owncloud · dj4oC · Feb 22, 2026 · Feb 22, 2026 · Feb 22, 2026 · Feb 26, 2026
diff --git a/.github/workflows/ocis-full-smoke.yml b/.github/workflows/ocis-full-smoke.yml
@@ -0,0 +1,45 @@
+name: oCIS Full Smoke
+
+on:
+  pull_request:
+    paths:
+      - "deployments/examples/ocis_full/**"
+  push:
+    branches:
+      - master
+    paths:
+      - "deployments/examples/ocis_full/**"
+  schedule:
+    - cron: "0 3 * * *"
+
+jobs:
+  smoke:
+    runs-on: ubuntu-latest
+    timeout-minutes: 20
+    defaults:
+      run:
+        working-directory: deployments/examples/ocis_full
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Validate compose config
+        run: docker compose --env-file .env config >/dev/null
+
+      - name: Start default stack
+        run: docker compose --env-file .env up -d
+
+      - name: Wait for startup
+        run: sleep 45
+
+      - name: Show compose status
+        if: always()
+        run: docker compose --env-file .env ps
+
+      - name: Show recent compose logs
+        if: always()
+        run: docker compose --env-file .env logs --tail 200
+
+      - name: Tear down stack
+        if: always()
+        run: docker compose --env-file .env down -v --remove-orphans
diff --git a/.gitignore b/.gitignore
@@ -64,3 +64,5 @@ go.work.sum
 .envrc
 CLAUDE.md
 .claude/
+
+.DS_Store
diff --git a/deployments/examples/ocis_full/.env b/deployments/examples/ocis_full/.env
@@ -5,14 +5,15 @@ LOG_DRIVER=
 # If you're on an internet facing server, comment out following line.
 # It skips certificate validation for various parts of Infinite Scale and is
 # needed when self signed certificates are used.
-INSECURE=true
+INSECURE=false
 
 
 ## Traefik Settings ##
 # Note: Traefik is always enabled and can't be disabled.
 # The recommended (and tested) version to pull. If no version is used, it pulls "latest"
+# Documentation/manual override only: default compose pins a tag+digest in docker-compose.yml.
 # release notes: https://github.com/traefik/traefik/releases
-TRAEFIK_DOCKER_TAG=v3.6.7
+TRAEFIK_DOCKER_TAG=
 # Serve Traefik dashboard.
 # Defaults to "false".
 TRAEFIK_DASHBOARD=
@@ -42,6 +43,7 @@ OCIS=:ocis.yml
 # For production releases: "owncloud/ocis"
 # For rolling releases:    "owncloud/ocis-rolling"
 # Defaults to production if not set otherwise
+# Documentation/manual override only: default compose pins a tag+digest in ocis*.yml.
 OCIS_DOCKER_IMAGE=owncloud/ocis
 # The oCIS container version.
 # Defaults to "latest" and points to the latest stable tag.
@@ -155,6 +157,7 @@ START_ADDITIONAL_SERVICES="notifications"
 # The importer needs additional COMPANION config, see the following lines for more details.
 ## The docker image to be used for uppy companion.
 # owncloud has built a container with public link import support.
+# Documentation/manual override only: default compose pins a tag+digest in web_extensions/importer.yml.
 COMPANION_IMAGE=
 # Domain of Uppy Companion. Defaults to "companion.owncloud.test".
 COMPANION_DOMAIN=
@@ -172,6 +175,7 @@ COMPANION_ONEDRIVE_SECRET=
 TIKA=:tika.yml
 # Set the desired docker image tag or digest.
 # Defaults to "latest"
+# Documentation/manual override only: default compose pins a tag+digest in tika.yml.
 TIKA_IMAGE=
 
 ### IMPORTANT Note for Online Office Apps ###
@@ -184,8 +188,9 @@ TIKA_IMAGE=
 # Note: the leading colon is required to enable the service.
 COLLABORA=:collabora.yml
 # The recommended (and tested) version to pull. If no version is used, it pulls "latest"
+# Documentation/manual override only: default compose pins a tag+digest in collabora.yml.
 # release notes: https://www.collaboraonline.com/release-notes/
-COLLABORA_DOCKER_TAG=25.04.8.1.1
+COLLABORA_DOCKER_TAG=
 # Domain of Collabora, where you can find the frontend.
 # Defaults to "collabora.owncloud.test"
 COLLABORA_DOMAIN=
@@ -217,6 +222,7 @@ COLLABORA_SSL_VERIFICATION=false
 #CLAMAV=:clamav.yml
 # Image version of the ClamAV container.
 # Defaults to "latest"
+# Documentation/manual override only: default compose pins a tag+digest in clamav.yml.
 CLAMAV_DOCKER_TAG=
 
