feat: [OCISDEV-783] release pipeline by mklos-kw · Pull Request #12194 · owncloud/ocis

mklos-kw · 2026-04-08T11:27:12Z

Release Expected State

Reference release: v8.0.1

1. GitHub Release page

Property	Expected
`tag_name`	`v{VERSION}`
`name`	`{VERSION}` (no `v` prefix)
`draft`	`false`
`prerelease`	`false` for stable, `true` if version contains `-`
`target_commitish`	`master` (or active stable branch)

2. Release assets — exact file set (14 files)

ocis-{VERSION}-darwin-amd64
ocis-{VERSION}-darwin-amd64.sha256
ocis-{VERSION}-darwin-arm64
ocis-{VERSION}-darwin-arm64.sha256
ocis-{VERSION}-linux-386
ocis-{VERSION}-linux-386.sha256
ocis-{VERSION}-linux-amd64
ocis-{VERSION}-linux-amd64.sha256
ocis-{VERSION}-linux-arm
ocis-{VERSION}-linux-arm.sha256
ocis-{VERSION}-linux-arm64
ocis-{VERSION}-linux-arm64.sha256
End-User-License-Agreement-for-ownCloud-Infinite-Scale.pdf
third-party-licenses.tar.gz

3. Binary file checks

File	ELF/Mach-O header
linux-amd64	`ELF 64-bit x86-64`
linux-arm64	`ELF 64-bit aarch64`
linux-arm	`ELF 32-bit ARM`
linux-386	`ELF 32-bit Intel 80386`
darwin-amd64	`Mach-O 64-bit x86_64`
darwin-arm64	`Mach-O 64-bit arm64`

4. `.sha256` file checks

Each .sha256 file is 87–90 bytes
Content format: {sha256hash} {filename} (two spaces, standard sha256sum output)
The hash inside the file must match sha256sum of the corresponding binary

5. `third-party-licenses.tar.gz`

Valid gzip (file reports gzip compressed data)

6. EULA PDF

Valid PDF (file reports PDF document)
Exact filename: End-User-License-Agreement-for-ownCloud-Infinite-Scale.pdf

7. Docker images (production release only)

Image	Tags	Architectures
`owncloud/ocis-rolling`	`{VERSION}`, `{MAJOR}.{MINOR}`, `{MAJOR}`	linux/amd64, linux/arm64
`owncloud/ocis`	`{VERSION}`, `{MAJOR}.{MINOR}`, `{MAJOR}`	linux/amd64, linux/arm64

Verify:

docker buildx imagetools inspect owncloud/ocis:{VERSION}
# must show linux/amd64 and linux/arm64 manifests

8. Git tag

git tag -v v{VERSION}          # must be a signed tag
git cat-file -p v{VERSION} | grep "^object"  # must point to a commit on master

9. Release content audit `scripts/audit-release.py`

➜  GITHUB_TOKEN=<token> python3 scripts/audit-release.py --version 8.0.1 --github-release --docker --git 2>&1
[PASS] tag_name: v8.0.1
[PASS] name: 8.0.1
[PASS] draft: false
[PASS] prerelease: False
[PASS] assets: all 14 present
[PASS] owncloud/ocis-rolling:8.0.1: amd64+arm64 present
[PASS] owncloud/ocis:8.0.1: amd64+arm64 present
[WARN] v8.0.1: not a signed tag
[PASS] v8.0.1: object bb5c6c2c929e4e67e263ec3efd04e68a2c08b938

8 checks: 8 passed, 0 failed
➜  GITHUB_TOKEN=<token> python3 scripts/audit-release.py --version 8.0.0 --github-release --docker --git 2>&1
[PASS] tag_name: v8.0.0
[PASS] name: 8.0.0
[PASS] draft: false
[PASS] prerelease: False
[PASS] assets: all 14 present
[PASS] owncloud/ocis-rolling:8.0.0: amd64+arm64 present
[PASS] owncloud/ocis:8.0.0: amd64+arm64 present
[WARN] v8.0.0: not a signed tag
[PASS] v8.0.0: object 6bede1a396bbe525554c9bb16bb91ef7bef16c4a

8 checks: 8 passed, 0 failed

Checklist:

Code changes
Unit tests added
Acceptance tests added
Documentation ticket raised:

update-docs · 2026-04-08T11:27:17Z

Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.

