docs: add Docker image lifecycle concept document #1
Conversation
Document how the ownCloud server and ocis images are built, tagged, scanned, kept up to date and published, with emphasis on the dependency-update / vulnerability-management mechanism requested by the security team.

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
Review: Docker image lifecycle concept document

Documentation-only PR. Since the doc's stated value is fidelity to the real workflows ("verified against the actual reusable workflows… not from memory"), I fact-checked its claims against the six sibling repos (

Findings

1. §5a/§5c — Renovate is credited with Dependabot's schedule. The doc says Renovate opens PRs "weekly (Sun 22:00 UTC, ≤5 open PRs)". Neither
2. §5b + §7 table ("OS-package CVEs" row) — the
3. §6 — base-image smoke-test example cites a check that exists nowhere. The doc gives "a command check (e.g.
4. §3 tagging table — RC builds are described as "exact tag only" but also get an immutable date tag.

Nothing else surfaced — the remaining ~30 verifiable claims matched the source down to literal cron strings, port numbers, jq field names, and CVE justification comments.

🤖 Generated with Claude Code
Fixes four fact-check findings on the image lifecycle doc:

- §5a/§5c/§7: attribute the 'Sun 22:00 UTC, <=5 PRs' cadence to Dependabot (github-actions), not Renovate. The Renovate docker preset has no fixed schedule/limit; it auto-merges allowlisted digest updates on green CI. Added a separate Dependabot row to the schedule table.
- §5b/§7: correct the OS-package upgrade claim. Only owncloud/ubuntu runs `apt-get upgrade` (cascading to php/base/server); the oCIS runtime runs `apk upgrade`; web has no `apk upgrade` and relies on nginx:alpine digest bumps.
- §6: fix smoke-test command examples per image (ubuntu os-release, `php --version`, base `php -r echo OK`, web `nginx -t`).
- §3: RC builds also receive an immutable `<version>-<YYYYMMDD>` tag; only floating latest/major/minor tags are omitted.

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
Thanks — I verified all four findings against the source and pushed corrections in 4daf757. Every finding was valid; two of them (1 and 2) turned out to understate the automation, so the fixes also improve accuracy rather than just removing claims.

1. Renovate vs Dependabot cadence (§5a/§5c/§7) — Confirmed. The
2.
3. base smoke-test example (§6) — Fixed. Now lists each check accurately:
4. RC date tags (§3) — Confirmed. For ocis the date tag rides in

🤖 Generated with Claude Code
Re-review after revision — all four findings resolved ✅

Re-checked the revised doc against the real repos. The author addressed every previous finding, and I verified the new, more-specific claims added in the process:

Nothing new surfaced. Two optional nitpicks (non-blocking):

LGTM.

🤖 Generated with Claude Code
The owncloud/web image repository is being retired, so drop it from the lifecycle doc: image list, topology, build-args and tagging tables, per-image OS-package/version notes, publishing conditions, smoke-test examples, the §7 security-control table, and references. The oCIS embedded web-assets build step is unrelated and stays.

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
What

Adds `docs/IMAGE-LIFECYCLE.md` — an authoritative, security-focused concept document describing how the official ownCloud Docker images (`owncloud/server`, `owncloud/ocis`, and the supporting `base`/`php`/`ubuntu`/`web` images) are built, tagged, scanned, kept up to date, and published.

Also adds a short repo `README.md` pointing to it.

Why

The security team asked for a clear write-up of how the final images are kept up to date with dependency and CVE fixes. That knowledge was previously scattered across per-repo READMEs, CI workflow YAML, `.renovaterc.json` and `.trivyignore` files across six separate repositories. This document consolidates it in one org-level place.

Highlights

- `apt`/`apk upgrade`, weekly + daily scheduled rebuilds, Trivy gating (`exit-code: 1`, `ignore-unfixed`), the `.trivyignore` exception process, and Dependabot/SHA-pinned Actions.
- `ubuntu` repo, the `server`/`ocis` `main.yml`/`rolling.yml`, the Dockerfiles, and the Renovate config — not from memory.

Review notes

🤖 Generated with Claude Code
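The Trivy gate and the `.trivyignore` exception process named under Highlights are the controls the security team asked about. The block below is an added example, not code from the ownCloud repositories or from this PR: a small policy checker that runs over a `.trivyignore` file before the scan, so that a suppression cannot silently outlive its reason. The policy it enforces is an assumption for this example (a `#` justification comment directly above every suppressed ID, plus Trivy's `exp:YYYY-MM-DD` expiry suffix on every entry, a suffix Trivy itself honours); the sample file and its placeholder IDs are constructed. The scan invocation quoted in the docstring uses Trivy's real `--exit-code`, `--ignore-unfixed` and `--ignorefile` flags.

```python
"""Added example (not code from the ownCloud repos or this PR): enforce an
exception policy on a .trivyignore file before the Trivy gate runs.

Policy assumed for this example:
  * every suppressed ID is preceded by a '#' comment giving the justification;
  * every suppressed ID carries Trivy's 'exp:YYYY-MM-DD' suffix and has not expired.

The gate itself would then be, with Trivy's real flags:
  trivy image --exit-code 1 --ignore-unfixed --ignorefile .trivyignore \
      --severity HIGH,CRITICAL owncloud/server:latest
"""
import re
from datetime import date

# One vulnerability ID per line, optional "exp:YYYY-MM-DD"; '#' starts a comment.
_ENTRY_RE = re.compile(
    r"^(?P<id>CVE-\d{4}-\d{4,}|GHSA(?:-[0-9a-z]{4}){3})"
    r"(?:\s+exp:(?P<exp>\d{4}-\d{2}-\d{2}))?\s*$"
)


def check_trivyignore(text: str, today: str) -> list[str]:
    """Return policy violations for `text`; an empty list means the file passes.

    `today` is an ISO date (YYYY-MM-DD) so the check is reproducible in CI logs.
    """
    today_d = date.fromisoformat(today)
    problems: list[str] = []
    justified = False          # did a comment immediately precede this entry?
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            justified = False  # a blank line breaks the comment/entry pairing
            continue
        if line.startswith("#"):
            justified = True
            continue
        m = _ENTRY_RE.match(line)
        if m is None:
            problems.append(f"line {lineno}: unparseable entry {line!r}")
            justified = False
            continue
        vid = m.group("id")
        if not justified:
            problems.append(f"line {lineno}: {vid} has no justification comment")
        exp = m.group("exp")
        if exp is None:
            problems.append(f"line {lineno}: {vid} has no exp: expiry date")
        else:
            try:
                if date.fromisoformat(exp) < today_d:
                    problems.append(f"line {lineno}: {vid} exception expired on {exp}")
            except ValueError:
                problems.append(f"line {lineno}: {vid} has invalid exp: date {exp!r}")
        justified = False      # each entry needs its own comment
    return problems


# Constructed sample file with placeholder IDs: one compliant entry, one
# whose exception lapsed, and one suppressed with neither reason nor expiry.
SAMPLE_TRIVYIGNORE = """\
# Vulnerable code path is in a module the image never loads; upstream fix is
# queued for the next base-image release.  Re-evaluate before expiry.
CVE-2024-00001 exp:2030-01-01

# temporary, while the patched package works through the distro
CVE-2023-00002 exp:2023-06-01

GHSA-xxxx-yyyy-zzzz
"""

if __name__ == "__main__":
    import sys
    violations = check_trivyignore(SAMPLE_TRIVYIGNORE, date.today().isoformat())
    print("\n".join(violations) or ".trivyignore passes policy")
    sys.exit(1 if violations else 0)
```

Run it as a CI step ahead of the Trivy scan and fail the job on a non-zero exit; the scan's own `--exit-code 1` then only ever sees suppressions that carry a written reason and a date by which someone has to look at them again.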