 
@@ -227,10 +233,11 @@ CLAMAV_DOCKER_TAG=
 # For community releases:  "onlyoffice/documentserver"
 # For enterprise releases: "onlyoffice/documentserver-ee"
 # Defaults to community if not set otherwise
+# Documentation/manual override only: default compose pins a tag+digest in onlyoffice.yml.
 ONLYOFFICE_IMAGE=onlyoffice/documentserver
 # The recommended (and tested) version to pull. If no version is used, it pulls "latest"
 # release notes: https://github.com/ONLYOFFICE/DocumentServer/releases
-ONLYOFFICE_DOCKER_TAG=9.2.1.1
+ONLYOFFICE_DOCKER_TAG=
 
 # EE only: the path to your license file on the host.
 # To activate a license file, comment ONLYOFFICE_DEACTIVATE_LICENSE. Otherwise, it <must> stay uncommented.
@@ -256,8 +263,9 @@ ONLYOFFICE_DOMAIN=
 # Domain for mail server. Defaults to "mail.owncloud.test".
 MAIL_SERVER_DOMAIN=
 # The recommended (and tested) version to pull. If no version is used, it pulls "latest"
+# Documentation/manual override only: default compose pins a tag+digest in mailserver.yml.
 # release notes: https://github.com/axllent/mailpit/releases
-MAIL_SERVER_DOCKER_TAG=v1.28.0
+MAIL_SERVER_DOCKER_TAG=
 
 
 ### Debugging - Monitoring ###

diff --git a/deployments/examples/ocis_full/clamav.yml b/deployments/examples/ocis_full/clamav.yml
@@ -13,7 +13,8 @@ services:
       - "clamav-socket:/var/run/clamav"
 
   clamav:
-    image: clamav/clamav:${CLAMAV_DOCKER_TAG:-latest}
+    image: clamav/clamav:1.5.1@sha256:e4f5060e4ef3f066a4c1234fbe45d8d876635f03b13e41aa679f89792968bc6c
+    platform: linux/${IMAGE_ARCH:-amd64}
-    platform: linux/${IMAGE_ARCH:-amd64}
-    platform: linux/${IMAGE_ARCH:-amd64}
     # release notes: https://blog.clamav.net
     networks:
       ocis-net:

diff --git a/deployments/examples/ocis_full/collabora.yml b/deployments/examples/ocis_full/collabora.yml
@@ -12,7 +12,8 @@ services:
       GRAPH_AVAILABLE_ROLES: "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5,a8d5fe5e-96e3-418d-825b-534dbdf22b99,fb6c3e19-e378-47e5-b277-9732f9de6e21,58c63c02-1d89-4572-916a-870abc5a1b7d,2d00ce52-1fc2-4dbc-8b95-a73b73395f5a,1c996275-f1c9-4e71-abdf-a42f6495e960,312c0871-5ef7-4b3a-85b6-0e4074c64049,aa97fe03-7980-45ac-9e50-b325749fd7e6"
 
   collaboration:
-    image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
+    image: owncloud/ocis:8.0.0@sha256:41e6d78f43507015e0c34b87bff49ae0744f261a92916f044e47d32067ff18ce
+    platform: linux/${IMAGE_ARCH:-amd64}
-    platform: linux/${IMAGE_ARCH:-amd64}
-    platform: linux/${IMAGE_ARCH:-amd64}
     networks:
       ocis-net:
     depends_on:
@@ -49,7 +50,8 @@ services:
     restart: always
 
   collabora:
-    image: collabora/code:${COLLABORA_DOCKER_TAG:-latest}
+    image: collabora/code:25.04.8.1.1@sha256:3c58d0e9bae75e4647467d0c7d91cb66f261d3e814709aed590b5c334a04db26
+    platform: linux/${IMAGE_ARCH:-amd64}
-    platform: linux/${IMAGE_ARCH:-amd64}
-    platform: linux/${IMAGE_ARCH:-amd64}
     networks:
       ocis-net:
     environment:

