Skip to content

feat: [OCISDEV-783] release pipeline#12194

Open
mklos-kw wants to merge 29 commits intomasterfrom
feat/release-pipeline
Open

feat: [OCISDEV-783] release pipeline#12194
mklos-kw wants to merge 29 commits intomasterfrom
feat/release-pipeline

Conversation

@mklos-kw
Copy link
Copy Markdown
Member

@mklos-kw mklos-kw commented Apr 8, 2026
edited
Loading

Release Expected State

Reference release: v8.0.1

1. GitHub Release page

Property Expected
tag_name v{VERSION}
name {VERSION} (no v prefix)
draft false
prerelease false for stable, true if version contains -
target_commitish master (or active stable branch)

2. Release assets — exact file set (14 files)

ocis-{VERSION}-darwin-amd64
ocis-{VERSION}-darwin-amd64.sha256
ocis-{VERSION}-darwin-arm64
ocis-{VERSION}-darwin-arm64.sha256
ocis-{VERSION}-linux-386
ocis-{VERSION}-linux-386.sha256
ocis-{VERSION}-linux-amd64
ocis-{VERSION}-linux-amd64.sha256
ocis-{VERSION}-linux-arm
ocis-{VERSION}-linux-arm.sha256
ocis-{VERSION}-linux-arm64
ocis-{VERSION}-linux-arm64.sha256
End-User-License-Agreement-for-ownCloud-Infinite-Scale.pdf
third-party-licenses.tar.gz

3. Binary file checks

File ELF/Mach-O header
linux-amd64 ELF 64-bit x86-64
linux-arm64 ELF 64-bit aarch64
linux-arm ELF 32-bit ARM
linux-386 ELF 32-bit Intel 80386
darwin-amd64 Mach-O 64-bit x86_64
darwin-arm64 Mach-O 64-bit arm64

4. .sha256 file checks

  • Each .sha256 file is 87–90 bytes
  • Content format: {sha256hash} {filename} (two spaces, standard sha256sum output)
  • The hash inside the file must match sha256sum of the corresponding binary

5. third-party-licenses.tar.gz

  • Valid gzip (file reports gzip compressed data)

6. EULA PDF

  • Valid PDF (file reports PDF document)
  • Exact filename: End-User-License-Agreement-for-ownCloud-Infinite-Scale.pdf

7. Docker images (production release only)

Image Tags Architectures
owncloud/ocis-rolling {VERSION}, {MAJOR}.{MINOR}, {MAJOR} linux/amd64, linux/arm64
owncloud/ocis {VERSION}, {MAJOR}.{MINOR}, {MAJOR} linux/amd64, linux/arm64

Verify:

docker buildx imagetools inspect owncloud/ocis:{VERSION}
# must show linux/amd64 and linux/arm64 manifests

8. Git tag

git tag -v v{VERSION}          # must be a signed tag
git cat-file -p v{VERSION} | grep "^object"  # must point to a commit on master

9. Release content audit scripts/audit-release.py

➜  GITHUB_TOKEN=<token> python3 scripts/audit-release.py --version 8.0.1 --github-release --docker --git 2>&1
[PASS] tag_name: v8.0.1
[PASS] name: 8.0.1
[PASS] draft: false
[PASS] prerelease: False
[PASS] assets: all 14 present
[PASS] owncloud/ocis-rolling:8.0.1: amd64+arm64 present
[PASS] owncloud/ocis:8.0.1: amd64+arm64 present
[WARN] v8.0.1: not a signed tag
[PASS] v8.0.1: object bb5c6c2c929e4e67e263ec3efd04e68a2c08b938

8 checks: 8 passed, 0 failed
➜  GITHUB_TOKEN=<token> python3 scripts/audit-release.py --version 8.0.0 --github-release --docker --git 2>&1
[PASS] tag_name: v8.0.0
[PASS] name: 8.0.0
[PASS] draft: false
[PASS] prerelease: False
[PASS] assets: all 14 present
[PASS] owncloud/ocis-rolling:8.0.0: amd64+arm64 present
[PASS] owncloud/ocis:8.0.0: amd64+arm64 present
[WARN] v8.0.0: not a signed tag
[PASS] v8.0.0: object 6bede1a396bbe525554c9bb16bb91ef7bef16c4a

8 checks: 8 passed, 0 failed

Checklist:

  • Code changes
  • Unit tests added
  • Acceptance tests added
  • Documentation ticket raised:

@update-docs
Copy link
Copy Markdown

update-docs bot commented Apr 8, 2026

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

@mklos-kw mklos-kw force-pushed the feat/release-pipeline branch from e6924cd to cb31745 Compare April 8, 2026 16:36
DeepDiver1975
DeepDiver1975 reviewed Apr 9, 2026
View reviewed changes
.github/workflows/release.yml Outdated
repo: ${{ fromJSON(needs.determine-release-type.outputs.docker_repos) }}
steps:
- run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
Copy link
Copy Markdown
Member

