chore: update version in README.md and SECURITY.md

- update Nextcloud to version 33.0.0
  - update Alpine Linux to 3.23
  - update PHP to 8.4
  - update hardened_malloc to branch 16
  - change verification of hardened_malloc to SSH signature instead of gpg
  - update Snuffleupagus to 0.13.0

.github/workflows/build.yml

@@ -62,12 +62,28 @@ jobs:
             ${{ env.FULL_VERSION }}
             ${{ env.MAJOR_VERSION }}
 
-      - name: Build and push Docker image
-        id: build-and-push
+      - name: Build and export Docker image to Docker
+        id: build
+        uses: docker/build-push-action@v2
+        with:
+          load: true
+          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:testing
+          context: .
+
+      - name: Test Docker image
+        id: test
+        run: |
+          docker run -d -p 8888:8888 --name nextcloud --rm ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:testing && \
+          docker exec nextcloud occ status && \
+          nc -z localhost 8888
+
+      - name: Push Docker image
+        id: push
+        if: github.event_name != 'pull_request'
         uses: docker/build-push-action@v2
         with:
           context: .
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
@@ -75,4 +91,4 @@ jobs:
         if: ${{ github.event_name != 'pull_request' }}
         env:
           COSIGN_EXPERIMENTAL: "true"
-        run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.build-and-push.outputs.digest }}
+        run: cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.push.outputs.digest }}

.github/workflows/scan.yml

@@ -8,7 +8,7 @@ on:
 jobs:
   build:
     name: Scan current image & report results
-    runs-on: "ubuntu-20.04"
+    runs-on: "ubuntu-24.04"
     steps:
       - name: Checkout code
         uses: actions/checkout@v2

Dockerfile

@@ -1,24 +1,24 @@
 # -------------- Build-time variables --------------
-ARG NEXTCLOUD_VERSION=29.0.16
-ARG PHP_VERSION=8.2
-ARG NGINX_VERSION=1.26
+ARG NEXTCLOUD_VERSION=33.0.0
+ARG PHP_VERSION=8.4
+ARG NGINX_VERSION=1.28
 
-ARG ALPINE_VERSION=3.20
-ARG HARDENED_MALLOC_VERSION=11
-ARG SNUFFLEUPAGUS_VERSION=0.10.0
+ARG ALPINE_VERSION=3.23
+ARG HARDENED_MALLOC_VERSION=16
+ARG SNUFFLEUPAGUS_VERSION=0.13.0
 
 ARG UID=1000
 ARG GID=1000
 
-# nextcloud-29.0.16.tar.bz2
-ARG SHA256_SUM="499bf61ab19edcd4e542af86609243c5b4f440eb5bb06c2ba7da0c2faa525322"
+# nextcloud-33.0.0.tar.bz2
+ARG SHA256_SUM="6f7730902269c879f9f2ad4aa0a227cb16b5408ee46f093f68bd32633f741abf"
 
 # Nextcloud Security <security@nextcloud.com> (D75899B9A724937A)
 ARG GPG_FINGERPRINT="2880 6A87 8AE4 23A2 8372  792E D758 99B9 A724 937A"
 # ---------------------------------------------------
 
 ### Build PHP base
-FROM docker.io/library/php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} as base
+FROM docker.io/library/php:${PHP_VERSION}-fpm-alpine${ALPINE_VERSION} AS base
 
 ARG SNUFFLEUPAGUS_VERSION
 
@@ -85,25 +85,26 @@ RUN apk -U upgrade \
 
 ### Build Hardened Malloc
 ARG ALPINE_VERSION
-FROM docker.io/library/alpine:${ALPINE_VERSION} as build-malloc
+FROM docker.io/library/alpine:${ALPINE_VERSION} AS build-malloc
 
