feat: build oCIS from git source and add CI smoke test

.github/workflows/main.yml

@@ -24,20 +24,22 @@ jobs:
       docker-build-args: |
         VERSION=${{ matrix.release.version }}
         REVISION=${{ github.sha }}
+      docker-cache-from: type=gha
+      docker-cache-to: type=gha,mode=max
       trivy-ignore-files: .trivyignore,${{ matrix.release.dir }}/.trivyignore
       docker-extra-tags: ${{ matrix.release.extra-tags }}
+      smoke-test-port: "9200"
+      smoke-test-url: "https://localhost:9200/status.php"
+      smoke-test-entrypoint-cmd: "ocis init || true; exec ocis server"
+      smoke-test-env: "OCIS_INSECURE=true"
+      smoke-test-version-jq: ".productversion"
       push: false
     secrets:
       docker-hub-password: ${{ secrets.DOCKERHUB_TOKEN }}
 
     strategy:
       matrix:
         release:
-          - version: "7.3.2"
-            dir: "v7"
-            extra-tags: |
-              7.3
-              7
           - version: "8.0.1"
             dir: "v8"
             extra-tags: |

.gitignore

@@ -1,3 +1,5 @@
 .DS_Store
 *.swp
 *.swo
+.claude/
+docs/

README.md

@@ -18,7 +18,6 @@ docker run --rm \
 | Tag | oCIS Version |
 |-----|-------------|
 | `8.0.1` | 8.0.1 |
-| `7.3.2` | 7.3.2 |
 
 ## Volumes
 
@@ -37,8 +36,40 @@ docker run --rm \
 
 | ARG | Default | Purpose |
 |-----|---------|---------|
-| `VERSION` | version-specific | oCIS release to embed |
+| `VERSION` | version-specific | oCIS git tag to clone and build (without `v` prefix, e.g. `8.0.1`) |
 | `REVISION` | `""` | Git SHA embedded in OCI labels |
+| `TARGETARCH` | set by buildx | Target architecture (`amd64`, `arm64`) |
+
+## Building
+
+The image is built entirely from source via a three-stage Dockerfile:
+
+**`node-builder`** — clones the oCIS git repository at `v${VERSION}`, builds the IDP React frontend (`pnpm build`) and downloads the web frontend assets (`make pull-assets`). Both are required at compile time because `services/idp` and `services/web` use `//go:embed`.
+
+**`go-builder`** — compiles the oCIS binary with CGO and libvips enabled using the upstream Makefile target `release-linux-docker-${TARGETARCH}`. Outputs to `dist/binaries/ocis-linux-${TARGETARCH}`.
+
+**Runtime** — minimal Alpine image with the binary copied from `go-builder`.
+
+To build locally:
+
+```bash
+docker buildx build \
+  --build-arg VERSION=8.0.1 \
+  --build-arg REVISION=$(git rev-parse HEAD) \
+  --platform linux/amd64 \
+  -f v8/Dockerfile.multiarch v8/
+```
+
+## CI
+
+The GitHub Actions workflow (`.github/workflows/main.yml`) builds and validates the image on every push, pull request, and weekly schedule.
+
+**Steps per release matrix entry:**
+
+1. **Build** — multi-arch image (`linux/amd64`, `linux/arm64`) pushed to an ephemeral local registry using BuildKit with GHA layer cache.
+2. **Trivy scan** — scans for HIGH/CRITICAL CVEs; unfixable upstream CVEs are listed in `v8/.trivyignore`.
+3. **Smoke test** — starts the container, polls `https://localhost:9200/status.php` every 2s for up to 62s, and verifies the `.productversion` field in the JSON response matches the built tag. Uses `OCIS_INSECURE=true` to allow self-signed TLS on the test runner.
+4. **Publish** — pushes to Docker Hub with floating major/minor tags (on `master` only).
 
 ## License
 

v8/.trivyignore

@@ -19,6 +19,7 @@ CVE-2026-33487 exp:2026-10-22
 
 # go.opentelemetry.io/otel/sdk v1.39.0
 CVE-2026-24051 exp:2026-10-22
+CVE-2026-29181 exp:2026-10-22
 CVE-2026-39883 exp:2026-10-22
 
 # google.golang.org/grpc v1.78.0

v8/Dockerfile.multiarch

@@ -1,21 +1,43 @@
-FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 AS downloader
+FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 AS node-builder
+
+ARG VERSION="8.0.1"
+
+RUN apk add --no-cache bash nodejs npm curl git make
+
+RUN npm install -g pnpm@10.28.1
+
+RUN git clone --depth 1 --branch "v${VERSION}" https://github.com/owncloud/ocis.git /build
+
+WORKDIR /build/services/idp
+RUN pnpm install --frozen-lockfile
+RUN pnpm build
+RUN curl -fsSL https://raw.githubusercontent.com/owncloud/assets/main/favicon.ico \
+      -o assets/identifier/static/favicon.ico
+
+WORKDIR /build/services/web
+RUN make pull-assets
+
+
+FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11 AS go-builder
 
 ARG VERSION="8.0.1"
 ARG TARGETARCH
 
-RUN apk add --no-cache curl
+RUN apk add --no-cache bash go gcc musl-dev vips-dev curl-dev make git
+
+COPY --from=node-builder /build /build
+
+WORKDIR /build/ocis
+
+RUN CGO_ENABLED=1 ENABLE_VIPS=true \
+    make release-linux-docker-${TARGETARCH} VERSION=${VERSION}
 
-RUN BASE_URL="https://github.com/owncloud/ocis/releases/download/v${VERSION}" && \
-  curl -fsSL "${BASE_URL}/ocis-${VERSION}-linux-${TARGETARCH}" -o /usr/bin/ocis && \
-  curl -fsSL "${BASE_URL}/ocis-${VERSION}-linux-${TARGETARCH}.sha256" -o /tmp/ocis.sha256 && \
-  EXPECTED=$(awk '{print $1}' /tmp/ocis.sha256) && \
-  echo "${EXPECTED}  /usr/bin/ocis" | sha256sum -c - && \
-  chmod +x /usr/bin/ocis
 
 FROM docker.io/alpine:3.23.4@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11
 
 ARG VERSION=""
 ARG REVISION=""
+ARG TARGETARCH
 
 LABEL maintainer="ownCloud GmbH <devops@owncloud.com>" \
   org.opencontainers.image.title="ownCloud Infinite Scale" \
@@ -42,7 +64,7 @@ RUN mkdir -p /var/lib/ocis && \
   chown -R ocis-user:ocis-group /etc/ocis && \
   chmod -R 751 /etc/ocis
 
-COPY --from=downloader /usr/bin/ocis /usr/bin/ocis
+COPY --from=go-builder /build/ocis/dist/binaries/ocis-linux-${TARGETARCH} /usr/bin/ocis
 
 VOLUME [ "/var/lib/ocis", "/etc/ocis" ]