diff --git a/deployments/examples/ocis_full/docker-compose.yml b/deployments/examples/ocis_full/docker-compose.yml
@@ -1,7 +1,7 @@
 ---
 services:
   traefik:
-    image: traefik:${TRAEFIK_DOCKER_TAG:-latest}
+    image: traefik:v3.6.7@sha256:a9890c898f379c1905ee5b28342f6b408dc863f08db2dab20e46c267d1ff463a
     networks:
       ocis-net:
     command:

diff --git a/deployments/examples/ocis_full/mailserver.yml b/deployments/examples/ocis_full/mailserver.yml
@@ -8,7 +8,8 @@ services:
       NOTIFICATIONS_SMTP_INSECURE: "true"
 
   mailserver:
-    image: axllent/mailpit:${MAIL_SERVER_DOCKER_TAG:-latest}
+    image: axllent/mailpit:v1.28.0@sha256:c076638db1e15662150be4fb62b8a6e96ef6ba5bde90c838a0239225854830f7
+    platform: linux/${IMAGE_ARCH:-amd64}
-    platform: linux/${IMAGE_ARCH:-amd64}
-    platform: linux/${IMAGE_ARCH:-amd64}
     networks:
       - ocis-net
     ports:

diff --git a/deployments/examples/ocis_full/minio.yml b/deployments/examples/ocis_full/minio.yml
@@ -1,7 +1,7 @@
 ---
 services:
   minio:
-    image: minio/minio:latest
+    image: minio/minio:RELEASE.2025-09-07T16-13-09Z@sha256:14cea493d9a34af32f524e538b8346cf79f3321eff8e708c1e2960462bd8936e
     # release notes: https://github.com/minio/minio/releases
     networks:
       ocis-net:

diff --git a/deployments/examples/ocis_full/ocis.yml b/deployments/examples/ocis_full/ocis.yml
@@ -6,7 +6,7 @@ services:
         aliases:
           - ${OCIS_DOMAIN:-ocis.owncloud.test}
   ocis:
-    image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
+    image: owncloud/ocis:8.0.0@sha256:41e6d78f43507015e0c34b87bff49ae0744f261a92916f044e47d32067ff18ce
     # changelog: https://github.com/owncloud/ocis/tree/master/changelog
     # release notes: https://doc.owncloud.com/ocis_release_notes.html
     networks:

diff --git a/deployments/examples/ocis_full/onlyoffice.yml b/deployments/examples/ocis_full/onlyoffice.yml
@@ -7,7 +7,7 @@ services:
           - ${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}
 
   collaboration-oo:
-    image: ${OCIS_DOCKER_IMAGE:-owncloud/ocis}:${OCIS_DOCKER_TAG:-latest}
+    image: owncloud/ocis:8.0.0@sha256:41e6d78f43507015e0c34b87bff49ae0744f261a92916f044e47d32067ff18ce
     networks:
       ocis-net:
     depends_on:
@@ -45,7 +45,7 @@ services:
 
   onlyoffice:
     # note, you also need to add a volume when using the enterprise version, see below
-    image: ${ONLYOFFICE_IMAGE:-onlyoffice/documentserver}:${ONLYOFFICE_DOCKER_TAG:-latest}
+    image: onlyoffice/documentserver:9.2.1.1@sha256:fd00acbbbde3d8b1ead9b933aafa7c2df77e62c48b1b171886e6bef343c13882
     networks:
       ocis-net:
     entrypoint:

diff --git a/deployments/examples/ocis_full/tika.yml b/deployments/examples/ocis_full/tika.yml
@@ -1,7 +1,7 @@
 ---
 services:
   tika:
-    image: ${TIKA_IMAGE:-apache/tika:latest-full}
+    image: apache/tika:3.2.3.0-full@sha256:21d8052de04e491ccf66e8680ade4da6f3d453a56d59f740b4167e54167219b7
     # release notes: https://tika.apache.org
     networks:
       ocis-net:

diff --git a/deployments/examples/ocis_full/web_extensions/drawio.yml b/deployments/examples/ocis_full/web_extensions/drawio.yml
@@ -6,7 +6,7 @@ services:
         condition: service_completed_successfully
 
