Merge 35725bd4eb into cedf7fc4c6

Allow running CI pipelines on version-branches and still (only) tag latest on
master branch

.github/workflows/build.yml

@@ -3,9 +3,9 @@ name: build
 on:
   workflow_dispatch:
   push:
-    branches:
-      - master
-      - version-*
+    branches: 
+     - master
+     - version-* 
   schedule:
     # Build the image regularly (each Friday)
     - cron: '23 04 * * 5'
@@ -29,17 +29,20 @@ jobs:
 
       - name: Extract version for tags
         run: |
-          BRANCH="${GITHUB_REF#refs/heads/}"
-          VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile)
-          [ "$BRANCH" = "master" ] && echo "BRANCH_VERSION=latest" >> $GITHUB_ENV
-          echo "FULL_VERSION=${VERSION:0:7}" >> $GITHUB_ENV
-          echo "MAJOR_VERSION=${VERSION:0:2}" >> $GITHUB_ENV
+          if [[ "$GITHUB_REF" == refs/heads/* ]]; then
+            BRANCH="${GITHUB_REF#refs/heads/}"
+            if [ "$BRANCH" = "master" ]; then
+              echo "BRANCH_VERSION=latest" >> $GITHUB_ENV
+            fi
+          fi
+          echo "FULL_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c6)" >> $GITHUB_ENV
+          echo "MAJOR_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c2)" >> $GITHUB_ENV
 
       - name: Install cosign
         if: github.event_name != 'pull_request'
         uses: sigstore/cosign-installer@main
         with:
-          cosign-release: 'v2.2.2'
+          cosign-release: 'v1.13.1'
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
@@ -62,28 +65,12 @@ jobs:
             ${{ env.FULL_VERSION }}
             ${{ env.MAJOR_VERSION }}
 
-      - name: Build and export Docker image to Docker
-        id: build
-        uses: docker/build-push-action@v2
-        with:
-          load: true
-          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:testing
-          context: .
-
-      - name: Test Docker image
-        id: test
-        run: |
-          docker run -d -p 8888:8888 --name nextcloud --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:testing && \
-          docker exec nextcloud occ status && \
-          nc -z localhost 8888
-
-      - name: Push Docker image
-        id: push
-        if: github.event_name != 'pull_request'
+      - name: Build and push Docker image
+        id: build-and-push
         uses: docker/build-push-action@v2
         with:
           context: .
-          push: true
+          push: ${{ github.event_name != 'pull_request' }}
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
@@ -91,4 +78,4 @@ jobs:
         if: ${{ github.event_name != 'pull_request' }}
         env:
           COSIGN_EXPERIMENTAL: "true"
-        run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}
+        run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}

.github/workflows/scan.yml

@@ -8,7 +8,7 @@ on:
 jobs:
   build:
     name: Scan current image & report results
-    runs-on: "ubuntu-24.04"
+    runs-on: "ubuntu-20.04"
     steps:
       - name: Checkout code
         uses: actions/checkout@v2

Dockerfile

@@ -1,24 +1,24 @@
 # -------------- Build-time variables --------------
-ARG NEXTCLOUD_VERSION=32.0.3
-ARG PHP_VERSION=8.3
-ARG NGINX_VERSION=1.28
+ARG NEXTCLOUD_VERSION=28.0.1
+ARG PHP_VERSION=8.2
+ARG NGINX_VERSION=1.24
 
-ARG ALPINE_VERSION=3.21
+ARG ALPINE_VERSION=3.18
 ARG HARDENED_MALLOC_VERSION=11
 ARG SNUFFLEUPAGUS_VERSION=0.10.0
 
 ARG UID=1000
 ARG GID=1000
 
-# nextcloud-32.0.3.tar.bz2
-ARG SHA256_SUM="9b71ac96c910b4a350d986bd3a92ea06f02a161fa586334b56d87d8acafc62d4"
+# nextcloud-28.0.1.tar.bz2
+ARG SHA256_SUM="2f80735b443082272fe6a3b5e32137957f1fc448c75342b94b5200b29725f3a4"
 
 # Nextcloud Security <security@nextcloud.com> (D75899B9A724937A)
 ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372  792E D758 99B9 A724 937A"
 # ---------------------------------------------------
 
 ### Build PHP base
-FROM docker.io/library/php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} AS base
+FROM php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} as base
 
 ARG SNUFFLEUPAGUS_VERSION
 
@@ -43,7 +43,6 @@ RUN apk -U upgrade \
         gmp \
         icu \
         libjpeg-turbo \
-        librsvg \
         libpq \
         libpq \
         libwebp \
@@ -85,7 +84,7 @@ RUN apk -U upgrade \
 
 ### Build Hardened Malloc
 ARG ALPINE_VERSION
-FROM docker.io/library/alpine:${ALPINE_VERSION} AS build-malloc
+FROM alpine:${ALPINE_VERSION} as build-malloc
 
 ARG HARDENED_MALLOC_VERSION
 ARG CONFIG_NATIVE=false
@@ -99,11 +98,11 @@ RUN apk --no-cache add build-base git gnupg && cd /tmp \
 
 
 ### Fetch nginx
-FROM docker.io/library/nginx:${NGINX_VERSION}-alpine AS nginx
+FROM nginx:${NGINX_VERSION}-alpine as nginx
 