@DeepDiver1975 DeepDiver1975 Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⛔ use the github action fro trivy

Copy link
Copy Markdown
Member Author

@mklos-kw mklos-kw Apr 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I copy pasted trivy image and SHA: The action aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
from
https://github.com/owncloud-docker/ubuntu/blob/1ade6e6489ab7c5f44496cd5405a1f932229a3ec/.github/workflows/docker-build.yml#L62

But Github complains:

The action aquasecurity/trivy-action@57a97c7 is not allowed in owncloud/ocis
https://github.com/owncloud/ocis/actions/runs/24236341605

DeepDiver1975
DeepDiver1975 reviewed Apr 9, 2026
View reviewed changes
.github/workflows/release.yml Outdated
matrix:
repo: ${{ fromJSON(needs.determine-release-type.outputs.docker_repos) }}
steps:
- run: echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin
Copy link
Copy Markdown
Member

@DeepDiver1975 DeepDiver1975 Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⛔ use docker/login action

DeepDiver1975
DeepDiver1975 reviewed Apr 9, 2026
View reviewed changes
.github/workflows/release.yml
- run: echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin
- if: ${{ contains(matrix.repo, 'rolling') }}
run: |
docker buildx imagetools create \
Copy link
Copy Markdown
Member

@DeepDiver1975 DeepDiver1975 Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⛔ use docker/build-push-actio

DeepDiver1975
DeepDiver1975 reviewed Apr 9, 2026
View reviewed changes
.github/workflows/release.yml Outdated
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- run: |
README=$(python3 -c "import sys,json; print(json.dumps(sys.stdin.read()))" < ocis/docker/README.md)
Copy link
Copy Markdown
Member

@DeepDiver1975 DeepDiver1975 Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⛔ use peter-evans/dockerhub-description

DeepDiver1975
DeepDiver1975 reviewed Apr 9, 2026
View reviewed changes
.github/workflows/release.yml Outdated
path: .
- run: |
[[ "${{ needs.determine-release-type.outputs.is_prerelease }}" == "true" ]] && PRERELEASE=--prerelease
gh release create -R "${{ github.repository }}" "${{ needs.determine-release-type.outputs.version }}" \
Copy link
Copy Markdown
Member

@DeepDiver1975 DeepDiver1975 Apr 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

also pre defined actions do exist for that

@mklos-kw mklos-kw marked this pull request as ready for review April 10, 2026 08:36
@mklos-kw mklos-kw mentioned this pull request Apr 10, 2026
Open
13 tasks
@mklos-kw mklos-kw force-pushed the feat/release-pipeline branch from 097566c to 1fe0395 Compare April 10, 2026 09:30
kw-lschwarz and others added 19 commits April 10, 2026 23:37
@kw-lschwarz @mklos-kw
feat: Add basic GH Actions file
e75d5a8
@mklos-kw
feat: [OCISDEV-783] release pipeline
0e9f19e
@mklos-kw
feat: [OCISDEV-783] release pipeline
a6addc2
@mklos-kw
feat: [OCISDEV-783] release pipeline, DeepDiver's review comments
a4d6b51
@mklos-kw
feat: [OCISDEV-783] release pipeline, DeepDiver's review comments
976dc4b
@mklos-kw
feat: [OCISDEV-783] release pipeline, assert release
0600675
@mklos-kw
feat: [OCISDEV-783] release pipeline, audit release
e689813
@mklos-kw
feat: [OCISDEV-783] release pipeline, bianaries
e3e3942
@mklos-kw
feat: [OCISDEV-783] release pipeline, bianaries
3274d21
@mklos-kw
feat: [OCISDEV-783] release pipeline, dev.1
5f3afc4
@mklos-kw
feat: [OCISDEV-783] release pipeline, dev.1
635f26f
@mklos-kw
feat: [OCISDEV-783] release pipeline, dev.1
6914717
@mklos-kw
feat: [OCISDEV-783] release pipeline, dev.1
10193e2
@mklos-kw
feat: [OCISDEV-783] release pipeline, dev.1
c38bc37
@mklos-kw
feat: [OCISDEV-783] release pipeline, dev.1
3569065
@mklos-kw
feat: [OCISDEV-783] release pipeline, dev.1
32a4240
@mklos-kw
feat: [OCISDEV-783] release pipeline, dev.1
317e30f
@mklos-kw
feat: [OCISDEV-783] release pipeline, dev.1
6d5baec
@mklos-kw
feat: [OCISDEV-783] release pipeline, dev.1
03e7254
@mklos-kw mklos-kw force-pushed the feat/release-pipeline branch from a6106d7 to fb53d24 Compare April 10, 2026 22:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DeepDiver1975 DeepDiver1975 DeepDiver1975 left review comments

@mzner mzner mzner approved these changes

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@mklos-kw @DeepDiver1975 @mzner @kw-lschwarz