Merge 35725bd4eb into 314cc8016d

Allow running CI pipelines on version-branches and still (only) tag latest on
master branch

.github/workflows/build.yml

@@ -4,8 +4,8 @@ on:
   workflow_dispatch:
   push:
     branches: 
-      - master
-      - version-*
+     - master
+     - version-* 
   schedule:
     # Build the image regularly (each Friday)
     - cron: '23 04 * * 5'
@@ -29,17 +29,20 @@ jobs:
 
       - name: Extract version for tags
         run: |
-          BRANCH="${GITHUB_REF#refs/heads/}"
-          VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile)
-          [ "$BRANCH" = "master" ] && echo "BRANCH_VERSION=latest" >> $GITHUB_ENV
-          echo "FULL_VERSION=${VERSION:0:7}" >> $GITHUB_ENV
-          echo "MAJOR_VERSION=${VERSION:0:2}" >> $GITHUB_ENV
+          if [[ "$GITHUB_REF" == refs/heads/* ]]; then
+            BRANCH="${GITHUB_REF#refs/heads/}"
+            if [ "$BRANCH" = "master" ]; then
+              echo "BRANCH_VERSION=latest" >> $GITHUB_ENV
+            fi
+          fi
+          echo "FULL_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c6)" >> $GITHUB_ENV
+          echo "MAJOR_VERSION=$(grep -oP '(?<=NEXTCLOUD_VERSION=).*' Dockerfile | head -c2)" >> $GITHUB_ENV
 
       - name: Install cosign
         if: github.event_name != 'pull_request'
         uses: sigstore/cosign-installer@main
         with:
-          cosign-release: 'v2.2.2'
+          cosign-release: 'v1.13.1'
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v1
@@ -75,4 +78,4 @@ jobs:
         if: ${{ github.event_name != 'pull_request' }}
         env:
           COSIGN_EXPERIMENTAL: "true"
-        run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+        run: cosign sign ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}

Dockerfile

@@ -1,17 +1,17 @@
 # -------------- Build-time variables --------------
-ARG NEXTCLOUD_VERSION=28.0.14
+ARG NEXTCLOUD_VERSION=28.0.3
 ARG PHP_VERSION=8.2
-ARG NGINX_VERSION=1.26
+ARG NGINX_VERSION=1.24
 
-ARG ALPINE_VERSION=3.20
+ARG ALPINE_VERSION=3.18
 ARG HARDENED_MALLOC_VERSION=11
 ARG SNUFFLEUPAGUS_VERSION=0.10.0
 
 ARG UID=1000
 ARG GID=1000
 
-# nextcloud-28.0.14.tar.bz2
-ARG SHA256_SUM="4a937f1882486426c9703e59ec4b293f621be8d080b7f85016f629903c3af336"
+# nextcloud-28.0.3.tar.bz2
+ARG SHA256_SUM="9ed413c0de16f5b033ceeffcca99c0d61fc698dbeb8db851ac9adf9eef951906"
 
 # Nextcloud Security <security@nextcloud.com> (D75899B9A724937A)
 ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372  792E D758 99B9 A724 937A"
@@ -43,7 +43,6 @@ RUN apk -U upgrade \
         gmp \
         icu \
         libjpeg-turbo \
-        librsvg \
         libpq \
         libpq \
         libwebp \

SECURITY.md

@@ -9,7 +9,7 @@ and will receive the minor version updates and security patches.
 | ------- | ------------------ |
 | 28. x   | :white_check_mark: |
 | 27. x   | :white_check_mark: |
-| 26. x   | :negative_squared_cross_mark: |
+| 26. x   | :white_check_mark: |
 | 25. x   | :negative_squared_cross_mark: |
 | 24. x   | :negative_squared_cross_mark: |
 | 23. x   | :negative_squared_cross_mark: |

rootfs/etc/nginx/conf.d/default.conf

@@ -72,7 +72,7 @@ server {
             access_log off;
         }
 
-        location ~ \.(otf|woff2)?$ {
+        location ~ \.woff2?$ {
             try_files $uri /index.php$uri$is_args$args;
             expires 7d;
             access_log off;