From 4e4ba49cd987186ce4ad8e9fde0c6eb22b344e73 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com>
Date: Wed, 1 Apr 2026 16:37:36 +0200
Subject: [PATCH 1/5] ci: use GitHub actions
---
 .github/dependabot.yml | 7 +++
 .github/settings.yml | 66 ----------------------------
 .github/workflows/lint-pr-title.yml | 16 +++++++
 .github/workflows/main.yml | 43 +++++++++++++++++++
 .gitignore | 1 +
 .trivyignore | 2 +
 v7.4/Dockerfile.multiarch | 2 +-
 v8.0/Dockerfile.multiarch | 2 +-
 v8.1/Dockerfile.multiarch | 2 +-
 v8.2/Dockerfile.multiarch | 2 +-
 v8.3/Dockerfile.multiarch | 2 +-
 v8.4/Dockerfile.multiarch | 2 +-
 v8.5/Dockerfile.multiarch | 2 +-
 13 files changed, 76 insertions(+), 73 deletions(-)
 create mode 100644 .github/dependabot.yml
 delete mode 100644 .github/settings.yml
 create mode 100644 .github/workflows/lint-pr-title.yml
 create mode 100644 .github/workflows/main.yml
 create mode 100644 .gitignore
 create mode 100644 .trivyignore
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..00b49a4
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+version: 2
+updates:
+ - package-ecosystem: "github-actions"
+ directory: "/" # Location of package manifests
+ schedule:
+ interval: "weekly"
+
diff --git a/.github/settings.yml b/.github/settings.yml
deleted file mode 100644
index 65c56d8..0000000
--- a/.github/settings.yml
+++ /dev/null
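Review bot: The Dependabot config in `.github/dependabot.yml` only tracks the `github-actions` ecosystem, so the base-image digests pinned in the `v*/Dockerfile.multiarch` files (which the next two commits in this series bump by hand) stay unmonitored. Adding one `package-ecosystem: "docker"` entry per `vX.Y/` directory (or a single entry with a `directories` list) on the same weekly schedule would keep those `FROM` digests current automatically. Note that the reusable workflows in `main.yml` are referenced at `@master`, which Dependabot cannot bump; pinning them to a tag or SHA would let this config cover them too.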
@@ -1,66 +0,0 @@
----
-repository:
- name: php
- description: ":wrench: Docker images for PHP"
- topics: docker, php, ci
-
- private: false
- has_issues: true
- has_projects: false
- has_wiki: false
- has_downloads: false
-
- default_branch: master
-
- allow_squash_merge: true
- allow_merge_commit: true
- allow_rebase_merge: true
-
-labels:
- - name: bug
- color: d73a4a
- description: Something isn't working
- - name: documentation
- color: 0075ca
- description: Improvements or additions to documentation
- - name: duplicate
- color: cfd3d7
- description: This issue or pull request already exists
- - name: enhancement
- color: a2eeef
- description: New feature or request
- - name: good first issue
- color: 7057ff
- description: Good for newcomers
- - name: help wanted
- color: 008672
- description: Extra attention is needed
- - name: invalid
- color: e4e669
- description: This doesn't seem right
- - name: question
- color: d876e3
- description: Further information is requested
- - name: wontfix
- color: ffffff
- description: This will not be worked on
-
-teams:
- - name: bot
- permission: admin
-
-branches:
- - name: master
- protection:
- required_pull_request_reviews: null
- required_status_checks:
- strict: false
- contexts:
- - continuous-integration/drone/pr
- enforce_admins: false
- restrictions:
- apps:
- - renovate
- users: []
- teams:
- - bot
diff --git a/.github/workflows/lint-pr-title.yml b/.github/workflows/lint-pr-title.yml
new file mode 100644
index 0000000..c5c76b1
--- /dev/null
+++ b/.github/workflows/lint-pr-title.yml
@@ -0,0 +1,16 @@
+name: Lint PR title
+
+on:
+ pull_request:
+ types:
+ - opened
+ - edited
+ - synchronize
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: amannn/action-semantic-pull-request@48f256284bd46cdaab1048c3721360e808335d50 # v6
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
new file mode 100644
index 0000000..75cea55
--- /dev/null
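Review bot: `lint-pr-title.yml` declares no `permissions:` block, so the `GITHUB_TOKEN` handed to `amannn/action-semantic-pull-request` in the `env:` map carries whatever default token scope the repository is configured with rather than the minimum the job needs. Adding a top-level `permissions:` with `pull-requests: read` should be enough for title validation (confirm against the action's README) and keeps the token least-privilege. The action itself is pinned to a full commit SHA with a `# v6` comment, which is the right way to reference it.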
+++ b/.github/workflows/main.yml
@@ -0,0 +1,43 @@
+name: Docker CI
+
+on:
+ push:
+ branches: [master]
+ tags: ["*"]
+ pull_request:
+
+jobs:
+ lint:
+ uses: owncloud-docker/ubuntu/.github/workflows/lint-editorconfig.yml@master
+
+ build:
+ needs: lint
+ uses: owncloud-docker/ubuntu/.github/workflows/docker-build.yml@master
+ with:
+ docker-repo-name: owncloudci/${{ github.event.repository.name }}
+ docker-tag: ${{ matrix.version }}
+ docker-context: v${{ matrix.version }}
+ docker-file: v${{ matrix.version }}/Dockerfile.multiarch
+ docker-hub-username: ${{ vars.DOCKERHUB_USERNAME }}
+ push: ${{ github.ref == 'refs/heads/master' }}
+ secrets:
+ docker-hub-password: ${{ secrets.DOCKERHUB_TOKEN }}
+ docker-secrets: |
+ mirror-url=${{ secrets.DEB_MIRROR_URL }}
+ mirror-auth=machine ${{secrets.DEB_MIRROR_URL}} login ${{secrets.DEB_MIRROR_LOGIN}} password ${{secrets.DEB_MIRROR_PWD}}
+
+ strategy:
+ matrix:
+ #version: ["7.4", "8.0", "8.1", "8.2", "8.3", "8.4", "8.5"]
+ version: ["8.3", "8.4", "8.5"]
+
+ update-docker-hub-description:
+ needs: build
+ if: github.ref == 'refs/heads/master'
+ uses: owncloud-docker/ubuntu/.github/workflows/docker-hub-desc.yml@master
+ with:
+ docker-repo-name: owncloudci/${{ github.event.repository.name }}
+ docker-repo-description: ownCloud PHP base image for use in CI
+ docker-hub-username: ${{ vars.DOCKERHUB_USERNAME }}
+ secrets:
+ docker-hub-password: ${{ secrets.DOCKERHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..b13ebc3
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.claude/
\ No newline at end of file
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..6774155
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,2 @@
+# Ignore snakeoil SSL key
+/etc/ssl/private/ssl-cert-snakeoil.key
diff --git a/v7.4/Dockerfile.multiarch b/v7.4/Dockerfile.multiarch
index f3b7d32..bafd343 100644
--- a/v7.4/Dockerfile.multiarch
+++ b/v7.4/Dockerfile.multiarch
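Review bot: All three reusable workflows in `main.yml` are referenced at `@master`, so the `build` job that receives `DOCKERHUB_TOKEN` and the apt-mirror credentials runs whatever the default branch of owncloud-docker/ubuntu holds at run time, with no review step in this repository; pin them to a release tag or commit SHA the same way `lint-pr-title.yml` pins its action. The `mirror-auth` line builds a netrc entry from `DEB_MIRROR_URL`, but a netrc `machine` field takes a host name, so if that secret holds a full URL (scheme or path) the entry will not match — presumably a host-only value is intended there; worth confirming against how the Dockerfiles consume it. Separately, `tags: ["*"]` triggers a build on tag pushes while `push:` is only true for `refs/heads/master`, so tagged builds are never published; if that is intentional, a comment on the `tags:` line saying so would save the next reader the question. Style: the `docker-secrets` block mixes `${{ secrets.X }}` and `${{secrets.X}}` spacing.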
@@ -1,4 +1,4 @@
-FROM docker.io/owncloud/ubuntu:22.04@sha256:69e2b55da1b9e238db0f9653c5c0dc815eaf7a97fd93ccc7befcd6baf2cc2393
+FROM owncloud/ubuntu:22.04@sha256:1d1f5d61aa08ca5a2c422b37835608405014388a1603c9d16e1186e8535cca2b
 LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.authors="ownCloud DevOps " \
diff --git a/v8.0/Dockerfile.multiarch b/v8.0/Dockerfile.multiarch
index 4d7b965..35143da 100644
--- a/v8.0/Dockerfile.multiarch
+++ b/v8.0/Dockerfile.multiarch
@@ -1,4 +1,4 @@
-FROM docker.io/owncloud/ubuntu:22.04@sha256:69e2b55da1b9e238db0f9653c5c0dc815eaf7a97fd93ccc7befcd6baf2cc2393
+FROM owncloud/ubuntu:22.04@sha256:1d1f5d61aa08ca5a2c422b37835608405014388a1603c9d16e1186e8535cca2b
 LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.authors="ownCloud DevOps " \
diff --git a/v8.1/Dockerfile.multiarch b/v8.1/Dockerfile.multiarch
index 2768796..f59fa43 100644
--- a/v8.1/Dockerfile.multiarch
+++ b/v8.1/Dockerfile.multiarch
@@ -1,4 +1,4 @@
-FROM docker.io/owncloud/ubuntu:22.04@sha256:69e2b55da1b9e238db0f9653c5c0dc815eaf7a97fd93ccc7befcd6baf2cc2393
+FROM owncloud/ubuntu:22.04@sha256:1d1f5d61aa08ca5a2c422b37835608405014388a1603c9d16e1186e8535cca2b
 LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.authors="ownCloud DevOps " \
diff --git a/v8.2/Dockerfile.multiarch b/v8.2/Dockerfile.multiarch
index 31d4da4..10a5097 100644
--- a/v8.2/Dockerfile.multiarch
+++ b/v8.2/Dockerfile.multiarch
@@ -1,4 +1,4 @@
-FROM docker.io/owncloud/ubuntu:22.04@sha256:69e2b55da1b9e238db0f9653c5c0dc815eaf7a97fd93ccc7befcd6baf2cc2393
+FROM owncloud/ubuntu:22.04@sha256:1d1f5d61aa08ca5a2c422b37835608405014388a1603c9d16e1186e8535cca2b
 LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.authors="ownCloud DevOps " \
diff --git a/v8.3/Dockerfile.multiarch b/v8.3/Dockerfile.multiarch
index 82f55a1..0e7f54f 100644
--- a/v8.3/Dockerfile.multiarch
+++ b/v8.3/Dockerfile.multiarch
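Review bot: The new `FROM` in `v7.4/Dockerfile.multiarch` drops the explicit `docker.io/` registry prefix, so `owncloud/ubuntu:22.04` now resolves through the builder's default registry or any configured registry mirror instead of always Docker Hub; the `@sha256:` digest still pins the content, but keeping the fully-qualified `docker.io/owncloud/ubuntu:22.04@sha256:…` reference removes the dependency on builder configuration. The same prefix removal is made to v8.0, v8.1, v8.2, v8.3, v8.4 and v8.5 in this commit.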
@@ -1,4 +1,4 @@
-FROM docker.io/owncloud/ubuntu:22.04@sha256:69e2b55da1b9e238db0f9653c5c0dc815eaf7a97fd93ccc7befcd6baf2cc2393
+FROM owncloud/ubuntu:22.04@sha256:1d1f5d61aa08ca5a2c422b37835608405014388a1603c9d16e1186e8535cca2b
 LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.authors="ownCloud DevOps " \
diff --git a/v8.4/Dockerfile.multiarch b/v8.4/Dockerfile.multiarch
index f199bf9..cd03544 100644
--- a/v8.4/Dockerfile.multiarch
+++ b/v8.4/Dockerfile.multiarch
@@ -1,4 +1,4 @@
-FROM docker.io/owncloud/ubuntu:22.04@sha256:69e2b55da1b9e238db0f9653c5c0dc815eaf7a97fd93ccc7befcd6baf2cc2393
+FROM owncloud/ubuntu:22.04@sha256:1d1f5d61aa08ca5a2c422b37835608405014388a1603c9d16e1186e8535cca2b
 LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.authors="ownCloud DevOps " \
diff --git a/v8.5/Dockerfile.multiarch b/v8.5/Dockerfile.multiarch
index 29f3f9e..90f117c 100644
--- a/v8.5/Dockerfile.multiarch
+++ b/v8.5/Dockerfile.multiarch
@@ -1,4 +1,4 @@
-FROM docker.io/owncloud/ubuntu:22.04@sha256:69e2b55da1b9e238db0f9653c5c0dc815eaf7a97fd93ccc7befcd6baf2cc2393
+FROM owncloud/ubuntu:22.04@sha256:1d1f5d61aa08ca5a2c422b37835608405014388a1603c9d16e1186e8535cca2b
 LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.authors="ownCloud DevOps " \
From 58b4ee1ed08124f68e41d89e04dd97254918e2b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com>
Date: Thu, 21 May 2026 16:18:58 +0200
Subject: [PATCH 2/5] fix: update base image
---
 v8.3/Dockerfile.multiarch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/v8.3/Dockerfile.multiarch b/v8.3/Dockerfile.multiarch
index 0e7f54f..0c8bc49 100644
--- a/v8.3/Dockerfile.multiarch
+++ b/v8.3/Dockerfile.multiarch
@@ -1,4 +1,4 @@
-FROM owncloud/ubuntu:22.04@sha256:1d1f5d61aa08ca5a2c422b37835608405014388a1603c9d16e1186e8535cca2b
+FROM owncloud/ubuntu:22.04@sha256:546797975cc227aa2abb401a3a8c0b0f475af20b919f6d7d0a2f3c6c1a3de044
 LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.authors="ownCloud DevOps " \
From 8e26fa6d730d1ed300c9ac70f5e49263cdf1f9fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com>
Date: Thu, 21 May 2026 16:18:58 +0200
Subject: [PATCH 3/5] fix: update base image
---
 v7.4/Dockerfile.multiarch | 2 +-
 v8.0/Dockerfile.multiarch | 2 +-
 v8.1/Dockerfile.multiarch | 2 +-
 v8.2/Dockerfile.multiarch | 2 +-
 v8.4/Dockerfile.multiarch | 2 +-
 v8.5/Dockerfile.multiarch | 2 +-
 6 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/v7.4/Dockerfile.multiarch b/v7.4/Dockerfile.multiarch
index bafd343..5b69206 100644
--- a/v7.4/Dockerfile.multiarch
+++ b/v7.4/Dockerfile.multiarch
@@ -1,4 +1,4 @@
-FROM owncloud/ubuntu:22.04@sha256:1d1f5d61aa08ca5a2c422b37835608405014388a1603c9d16e1186e8535cca2b
+FROM owncloud/ubuntu:22.04@sha256:546797975cc227aa2abb401a3a8c0b0f475af20b919f6d7d0a2f3c6c1a3de044
 LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.authors="ownCloud DevOps " \
diff --git a/v8.0/Dockerfile.multiarch b/v8.0/Dockerfile.multiarch
index 35143da..78ef519 100644
--- a/v8.0/Dockerfile.multiarch
+++ b/v8.0/Dockerfile.multiarch
@@ -1,4 +1,4 @@
-FROM owncloud/ubuntu:22.04@sha256:1d1f5d61aa08ca5a2c422b37835608405014388a1603c9d16e1186e8535cca2b
+FROM owncloud/ubuntu:22.04@sha256:546797975cc227aa2abb401a3a8c0b0f475af20b919f6d7d0a2f3c6c1a3de044
 LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.authors="ownCloud DevOps " \
diff --git a/v8.1/Dockerfile.multiarch b/v8.1/Dockerfile.multiarch
index f59fa43..f566398 100644
--- a/v8.1/Dockerfile.multiarch
+++ b/v8.1/Dockerfile.multiarch
@@ -1,4 +1,4 @@
-FROM owncloud/ubuntu:22.04@sha256:1d1f5d61aa08ca5a2c422b37835608405014388a1603c9d16e1186e8535cca2b
+FROM owncloud/ubuntu:22.04@sha256:546797975cc227aa2abb401a3a8c0b0f475af20b919f6d7d0a2f3c6c1a3de044
 LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.authors="ownCloud DevOps " \
diff --git a/v8.2/Dockerfile.multiarch b/v8.2/Dockerfile.multiarch
index 10a5097..a58ead3 100644
--- a/v8.2/Dockerfile.multiarch
+++ b/v8.2/Dockerfile.multiarch
@@ -1,4 +1,4 @@
-FROM owncloud/ubuntu:22.04@sha256:1d1f5d61aa08ca5a2c422b37835608405014388a1603c9d16e1186e8535cca2b
+FROM owncloud/ubuntu:22.04@sha256:546797975cc227aa2abb401a3a8c0b0f475af20b919f6d7d0a2f3c6c1a3de044
 LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.authors="ownCloud DevOps " \
diff --git a/v8.4/Dockerfile.multiarch b/v8.4/Dockerfile.multiarch
index cd03544..7812a1e 100644
--- a/v8.4/Dockerfile.multiarch
+++ b/v8.4/Dockerfile.multiarch
@@ -1,4 +1,4 @@
-FROM owncloud/ubuntu:22.04@sha256:1d1f5d61aa08ca5a2c422b37835608405014388a1603c9d16e1186e8535cca2b
+FROM owncloud/ubuntu:22.04@sha256:546797975cc227aa2abb401a3a8c0b0f475af20b919f6d7d0a2f3c6c1a3de044
 LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.authors="ownCloud DevOps " \
diff --git a/v8.5/Dockerfile.multiarch b/v8.5/Dockerfile.multiarch
index 90f117c..b0d18d8 100644
--- a/v8.5/Dockerfile.multiarch
+++ b/v8.5/Dockerfile.multiarch
@@ -1,4 +1,4 @@
-FROM owncloud/ubuntu:22.04@sha256:1d1f5d61aa08ca5a2c422b37835608405014388a1603c9d16e1186e8535cca2b
+FROM owncloud/ubuntu:22.04@sha256:546797975cc227aa2abb401a3a8c0b0f475af20b919f6d7d0a2f3c6c1a3de044
 LABEL maintainer="ownCloud GmbH " \
 org.opencontainers.image.authors="ownCloud DevOps " \
From f79cf1a09fe77c097a32b8ce350ff675c90ab69c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com>
Date: Thu, 21 May 2026 17:16:59 +0200
Subject: [PATCH 4/5] fix: replace broken .trivyignore with YAML format to suppress snakeoil secret finding
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The plain-text .trivyignore format only accepts CVE/rule IDs; a bare file path is silently ignored. Trivy's secrets scanner flags the snakeoil SSL private key as HIGH (AsymmetricPrivateKey). Switch to .trivyignore.yaml which supports path-scoped secrets ignores, and pass it explicitly via the trivy-ignore-files workflow input.

Co-Authored-By: Claude Sonnet 4.6 
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
---
 .github/workflows/main.yml | 1 +
 .trivyignore | 2 --
 .trivyignore.yaml | 4 ++++
 3 files changed, 5 insertions(+), 2 deletions(-)
 delete mode 100644 .trivyignore
 create mode 100644 .trivyignore.yaml
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 75cea55..1d3d64a 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -20,6 +20,7 @@ jobs:
 docker-file: v${{ matrix.version }}/Dockerfile.multiarch
 docker-hub-username: ${{ vars.DOCKERHUB_USERNAME }}
 push: ${{ github.ref == 'refs/heads/master' }}
+ trivy-ignore-files: .trivyignore.yaml
 secrets:
 docker-hub-password: ${{ secrets.DOCKERHUB_TOKEN }}
 docker-secrets: |
diff --git a/.trivyignore b/.trivyignore
deleted file mode 100644
index 6774155..0000000
--- a/.trivyignore
+++ /dev/null
@@ -1,2 +0,0 @@
-# Ignore snakeoil SSL key
-/etc/ssl/private/ssl-cert-snakeoil.key
diff --git a/.trivyignore.yaml b/.trivyignore.yaml
new file mode 100644
index 0000000..92ee4b0
--- /dev/null
+++ b/.trivyignore.yaml
@@ -0,0 +1,4 @@
+secrets:
+ - id: private-key
+ paths:
+ - /etc/ssl/private/ssl-cert-snakeoil.key
From f7e666ee5a977d0f010020773b38adfb652e22bc Mon Sep 17 00:00:00 2001
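Review bot: `.trivyignore.yaml` silences the `private-key` finding for `/etc/ssl/private/ssl-cert-snakeoil.key`, but per the commit message Trivy is reporting a private key that is actually present in the built image, so everything built from the published image carries the same key material; a scanner suppression hides that, it does not change it. If the key is inherited from the base image rather than generated per container, the stronger fix is to delete it (or avoid installing the package that creates it) in a Dockerfile build step and keep the suppression only for what cannot be removed; the `RUN` lines are outside this diff, so that cannot be confirmed here. Scoping the ignore to `paths:` instead of disabling the rule globally is the right shape. A one-line comment above `secrets:` stating why this key is considered harmless in this image would let the next reader judge the suppression without re-deriving it.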
From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com>
Date: Thu, 21 May 2026 17:46:07 +0200
Subject: [PATCH 5/5] ci: enable GitHub Actions layer cache for Docker builds
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

QEMU-emulated arm64 takes 10-11x longer than amd64 (654s vs 56s for the main apt-get install layer). Using GHA cache per-version scope makes re-runs after trivial changes near-instant instead of 15+ minutes.

Co-Authored-By: Claude Sonnet 4.6 
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
---
 .github/workflows/main.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 1d3d64a..df2e20d 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -21,6 +21,8 @@ jobs:
 docker-hub-username: ${{ vars.DOCKERHUB_USERNAME }}
 push: ${{ github.ref == 'refs/heads/master' }}
 trivy-ignore-files: .trivyignore.yaml
+ docker-cache-from: type=gha,scope=${{ matrix.version }}
+ docker-cache-to: type=gha,scope=${{ matrix.version }},mode=max
 secrets:
 docker-hub-password: ${{ secrets.DOCKERHUB_TOKEN }}
 docker-secrets: |
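Review bot: `docker-cache-to: type=gha,…,mode=max` persists every intermediate layer of the build into the repository's Actions cache, which is restorable by later runs including `pull_request` runs, so it is worth confirming that the `mirror-auth` netrc passed through `docker-secrets` (visible in the context lines below the hunk) is only ever consumed via a BuildKit secret mount in the Dockerfiles and never lands in a layer through `ARG`, `ENV` or `COPY`; the `RUN` lines are outside this diff, so that cannot be checked here. Also note the per-repository Actions cache size cap (10 GB by default): three version scopes, each covering both architectures at `mode=max`, can exceed it and trigger evictions, which would make the speed-up the commit message describes intermittent; if that happens, `mode=min` on the `docker-cache-to` line trades some hit rate for a much smaller footprint. A short comment above `docker-cache-from:` recording that the scope is per PHP version (not per architecture) would make the keying explicit for the next maintainer.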