kobergj

Want to remove this? Rest looks 👍

* feat: Add basic GH Actions file * feat: [OCISDEV-783] release pipeline * feat: [OCISDEV-783] release pipeline * feat: [OCISDEV-783] release pipeline, DeepDiver's review comments * feat: [OCISDEV-783] release pipeline, DeepDiver's review comments * feat: [OCISDEV-783] release pipeline, assert release * feat: [OCISDEV-783] release pipeline, audit release * feat: [OCISDEV-783] release pipeline, bianaries * feat: [OCISDEV-783] release pipeline, bianaries * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, trivy scan * feat: [OCISDEV-783] release pipeline, gh actions * trigger CI * feat: [OCISDEV-783] release pipeline, align versions * feat: [OCISDEV-783] release pipeline, scan message * feat: [OCISDEV-783] release pipeline, ack alpine scan * feat: [OCISDEV-783] release pipeline, align versions * feat: [OCISDEV-783] release pipeline, review * feat: [OCISDEV-783] release pipeline, review * feat: [OCISDEV-783] release pipeline, trivy scan --------- Co-authored-by: Lukas Schwarz <lukas.schwarz@kiteworks.com>

* chore: release 8.0.0-rc.1 Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * [docs-only] Fix of storage-publiclink readme * fix: some notifications were translated wrong due to an empty l10n key The expected translatable message was empty, which caused the translation system to use the empty key, which contains "weird" unrelated data. With the fix, if there is no translatable message, the related output will remain empty. * [docs-only][stable-8.0] Update web-extensions image versions in ocis_full * feat: bump go to 1.25 feat: bump mockery to v2.53.5 feat: bump govulncheck feat: bump bingo to v0.10.0 force go-1.25.7 update thumbnail images for test * chore: bump web to v12.3.1 * fix: ocis-multi deployment example groups Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * chore: release 8.0.0 Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * fix: add v8 to production versions Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * chore: write to docs-stable branch Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * test: fix public link related test for k8s deployment * chore(idp): use kpop without dependency Instead of trying to download kpop every time, bring in the specific code that we are using. There is very little code that we are actually using from kpop so pulling it as a dependency is not really necessary and it should fix the current CI issues. * fix: codacy deprecated reporter * fix: post rebase cleanup * chore(web): bump ownCloud Web to v12.3.2 * fix(graph): Don't use hardcoded groupOfNames in group creation * fix(graph): (ai) fix other groupOfNames and comment Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * test: let (ai) add a test for it Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * fix: adjust ocis-multi example Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * docs: update changelog item Co-authored-by: Martin <github@diemattels.at> * fix:[OCISDEV-617] Expose the signature-auth attribute * ci: use plugins/s3:1.4.0 * fix: dont write externalID when empty Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * feat: add globalID for EK users * fix: bump reva version Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * chore: release 8.0.1 Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * [backport] feat: [OCISDEV-732] acceptance test (#12143) to stable-8.0.0 (#12236) * feat: [OCISDEV-732] acceptance test (#12143) * feat: acceptance test - graph * feat: acceptance test - graph * feat: acceptance test - graph * fix: remove drone * feat: run each behat suite as a separate worker * feat: rename feat: [OCISDEV-740] acceptance test, coverage P0 feat: [OCISDEV-743] build and unit test ci: [ocisdev-730] code quality feat: [OCISDEV-741] local-api-test part 2 feat: [OCISDEV-741] local-api-test, apiSpaces feat: [OCISDEV-744] cli-test feat: [OCISDEV-741] local-api-test, apiCollaboration # Conflicts: # .github/workflows/acceptance-tests.yml # tests/acceptance/run-github.py feat: [OCISDEV-741] integration feat: [OCISDEV-744] build-and-test, lint feat: [OCISDEV-744] e2e-test # Conflicts: # .github/workflows/acceptance-tests.yml feat: [OCISDEV-744] fix apiSearch2 test suite * test [OCISDEV-744]: Run apiSearch2 test suite * Added php8.4-gd to all 4 PHP install lines * test [OCISDEV-744]: Enable all commented tests * test [OCISDEV-744]: Fixed failings * test [OCISDEV-744]: Fixed failings feat: [OCISDEV-744] fix apiOcm test suite * test [OCISDEV-744]: fix apiOcm tests * test [OCISDEV-744]: remove redundant .sh files * test [OCISDEV-744]: remove run-e2e.sh. Fix DRY vialation in run-github.py * test [OCISDEV-744]: documentation fixes --------- Co-authored-by: Deyan Zhekov <deyan.zhekov@kiteworks.com> fix: [OCISDEV-730] actions compliance (#12187) feat: [OCISDEV-786] Split coreApiSharees and coreApiSharePublicLink2 (#12196) feat: [OCISDEV-779] reduce ci duration, libcurl (#12193) * feat: [OCISDEV-779] reduce ci duration, libcurl * feat: [OCISDEV-779] reduce ci duration, libcurl * feat: [OCISDEV-779] reduce ci duration, libcurl * feat: [OCISDEV-779] reduce ci duration, libcurl feat: [OCISDEV-792] reduce ci duration, build-and-run (#12204) * feat: [OCISDEV-792] reduce ci duration, build-and-run * feat: [OCISDEV-792] reduce ci duration, build-and-run * feat: [OCISDEV-792] reduce ci duration, pre-check * feat: [OCISDEV-792] reduce ci duration, pre-check * feat: [OCISDEV-792] reduce ci duration, pre-check * feat: [OCISDEV-792] reduce ci duration, pre-check * feat: [OCISDEV-792] reduce ci duration, pre-check fix: ci, govulncheck stderr (#12219) * fix: ci, govulncheck stderr * fix: ci, litmus flakines feat: [OCISDEV-779] reduce CI duration, PHP-version (#12217) * feat: [OCISDEV-779] reduce CI duration, php-version * feat: [OCISDEV-779] fix flaky test in apiSharingNgShares * feat: [OCISDEV-779] fix flaky preview comparison * feat: [OCISDEV-779] fix flaky preview comparison * feat: [OCISDEV-779] replace manual PHP installation with shivammathur/setup-php action * feat: [OCISDEV-779] fix Pre-checks and generate step * feat: [OCISDEV-779] fix flaky preview comparison * feat: [OCISDEV-779] fix failing test --------- Co-authored-by: Michal Klos <michal.klos@kiteworks.com> * feat: post rebase fix * feat: post rebase fix * feat: post rebase fix * feat: [OCISDEV-783] release pipeline (#12194) (#12235) * feat: Add basic GH Actions file * feat: [OCISDEV-783] release pipeline * feat: [OCISDEV-783] release pipeline * feat: [OCISDEV-783] release pipeline, DeepDiver's review comments * feat: [OCISDEV-783] release pipeline, DeepDiver's review comments * feat: [OCISDEV-783] release pipeline, assert release * feat: [OCISDEV-783] release pipeline, audit release * feat: [OCISDEV-783] release pipeline, bianaries * feat: [OCISDEV-783] release pipeline, bianaries * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, dev.1 * feat: [OCISDEV-783] release pipeline, trivy scan * feat: [OCISDEV-783] release pipeline, gh actions * trigger CI * feat: [OCISDEV-783] release pipeline, align versions * feat: [OCISDEV-783] release pipeline, scan message * feat: [OCISDEV-783] release pipeline, ack alpine scan * feat: [OCISDEV-783] release pipeline, align versions * feat: [OCISDEV-783] release pipeline, review * feat: [OCISDEV-783] release pipeline, review * feat: [OCISDEV-783] release pipeline, trivy scan --------- Co-authored-by: Lukas Schwarz <lukas.schwarz@kiteworks.com> * feat(graph): [OCISDEV-794] allow multiple objectClasses on group creation Add GroupAdditionalObjectClasses config field (env vars OCIS_LDAP_GROUP_ADDITIONAL_OBJECTCLASSES / GRAPH_LDAP_GROUP_ADDITIONAL_OBJECTCLASSES) that appends extra objectClasses when creating groups in LDAP, alongside the existing primary GroupObjectClass. Applied to both groupToLDAPAttrValues and CreateLDAPGroupByDN. Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * feat(webdav): [OCISDEV-602] add spaceid to report Added the `spaceid` to the REPORT responses. This is aligning the `REPORT` method with the `PROPFIND` method. * build(deps): stable-8.0 * feat(graph): [OCISDEV-807] add SpaceEditorWithoutVersionsWithoutTrashbin role Adds a new space membership role "Can edit" that allows creating, uploading, downloading, editing, moving and deleting on a space without access to file versions or the trashbin. Also bumps reva to include the corresponding role constructor. Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * fix(collaboration): [OCISDEV-781] return 200 OK for WOPI Lock in read-only modes OnlyOffice sends a WOPI Lock request on document open regardless of whether the user has write access. The Lock handler was calling SetLock with a read-only CS3 token, which returned a permission error propagated as HTTP 500 to OnlyOffice, causing an error dialog on load. Return 200 OK immediately for READ_ONLY and VIEW_ONLY view modes without acquiring a CS3 lock. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * fix: fixed the internal links access control * use the web stable-12.3 latest * fix the OCM share permission change notification handling * [OCISDEV-830] Add GitHub Actions workflow for k6 load tests with flag [k6-test] * [OCISDEV-827] Add workflow file to run k6-tests in GitHub Actions * [OCISDEV-827] Fix broken pipeline job * [OCISDEV-827] Fix broken pipeline job - switched to double quotes. * [OCISDEV-827] Trying to fix a broken pipeline job * [OCISDEV-827] Fix secrets and variables used to run k6-test * [OCISDEV-827] Add health check and SSH keepalive in run_k6_tests.sh * [OCISDEV-827] Rename variable DRONE_COMMIT to OCIS_COMMIT_SHA * chore: bump web version to 12.3.3 * [OCISDEV-833] Added rm -rf k6-ocis via SSH before ocis.sh start (#12280) * fix(proxy): [OCISDEV-845] skip space reconciliation on signed URL requests The space management middleware removed users from all project spaces when processing signed URL requests because no OIDC claims are present in that auth context. Return early when claims are nil to prevent the oscillating add/remove cycle. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * chore(proxy): [OCISDEV-845] add changelog for space manager fix Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * chore: release 8.0.2 Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * chore: bump libvips (#12304) * chore: bump go version (#12306) * fix: [OCISDEV-864] CI, fix passing version string value to image (#12309) (#12319) * fix: release fix passing version string value to image * fix: bump release tag * chore: bump go-git * fix: missing fcntl64 int the build image due to GHA image update * fix: [OCISDEV-865] CI, release pipeline steps ordering (#12310) (#12320) * fix: ci, release pipeline steps ordering * chore: security bump * fix: ignore for trivy scan, steps order # Conflicts: # services/idp/package.json # services/idp/pnpm-lock.yaml * fix: [backport][OCISDEV-873] *WithoutTrashbin space editor roles render files read-only in Web frontend (#12351) fix: [OCISDEV-873] *WithoutTrashbin space editor roles render files read-only in Web frontend (#12346) * fix: [OCISDEV-873] *WithoutTrashbin space editor roles render files as read-only in Web frontend * fix: ci after godata bump ocis CI bumped github.com/CiscoM31/godata from v1.0.10 → v1.0.11 as a transitive dependency of the reva bump. The new godata version parses "mail add 10 (invalid operator) as a parse error → 400 instead of unsupported operation → 501. * fix ci: more precise role * fix: bump reva to pull fix merged into reva * Release 8.0.4 (#12352) chore: Release 8.0.4 Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> * fix: dont write externalID when empty Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> --------- Signed-off-by: Julian Koberg <julian.koberg@kiteworks.com> Co-authored-by: Martin Mattel <github@diemattels.at> Co-authored-by: Juan Pablo Villafáñez <jvillafanez@solidgeargroup.com> Co-authored-by: Roman Perekhod <2403905@gmail.com> Co-authored-by: Roman Perekhod <rperekhod@owncloud.com> Co-authored-by: Matteo <matteo.sonnenholzner@kiteworks.com> Co-authored-by: Niraj Acharya <niraj@jankaritech.com> Co-authored-by: Lukas Hirt <info@hirt.cz> Co-authored-by: Michal Klos <michal.klos@kiteworks.com> Co-authored-by: Gwilherm Folliot <gwilherm55fo@gmail.com> Co-authored-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> Co-authored-by: Lukas Schwarz <lukas.schwarz@kiteworks.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com> Co-authored-by: Deyan Zhekov <deyan.zhekov@kiteworks.com> Co-authored-by: Matteo <193476828+mzner@users.noreply.github.com>

mzner approved these changes Apr 8, 2026

View reviewed changes

mklos-kw force-pushed the feat/release-pipeline branch from e6924cd to cb31745 Compare April 8, 2026 16:36