke Test
-
-**Date:** 2026-05-07
-**Scope:** Add a smoke test to the `build` job in `.github/workflows/main.yml` that verifies the built oCIS image is functional before publishing.
-
-## Problem
-
-The CI pipeline builds and Trivy-scans the image but never runs it. A broken binary, a missing embedded asset, or a wrong embedded version would not be caught until after the image is published.
-
-## Design
-
-Wire the two smoke-test mechanisms already provided by `owncloud-docker/ubuntu/.github/workflows/docker-build.yml` into the existing `build` job. No new jobs or files are required.
-
-### Inputs added to the `build` job
-
-| Input | Value | Purpose |
-|---|---|---|
-| `smoke-test-cmd` | `/usr/bin/ocis version` | One-shot binary check: confirms binary is present and executable |
-| `smoke-test-port` | `9200` | Exposes the oCIS HTTPS port for polling |
-| `smoke-test-url` | `https://localhost:9200/status.php` | Endpoint polled for HTTP 200 |
-| `smoke-test-entrypoint-cmd` | `ocis init \|\| true; exec ocis server` | Initialises config then starts the server as PID 1 |
-| `smoke-test-env` | `OCIS_INSECURE=true` | Disables inter-service TLS verification for single-node test deployments |
-| `smoke-test-version-jq` | `.versionstring` | Extracts the semver string from the `/status.php` JSON response and asserts it equals `docker-tag` |
-
-### Execution order (within the reusable workflow)
-
-1. **Build** — multi-arch image pushed to local ephemeral registry
-2. **Trivy scan**
-3. **Smoke test (cmd)** — `docker run --rm image /bin/sh -c "/usr/bin/ocis version"`; exits 0 or fails the job
-4. **Smoke test (server)** — starts container with `ocis init || true; exec ocis server`, polls `https://localhost:9200/status.php` every 2s for up to 62s, verifies `.versionstring == docker-tag`
-
-Steps 3 and 4 are independent guards — both run if both inputs are set.
-
-### Constraints
-
-- **Startup time:** The workflow polls for 62s (31 × 2s).
oCIS starts ~20 microservices; 62s is generally sufficient on standard GitHub runners.
-- **TLS:** oCIS generates a self-signed cert on first run. `OCIS_INSECURE=true` disables inter-service TLS verification; `curl -sk` in the workflow skips cert validation for the external poll.
-- **Permissions:** The container runs as uid 1000 (`ocis-user`). `/var/lib/ocis` and `/etc/ocis` are already `chown`ed to that user in the Dockerfile. `ocis init` writes to both directories without permission issues.
-- **Ephemeral state:** The smoke test container is started with `--rm -d` and torn down after the poll. No volumes are mounted.
-- **Architecture:** The smoke test runs on `ubuntu-latest` (amd64). The arm64 binary is built and Trivy-scanned but not smoke-tested — this is acceptable.
-
-## Files Changed
-
-- `.github/workflows/main.yml` — add six inputs to the `with:` block of the `build` job's `uses:` call