 
 ### Build Nextcloud (production environemnt)
-FROM base AS nextcloud
+FROM base as nextcloud
 
 COPY --from=nginx /usr/sbin/nginx /usr/sbin/nginx
 COPY --from=nginx /etc/nginx /etc/nginx

README.md

@@ -58,8 +58,8 @@ Verifying the signature isn't a requirement, and might not be as seamless as usi
 ## Tags
 
 - `latest` : latest Nextcloud version
-- `x` : latest Nextcloud x.x (e.g. `32`)
-- `x.x.x` : Nextcloud x.x.x (e.g. `32.0.0`)
+- `x` : latest Nextcloud x.x (e.g. `28`)
+- `x.x.x` : Nextcloud x.x.x (e.g. `28.0.0`)
 
 You can always have a glance [here](https://github.com/users/hoellen/packages/container/package/nextcloud).
 Only the **latest stable version** will be maintained by myself.

SECURITY.md

@@ -2,18 +2,14 @@
 
 ## Supported versions
 
-All versions of the Nextcloud community version which still receive updates will be supported
+All versions of the Nextcloud community version which still receive updates will be supported 
 and will receive the minor version updates and security patches.
 
-| Version | Supported                     |
-| ------- | ----------------------------- |
-| 32. x   | :white_check_mark:            |
-| 31. x   | :white_check_mark:            |
-| 30. x   | :negative_squared_cross_mark: |
-| 29. x   | :negative_squared_cross_mark: |
-| 28. x   | :negative_squared_cross_mark: |
-| 27. x   | :negative_squared_cross_mark: |
-| 26. x   | :negative_squared_cross_mark: |
+| Version | Supported          |
+| ------- | ------------------ |
+| 28. x   | :white_check_mark: |
+| 27. x   | :white_check_mark: |
+| 26. x   | :white_check_mark: |
 | 25. x   | :negative_squared_cross_mark: |
 | 24. x   | :negative_squared_cross_mark: |
 | 23. x   | :negative_squared_cross_mark: |
@@ -28,10 +24,9 @@ Uploaded images are regularly scanned for [OS vulnerabilities](https://github.co
 
 ## Reporting a vulnerability
 
-_Upstream_ vulnerabilities should be reported to _upstream_ projects according to their own security policies.
+*Upstream* vulnerabilities should be reported to *upstream* projects according to their own security policies.
 
 Regarding vulnerabilities specific to this project:
-
 - Faulty configuration files
 - Unsafe defaults
 - Dependencies security updates

rootfs/etc/nginx/conf.d/default.conf

@@ -18,6 +18,7 @@ server {
 
         add_header Referrer-Policy "no-referrer" always;
         add_header X-Content-Type-Options "nosniff" always;
+        add_header X-Download-Options "noopen" always;
         add_header X-Frame-Options "SAMEORIGIN" always;
         add_header X-Permitted-Cross-Domain-Policies "none" always;
         add_header X-Robots-Tag "noindex, nofollow" always;
@@ -30,8 +31,8 @@ server {
         }
 
         location ^~ /.well-known {
-            location = /.well-known/carddav   { return 301 $nc_proto://$host/remote.php/dav/; }
-            location = /.well-known/caldav    { return 301 $nc_proto://$host/remote.php/dav/; }
+            location = /.well-known/carddav   { return 301 $nc_proto://$host/remote.php/dav; }
+            location = /.well-known/caldav    { return 301 $nc_proto://$host/remote.php/dav; }
             location ^~ /.well-known          { return 301 $nc_proto://$host/index.php$uri;  }
             try_files $uri $uri/ =404;
         }
@@ -66,19 +67,19 @@ server {
             index index.php;
         }
 
-        location ~ \.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$ {
+        location ~ \.(?:css|js|svg|gif|map)$ {
             try_files $uri /index.php$uri$is_args$args;
             expires 6M;
             access_log off;
         }
 
-        location ~ \.(otf|woff2)?$ {
+        location ~ \.woff2?$ {
             try_files $uri /index.php$uri$is_args$args;
             expires 7d;
             access_log off;
         }
 
-        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
+        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
             try_files $uri /index.php$uri$is_args$args;
             access_log off;
         }

rootfs/etc/nginx/nginx.conf

@@ -9,11 +9,6 @@ events {
 
 http {
     include /etc/nginx/mime.types;
-    # Add .mjs as a file extension for javascript
-    # https://github.com/nextcloud/server/pull/36057
-    types {
-        application/javascript mjs;
-    }
     default_type  application/octet-stream;
 
     access_log /nginx/logs/access.log combined;

rootfs/usr/local/bin/run.sh

@@ -17,8 +17,7 @@ fi
 
 # Check if database is available
 if [ -n "${DB_TYPE}" ] && [ "${DB_TYPE}" != "sqlite3" ]; then
-  DB_PORT=${DB_PORT:-$( [ "${DB_TYPE}" = "pgsql" ] && echo 5432 || echo 3306 )}
-  until nc -z "${DB_HOST:-nextcloud-db}" "${DB_PORT}"
+  until nc -z "${DB_HOST:-nextcloud-db}" "${DB_PORT:-3306}"
   do
     echo "waiting for the database container..."
     sleep 1
@@ -34,4 +33,4 @@ else
 fi
 
 # Run processes
-exec /usr/bin/s6-svscan /etc/s6.d
+exec /bin/s6-svscan /etc/s6.d