OCIS_FULL deployment example: use renovate to enhance security#12048
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes.
Pull request overview
This PR enhances the security and maintainability of the ocis_full deployment example by implementing Docker image digest pinning and automated dependency update tracking. The changes ensure deterministic deployments and provide visibility into security updates through Renovate-generated pull requests, moving away from potentially unstable latest tags while avoiding the security risks of static pinned tags.
Changes:
- Added digest pinning to all Docker images in ocis_full compose files (tag@sha256:digest format)
- Added Renovate configuration to automate detection and PRs for image updates
- Added GitHub Actions smoke test workflow to validate compose configurations on PR changes
Reviewed changes
Copilot reviewed 17 out of 18 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| renovate.json | New Renovate configuration for automated Docker image update detection in ocis_full |
| deployments/examples/ocis_full/web_extensions/unzip.yml | Added digest pinning and platform specification for unzip extension |
| deployments/examples/ocis_full/web_extensions/progressbars.yml | Added digest pinning and platform specification for progressbars extension |
| deployments/examples/ocis_full/web_extensions/jsonviewer.yml | Added digest pinning and platform specification for jsonviewer extension |
| deployments/examples/ocis_full/web_extensions/importer.yml | Added digest pinning and platform specification for importer and companion services |
| deployments/examples/ocis_full/web_extensions/externalsites.yml | Added digest pinning and platform specification for externalsites extension |
| deployments/examples/ocis_full/web_extensions/drawio.yml | Added digest pinning and platform specification for drawio extension |
| deployments/examples/ocis_full/tika.yml | Added digest pinning and platform specification, updated from latest-full to specific version |
| deployments/examples/ocis_full/onlyoffice.yml | Added digest pinning and platform specification for OnlyOffice and collaboration services |
| deployments/examples/ocis_full/ocis.yml | Added digest pinning and platform specification for main oCIS service |
| deployments/examples/ocis_full/minio.yml | Added digest pinning and platform specification, updated to versioned release tag |
| deployments/examples/ocis_full/mailserver.yml | Added digest pinning and platform specification for mailpit service |
| deployments/examples/ocis_full/docker-compose.yml | Added digest pinning and platform specification for Traefik |
| deployments/examples/ocis_full/collabora.yml | Added digest pinning and platform specification for Collabora and collaboration services |
| deployments/examples/ocis_full/clamav.yml | Added digest pinning and platform specification for ClamAV |
| deployments/examples/ocis_full/.env | Added IMAGE_ARCH variable, emptied DOCKER_TAG variables, added documentation comments for manual override |
| .gitignore | Added .DS_Store to ignore macOS system files |
| .github/workflows/ocis-full-smoke.yml | New smoke test workflow to validate ocis_full compose configuration on PRs |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Changed INSECURE setting to false and removed IMAGE_ARCH configuration.
dj4oC left a comment:
Addressed all issues
| # The recommended (and tested) version to pull. If no version is used, it pulls "latest" | ||
| # Documentation/manual override only: default compose pins a tag+digest in docker-compose.yml. | ||
| # release notes: https://github.com/traefik/traefik/releases | ||
| TRAEFIK_DOCKER_TAG=v3.6.7 | ||
| TRAEFIK_DOCKER_TAG= |
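Review bot: the retained first comment line ("If no version is used, it pulls "latest"") now contradicts the added line ("default compose pins a tag+digest in docker-compose.yml"), and an emptied TRAEFIK_DOCKER_TAG= only works as a manual override if some compose file still interpolates it. Either replace the stale "pulls latest" sentence with a statement of what the variable overrides and which compose file reads it, or drop the variable instead of leaving it empty.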
Several image override env vars (e.g. TRAEFIK_DOCKER_TAG, OCIS_DOCKER_IMAGE/OCIS_DOCKER_TAG, TIKA_IMAGE, COLLABORA_DOCKER_TAG, CLAMAV_DOCKER_TAG, ONLYOFFICE_IMAGE, MAIL_SERVER_DOCKER_TAG, COMPANION_IMAGE) are now documented as “manual override only”, but they are no longer referenced by any compose file under deployments/examples/ocis_full after switching to hard-pinned image: ...@sha256:.... This is misleading because editing .env won’t change the pulled images anymore. Either reintroduce env interpolation (with the pinned tag@digest as the default) or remove/rename these variables and update the comments accordingly.
@copilot open a new pull request to apply changes based on this feedback
This is a point. We should have a consistent definition. In my opinion the COMPANION_DOCKER_IMAGE definition looks correct.
image: ${COMPANION_DOCKER_IMAGE:-transloadit/companion:5.8.0@sha256:65052a640897deb14fdf449fa88a121b8648f0fb06c52a1503fa4b3bb1d2564f}
Replace TRAEFIK_DOCKER_TAG with TRAEFIK_DOCKER_IMAGE and use it:
image: ${TRAEFIK_DOCKER_IMAGE:-traefik:v3.6.7@sha256:a9890c898f379c1905ee5b28342f6b408dc863f08db2dab20e46c267d1ff463a}
For Ocis:
image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest} will be replaced by:
image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis:8.0.0@sha256:41e6d78f43507015e0c34b87bff49ae0744f261a92916f044e47d32067ff18ce}
Therefore, we no longer use *_DOCKER_TAG variables. Use only *_DOCKER_IMAGE if necessary.
The variable's name could be confusing there. It was OCIS_DOCKER_IMAGE:OCIS_DOCKER_TAG -> owncloud/ocis:tag_name, and then I proposed using the same variable OCIS_DOCKER_IMAGE for the full image definition (OCIS_DOCKER_IMAGE -> owncloud/ocis:tag_name); it could break something.
@kobergj Maybe we need a new pattern like *_DOCKER_IMAGE_NAME or *_IMAGE
For Ocis:
image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest} will be replaced by:
image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis:8.0.0@sha256:41e6d78f43507015e0c34b87bff49ae0744f261a92916f044e47d32067ff18ce}
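As an added example (not code from the ocis repository or from this PR), the following Python checker resolves compose `${VAR:-default}` interpolation the way both patterns discussed above rely on it and reports whether each resolved image reference is digest-pinned; it also shows why reusing OCIS_DOCKER_IMAGE for a full reference breaks the old two-variable form. The compose snippet and the digest are constructed.

```python
import re
from typing import Dict, List, Tuple

# Compose interpolation: ${VAR:-default} falls back when VAR is unset OR empty
# (so an emptied .env line like TRAEFIK_DOCKER_TAG= yields the default);
# ${VAR-default} falls back only when unset; ${VAR} expands or becomes "".
_VAR = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)(?:(:?-)([^}]*))?\}")
_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")  # immutable reference suffix
FAKE_DIGEST = "0123456789abcdef" * 4  # constructed, obviously fake digest

def resolve_image(spec: str, env: Dict[str, str]) -> str:
    """Expand compose ${VAR:-default} references in an image spec using env."""
    def sub(m: re.Match) -> str:
        name, op, default = m.group(1), m.group(2), m.group(3)
        val = env.get(name)
        if op == ":-" and not val:
            return default
        if op == "-" and val is None:
            return default
        return val or ""
    return _VAR.sub(sub, spec)

def classify(image: str) -> Tuple[bool, str]:
    """Return (digest_pinned, reason) for a fully resolved image reference."""
    if _DIGEST.search(image):
        return True, "pinned to digest"
    last = image.split("@", 1)[0].rsplit("/", 1)[-1]  # the "name:tag" part
    tag = last.split(":", 1)[1] if ":" in last else None
    if tag is None or tag == "latest":
        return False, "floating 'latest' tag"
    return False, f"mutable tag '{tag}' without digest"

def audit_compose(text: str, env: Dict[str, str]) -> List[Tuple[str, bool, str]]:
    """Resolve and classify every `image:` line in compose text."""
    results = []
    for line in text.splitlines():
        m = re.match(r"\s*image:\s*['\"]?([^'\"\s]+)", line)
        if m:
            image = resolve_image(m.group(1), env)
            results.append((image,) + classify(image))
    return results

# Constructed sample: the pre-PR two-variable pattern beside the proposed one.
SAMPLE_COMPOSE = f"""\
services:
  ocis-old:
    image: ${{OCIS_DOCKER_IMAGE:-owncloud/ocis}}:${{OCIS_DOCKER_TAG:-latest}}
  ocis-new:
    image: ${{OCIS_DOCKER_IMAGE:-owncloud/ocis:8.0.0@sha256:{FAKE_DIGEST}}}
"""
```

Running `audit_compose(SAMPLE_COMPOSE, {})` flags the old service as floating and the new one as pinned, while an override such as `{"OCIS_DOCKER_IMAGE": "owncloud/ocis:8.0.1"}` turns the new service into an unpinned reference and the old one into the malformed `owncloud/ocis:8.0.1:latest`.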
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Remove specific version for ONLYOFFICE_DOCKER_TAG
Just a quick note: Renovate app is already installed in the org as we are using it in several FE repositories (web, web-extensions, web-app-skeleton).



Summary
This PR hardens the deployments/examples/ocis_full Docker Compose example by pinning Docker images to tag@digest (deterministic + security rebuild aware) and adds automation so image updates become reviewable PRs instead of silent drift.
What’s included
Why this change
Known issue / follow-up
Activation required (Org Admin action)
renovate.json is committed, but Renovate won’t run until one of the following is enabled:
Option A (preferred): Install Renovate GitHub App for this repo only
1. Install Renovate (Mend) GitHub App for the org
2. Choose Only select repositories
3. Select owncloud/ocis
4. Ensure permissions allow creating branches + PRs (contents + pull-requests write)
Option B: Run Renovate via GitHub Actions (if App install isn’t possible)
• Provide a bot token and store it as repo secret RENOVATE_TOKEN
• Add a scheduled workflow to execute Renovate (I can add this once the secret exists)
How to test
From deployments/examples/ocis_full:
Expected outcome
• Users of ocis_full always pull a deterministic, reviewed image set.
• Security rebuilds and upstream image updates become visible Renovate PRs routed to QA.