 ARG HARDENED_MALLOC_VERSION
 ARG CONFIG_NATIVE=false
 ARG VARIANT=light
 
-RUN apk --no-cache add build-base git gnupg && cd /tmp \
- && wget -q https://github.com/thestinger.gpg && gpg --import thestinger.gpg \
+RUN apk --no-cache add build-base git openssh && cd /tmp \
+ && wget -q -O - https://github.com/thestinger.keys | while read -r key; do echo "thestinger@github.com $key"; done > allowed_signers \
+ && git config --global gpg.ssh.allowedSignersFile /tmp/allowed_signers \
  && git clone --depth 1 --branch ${HARDENED_MALLOC_VERSION} https://github.com/GrapheneOS/hardened_malloc \
  && cd hardened_malloc && git verify-tag $(git describe --tags) \
  && make CONFIG_NATIVE=${CONFIG_NATIVE} VARIANT=${VARIANT}
 
 
 ### Fetch nginx
-FROM docker.io/library/nginx:${NGINX_VERSION}-alpine as nginx
+FROM docker.io/library/nginx:${NGINX_VERSION}-alpine${ALPINE_VERSION} AS nginx
 
 
 ### Build Nextcloud (production environemnt)
-FROM base as nextcloud
+FROM base AS nextcloud
 
 COPY --from=nginx /usr/sbin/nginx /usr/sbin/nginx
 COPY --from=nginx /etc/nginx /etc/nginx

README.md

@@ -58,8 +58,8 @@ Verifying the signature isn't a requirement, and might not be as seamless as usi
 ## Tags
 
 - `latest` : latest Nextcloud version
-- `x` : latest Nextcloud x.x (e.g. `29`)
-- `x.x.x` : Nextcloud x.x.x (e.g. `29.0.0`)
+- `x` : latest Nextcloud x.x (e.g. `33`)
+- `x.x.x` : Nextcloud x.x.x (e.g. `33.0.0`)
 
 You can always have a glance [here](https://github.com/users/hoellen/packages/container/package/nextcloud).
 Only the **latest stable version** will be maintained by myself.

SECURITY.md

@@ -2,14 +2,18 @@
 
 ## Supported versions
 
-All versions of the Nextcloud community version which still receive updates will be supported 
+All versions of the Nextcloud community version which still receive updates will be supported
 and will receive the minor version updates and security patches.
 
-| Version | Supported          |
-| ------- | ------------------ |
-| 29. x   | :white_check_mark: |
-| 28. x   | :white_check_mark: |
-| 27. x   | :white_check_mark: |
+| Version | Supported                     |
+| ------- | ----------------------------- |
+| 33. x   | :white_check_mark:            |
+| 32. x   | :white_check_mark:            |
+| 31. x   | :negative_squared_cross_mark: |
+| 30. x   | :negative_squared_cross_mark: |
+| 29. x   | :negative_squared_cross_mark: |
+| 28. x   | :negative_squared_cross_mark: |
+| 27. x   | :negative_squared_cross_mark: |
 | 26. x   | :negative_squared_cross_mark: |
 | 25. x   | :negative_squared_cross_mark: |
 | 24. x   | :negative_squared_cross_mark: |
@@ -25,9 +29,10 @@ Uploaded images are regularly scanned for [OS vulnerabilities](https://github.co
 
 ## Reporting a vulnerability
 
-*Upstream* vulnerabilities should be reported to *upstream* projects according to their own security policies.
+_Upstream_ vulnerabilities should be reported to _upstream_ projects according to their own security policies.
 
 Regarding vulnerabilities specific to this project:
+
 - Faulty configuration files
 - Unsafe defaults
 - Dependencies security updates

rootfs/etc/nginx/conf.d/default.conf

@@ -78,7 +78,7 @@ server {
             access_log off;
         }
 
-        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
+        location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$ {
             try_files $uri /index.php$uri$is_args$args;
             access_log off;
         }

rootfs/usr/local/bin/run.sh

@@ -34,4 +34,4 @@ else
 fi
 
 # Run processes
-exec /bin/s6-svscan /etc/s6.d
+exec /usr/bin/s6-svscan /etc/s6.d