   drawio-init:
-    image: owncloud/web-extensions:draw-io-0.3.3
+    image: owncloud/web-extensions:draw-io-0.3.3@sha256:57ef8c26e4e811f92e6e2ac784c42969f50ef0ac9e4384dbbf13b12f2a4c1ae4
     user: root
     volumes:
       - ocis-apps:/apps

diff --git a/deployments/examples/ocis_full/web_extensions/externalsites.yml b/deployments/examples/ocis_full/web_extensions/externalsites.yml
@@ -8,7 +8,7 @@ services:
         condition: service_completed_successfully
 
   externalsites-init:
-    image: owncloud/web-extensions:external-sites-0.3.3
+    image: owncloud/web-extensions:external-sites-0.3.3@sha256:88bbc188996ef4d42dbb530da938206e610237e117a5a76d54321437072acb42
     user: root
     volumes:
       - ocis-apps:/apps

diff --git a/deployments/examples/ocis_full/web_extensions/importer.yml b/deployments/examples/ocis_full/web_extensions/importer.yml
@@ -14,7 +14,7 @@ services:
         condition: service_completed_successfully
 
   importer-init:
-    image: owncloud/web-extensions:importer-0.3.2
+    image: owncloud/web-extensions:importer-0.3.2@sha256:a813d0678b69473d3bfe127fa1649c5cdaed89cf57619c1b55aa3245e695e003
     user: root
     volumes:
       - ocis-apps:/apps
@@ -23,7 +23,7 @@ services:
     command: [ "-c", "cp -R /var/lib/nginx/html/importer/ /apps" ]
 
   companion:
-    image: ${COMPANION_IMAGE:-transloadit/companion:5.8.0}
+    image: ${COMPANION_IMAGE:-transloadit/companion:5.8.0@sha256:65052a640897deb14fdf449fa88a121b8648f0fb06c52a1503fa4b3bb1d2564f}
     networks:
       - ocis-net
     environment:

diff --git a/deployments/examples/ocis_full/web_extensions/jsonviewer.yml b/deployments/examples/ocis_full/web_extensions/jsonviewer.yml
@@ -6,7 +6,7 @@ services:
         condition: service_completed_successfully
 
   jsonviewer-init:
-    image: owncloud/web-extensions:json-viewer-0.3.3
+    image: owncloud/web-extensions:json-viewer-0.3.3@sha256:1a609676de54153b4d7618413904b12078119a55ca3379ec75cedd1f84544cea
     user: root
     volumes:
       - ocis-apps:/apps

diff --git a/deployments/examples/ocis_full/web_extensions/progressbars.yml b/deployments/examples/ocis_full/web_extensions/progressbars.yml
@@ -6,7 +6,7 @@ services:
         condition: service_completed_successfully
 
   progressbars-init:
-    image: owncloud/web-extensions:progress-bars-0.3.3
+    image: owncloud/web-extensions:progress-bars-0.3.3@sha256:8faf230c3c601fb4d212720a0edd86073e292893b032021f951512e78e215390
     user: root
     volumes:
       - ocis-apps:/apps

diff --git a/deployments/examples/ocis_full/web_extensions/unzip.yml b/deployments/examples/ocis_full/web_extensions/unzip.yml
@@ -6,12 +6,10 @@ services:
         condition: service_completed_successfully
 
   unzip-init:
-    image: owncloud/web-extensions:unzip-0.4.3
+    image: owncloud/web-extensions:unzip-0.4.3@sha256:9fc726645749514c98c6b9b5a7e6315295897ff5c62a538a3ff383a49272160b
     user: root
     volumes:
       - ocis-apps:/apps
     entrypoint:
       - /bin/sh
     command: ["-c", "cp -R /var/lib/nginx/html/unzip/ /apps"]
-
-
diff --git a/renovate.json b/renovate.json
@@ -0,0 +1,19 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": ["config:base", "docker:pinDigests"],
+  "labels": ["dependencies", "docker", "ocis_full"],
+  "reviewers": ["owncloud/qa"],
+  "assignees": ["owncloud/qa"],
+  "timezone": "Europe/Berlin",
+  "schedule": ["every weekend"],
+  "prConcurrentLimit": 10,
+  "packageRules": [
+    {
+      "matchManagers": ["docker-compose"],
+      "matchFileNames": [
+        "^deployments/examples/ocis_full/.*\\.ya?ml$"
+      ],
+      "groupName": "ocis_full image updates (tags+digests)"
+    }
+  ]
+}