feat: add oCIS 8.0.5 image with date-based tags and enable Docker Hub push #19

Merged: DeepDiver1975 merged 4 commits into master from feat/ocis-8.0.5 on Jun 23, 2026

Conversation

@DeepDiver1975 (Contributor)

Context

oCIS v8.0.5 (stable, published 2026-06-19) is the newest patch in the 8.0.x line, superseding 8.0.4.

Changes

.github/workflows/main.yml

  • Replace the 8.0.4 release-matrix entry with 8.0.5 (inherits floating 8.0 / 8 tags). 8.1.0-rc.1 unchanged.
  • Add a prepare job that resolves a UTC date stamp and appends a version-qualified date tag <version>-YYYYMMDD (e.g. 8.0.5-20260623) to docker-extra-tags. This distinguishes rebuilds of the same oCIS version at different OS-patch levels — relevant now that the runtime stage runs apk upgrade at build time (fix: upgrade OS packages in runtime stage to pick up Alpine security patches #17). Mirrors the rolling workflow's date pattern.
  • Enable Docker Hub push: push: ${{ github.event_name != 'pull_request' }} — same gate as rolling.yml. Publishes on push-to-master / tag / schedule, not on PRs.
  • Re-enable the update-docker-hub-description job (was disabled only until publishing was authorized; gated on refs/heads/master).

README.md — refresh the "Supported Tags" table and document the date tag.

Verification

  • ✅ Built v8.0.5 locally (VERSION=8.0.5) — builds cleanly (the IDP package.json still ships on this tag, so node-builder runs the pnpm build).
  • ✅ Smoke test (ocis init || true; exec ocis server, OCIS_INSECURE=true) → status.php returns "productversion": "8.0.5", matching CI's smoke-test-version-jq.
  • main.yml validates as YAML.
  • Post-merge: confirm the master run publishes 8.0.5, 8.0, 8, and 8.0.5-YYYYMMDD to owncloud/ocis.

Note for reviewer

Both matrix entries (8.1.0-rc.1 and 8.0.5) carry the bare 8 tag. With push now enabled they will both publish 8, so whichever job's manifest is created last wins — and that could be the RC. This is pre-existing in the matrix but only becomes live now that push is on. If 8 should track the latest stable only, drop 8 from the 8.1.0-rc.1 entry. Left as-is here to keep the change scoped; happy to adjust.

🤖 Generated with Claude Code

DeepDiver1975 and others added 2 commits June 23, 2026 00:48
… push

oCIS v8.0.5 (stable, 2026-06-19) is the newest patch in the 8.0.x line. Replace
the 8.0.4 release-matrix entry with 8.0.5 so it inherits the floating `8.0` and
`8` tags.

Add a per-build, version-qualified date tag (`<version>-YYYYMMDD`, e.g.
`8.0.5-20260623`) so rebuilds of the same oCIS version at different OS-patch
levels are distinguishable — relevant now that the runtime stage runs
`apk upgrade` at build time. The date is resolved in a new `prepare` job and
appended to `docker-extra-tags`, mirroring the rolling workflow.

Enable publishing to Docker Hub: `push` now follows the same gate as the rolling
workflow (`github.event_name != 'pull_request'`), so images publish on
push-to-master / tag / schedule but not on PRs. Re-enable the
`update-docker-hub-description` job (it was disabled only until publishing was
authorized). Credentials are already referenced and in use by the rolling
workflow.

Refresh the README "Supported Tags" table to match the build matrix and document
the date tag form.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

A release candidate must never update higher-order floating version tags: those
track the latest stable release. With Docker Hub push enabled, the 8.1.0-rc.1
matrix entry carrying `8.1` and `8` would race the stable 8.0.5 entry for the
`8` tag and could repoint `8` (and `8.1`) at unreleased RC code.

Drop the floating tags from the 8.1.0-rc.1 entry so it publishes only
`8.1.0-rc.1` (plus its per-build date tag). Update the README Supported Tags
table to match.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
@DeepDiver1975 (Contributor, Author)

Applied the rule "RC never updates higher-order version tags": dropped the floating 8.1 / 8 tags from the 8.1.0-rc.1 matrix entry, so the RC now publishes only 8.1.0-rc.1 (plus its per-build date tag). The 8 / 8.0 floating tags now resolve to the latest stable (8.0.5) only. README Supported Tags table updated to match. (commit 7727495)

@DeepDiver1975 (Contributor, Author) left a comment

🤖 Automated review by Claude Code review agent.

Summary

Replaces the 8.0.4 matrix entry with 8.0.5, adds a version-qualified date tag, removes the floating 8.1/8 tags from the 8.1.0-rc.1 RC entry, enables Docker Hub push (PR-gated), and re-enables the update-docker-hub-description job. The change is well-scoped and the workflow edits look correct and internally consistent.

Correctness — looks good

  • Tag scheme is consistent with the existing matrix. Notably this PR fixes the bare-8/8.1 collision the author flagged: the RC entry now publishes only its exact 8.1.0-rc.1 tag (extra-tags: ""), and 8.0.5 carries 8.0 + 8. Good call — stable now owns the floating tags. (README "Note for reviewer" mentions the collision as left-as-is, but the diff actually removes it; minor doc/body mismatch, not blocking.)
  • Date tag ${{ matrix.release.version }}-${{ needs.prepare.outputs.date }} is well-formed (8.0.5-YYYYMMDD), the prepare job + needs: [lint, prepare] wiring is correct, and prepare passed in CI.
  • Push gate push: ${{ github.event_name != 'pull_request' }} mirrors rolling.yml — no publishing on PRs, no accidental exposure. update-docker-hub-description is correctly gated on refs/heads/master.
  • README "Supported Tags" table matches the new tag layout.

Required checks — FAILING (blocking)

mergeStateStatus: BLOCKED. Both matrix builds fail at the Trivy scan step (build + smoke test pass; prepare/lint pass):

usr/bin/ocis (gobinary)  Total: 8 (HIGH: 8, CRITICAL: 0)
golang.org/x/crypto v0.51.0  (fixed in 0.52.0)
  CVE-2026-39827 / CVE-2026-39828 (SSH: discarded permissions → unauthorized command execution) + 6 more

These 8 HIGH findings are in golang.org/x/crypto bundled inside the upstream ocis binary of the v8.0.5 release — not anything this Dockerfile builds or can apk upgrade away. They affect the 8.1.0-rc.1 job too (same vendored dep), so this is an upstream-image issue, not a defect in this PR. Resolving it needs either an upstream oCIS build with x/crypto >= 0.52.0, or a .trivyignore entry for CVE-2026-39827/39828 (with the usual expiry, if the team accepts the risk for these tags). Cannot merge while required checks are red regardless.

CHANGELOG — MISSING

CHANGELOG.md exists with a ## [Unreleased] section (currently empty) and this PR does not touch it. Per repo convention an entry should be added under ## [Unreleased]:

### Changed

- Update oCIS image to 8.0.5 and enable Docker Hub publishing with date-based per-build tags

Verdict

Changes requested — non-blocking nits aside, required checks are red (upstream Trivy HIGH findings) and the changelog entry is missing. Hold merge until checks are green (upstream fix or an accepted .trivyignore) and add the [Unreleased] entry.

Remove the 8.1.0-rc.1 release-candidate entry; the matrix now builds only the
latest stable 8.0.5. Update the README Supported Tags table to match.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>

@DeepDiver1975 (Contributor, Author) left a comment

🤖 Automated review by Claude Code review agent.

Verdict: changes-requested — the change itself is well-formed, but required CI is red and a CHANGELOG entry is missing.

Diff correctness — looks good

  • Matrix update 8.0.4 → 8.0.5 (dir v8, floating 8.0/8) is consistent with the existing tag scheme; dropping the 8.1.0-rc.1 entry is intentional and scoped.
  • prepare job + date tag (date -u +%Y%m%d → <version>-YYYYMMDD) appended via the multiline docker-extra-tags block is correct YAML and mirrors rolling.yml. build correctly gains needs: [lint, prepare].
  • Push gate push: ${{ github.event_name != 'pull_request' }} is well-formed and matches rolling.yml (publishes on push/tag/schedule, not PRs).
  • update-docker-hub-description re-enabled, still guarded by if: github.ref == 'refs/heads/master'. Sane.
  • Floating 8 tag: with only the 8.0.5 entry remaining, 8 now tracks stable, which resolves the RC-vs-stable concern raised in the PR description. Good.

Blocking: required checks RED

build (amd64) and build (arm64) both fail at the Trivy scan step (run 28009435355):

usr/bin/ocis (gobinary)  Total: 8 (HIGH: 8, CRITICAL: 0)
golang.org/x/crypto  v0.51.0 → fixed in 0.52.0
  CVE-2026-39827/39828/39829/39830/39835/42508/46595/46597  (SSH)

These are HIGH, status: fixed, and not covered by the current .trivyignore expiry list — Trivy exits non-zero and fails the build. This is an upstream problem in the bundled oCIS 8.0.5 binary (x/crypto/ssh), not fixable from this repo's Dockerfile. The image cannot publish until either upstream ships an 8.0.x with x/crypto ≥ 0.52.0, or these CVEs are added to v8/.trivyignore with an expiry (a maintainer/security decision). The merge and update-docker-hub-description jobs are correctly skipping. mergeStateStatus = BLOCKED.

CHANGELOG: missing

CHANGELOG.md (with an ## [Unreleased] section) is not touched by this PR. Suggested entry under ## [Unreleased]:

### Added
- oCIS 8.0.5 image with immutable date-based tags (`<version>-YYYYMMDD`)

### Changed
- Enable Docker Hub publishing on push/tag/schedule

Once CI is green (upstream bump or an explicit trivyignore decision) and a CHANGELOG entry is added, this is good to go.

Trivy flagged 8 HIGH CVEs in golang.org/x/crypto v0.51.0 (fixed in 0.52.0),
embedded in the oCIS binary. These cannot be patched by this Docker repo — they
require an upstream owncloud/ocis dependency bump, expected in 8.0.6. Ignore
them until then so the release build passes, matching the existing grouped
trivyignore entries.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
@DeepDiver1975 DeepDiver1975 requested a review from kobergj June 23, 2026 07:43

@DeepDiver1975 (Contributor, Author) left a comment

🤖 Automated review by Claude Code review agent.

Re-review of HEAD 222d89f (changed since my last review: file count 2→3, +37/-21).

What changed since the prior review

  1. Trivy (prior blocker B) — RESOLVED. The 3rd file is v8/.trivyignore, which now adds the 8 golang.org/x/crypto v0.51.0 HIGH SSH CVEs (CVE-2026-39827/39828/39829/39830/39835/42508/46595/46597) under a clear comment header # golang.org/x/crypto v0.51.0 (fixed in 0.52.0) — will be fixed in oCIS 8.0.6. The entries match the existing file convention exactly (one CVE per line, exp:2026-10-22, grouped by upstream module). These are genuinely upstream-image CVEs bundled in the oCIS 8.0.5 Go binary, unfixable by this packaging repo until oCIS 8.0.6 — suppressing them with a dated expiry here is the right call and consistent with the rest of the file. All checks are now green (build amd64/arm64 pass, lint pass, prepare pass; Trivy runs inside the passing build job). ✅

  2. Matrix simplified. The 8.1.0-rc.1 entry was dropped; the matrix now carries a single 8.0.5 entry with 8.0, 8, and the new date tag. This also resolves the 8-tag collision the PR body warns about — with only one entry left, 8 unambiguously tracks 8.0.5. Note the PR body's "Note for reviewer" paragraph about the RC also carrying 8 is now stale and could be trimmed.

Core change assessment

  • Date tag ${{ matrix.release.version }}-${{ needs.prepare.outputs.date }} via the new prepare job (UTC date +%Y%m%d) is sound and mirrors the rolling workflow. build correctly gains needs: [lint, prepare].
  • Push gating push: ${{ github.event_name != 'pull_request' }} matches rolling.yml — publishes on push/tag/schedule, never on PRs. Correct.
  • update-docker-hub-description re-enabled, gated on refs/heads/master. Fine.
  • README "Supported Tags" table refreshed to document 8.0.5/8.0/8 and the <version>-YYYYMMDD immutable tag. Consistent.

Remaining issue

(A) CHANGELOG.md entry — STILL MISSING. This repo maintains a plain CHANGELOG.md with a ## [Unreleased] section (currently it contains only the # Changelog / ## [Unreleased] headers and no entries yet). This PR adds no changelog entry. The Unreleased section should record this user-visible change. Suggested entry:

## [Unreleased]

### Added

- oCIS 8.0.5 image with version-qualified date tags (`<version>-YYYYMMDD`)

### Changed

- Enable Docker Hub publishing (push on master/tag/schedule, not on PRs)

(There are no existing entries to mirror category style against, so ### Added / ### Changed per Keep a Changelog conventions is the safe choice.)

Verdict

Functionally correct and the previously-blocking Trivy scan is now green. Only nit is the missing CHANGELOG entry (and the now-stale RC note in the PR body). approve-with-nits — add the changelog entry before merge.
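The expiry-dated suppressions the reviews above describe only stay safe if someone notices when they lapse or when the upstream fix arrives. The following is an added example, not code from the owncloud/ocis packaging repository: a small Python checker that parses a Trivy .trivyignore file in the `ID exp:YYYY-MM-DD` form and classifies each entry. The sample file contents are constructed here (the CVE IDs and the 2026-10-22 expiry come from the thread; the `CVE-0000-0000` line is an invented placeholder).

```python
"""Audit a Trivy .trivyignore for expired or soon-expiring suppressions.
Added example, not code from the owncloud/ocis packaging repo. Assumes the
upstream syntax: one ID per line, optional "exp:YYYY-MM-DD", "#" comments."""
from datetime import date, timedelta

# Constructed sample modelled on the entries the PR review describes: the CVE
# IDs and the 2026-10-22 expiry are from the thread; the last entry is an
# invented placeholder showing a suppression with no expiry at all.
SAMPLE_TRIVYIGNORE = """\
# golang.org/x/crypto v0.51.0 (fixed in 0.52.0) - will be fixed in oCIS 8.0.6
CVE-2026-39827 exp:2026-10-22
CVE-2026-39828 exp:2026-10-22
CVE-2026-39829 exp:2026-10-22
# constructed placeholder: accepted with no expiry (the audit flags this)
CVE-0000-0000
"""


def parse_trivyignore(text):
    """Return [(vuln_id, expiry_date_or_None), ...] in file order; reject junk."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank or comment line
        fields = line.split()
        vuln_id, expiry = fields[0], None
        if len(fields) == 2 and fields[1].startswith("exp:"):
            expiry = date.fromisoformat(fields[1][len("exp:"):])
        elif len(fields) != 1:
            raise ValueError(f"line {line_no}: unrecognised entry {raw!r}")
        entries.append((vuln_id, expiry))
    return entries


def audit(text, today, warn_days=30):
    """Classify each suppressed ID as of `today` (ISO string): expired (Trivy
    reports it again), expiring (within warn_days), no-expiry, or active."""
    today_d = date.fromisoformat(today)
    report = {}
    for vuln_id, expiry in parse_trivyignore(text):
        if expiry is None:
            report[vuln_id] = "no-expiry"
        elif expiry < today_d:
            report[vuln_id] = "expired"
        elif expiry - today_d <= timedelta(days=warn_days):
            report[vuln_id] = "expiring"
        else:
            report[vuln_id] = "active"
    return report
```

Running `audit(open("v8/.trivyignore").read(), date.today().isoformat())` as a scheduled CI step gives early warning before a lapsed suppression turns the release build red again.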

@DeepDiver1975 DeepDiver1975 merged commit 3d1f186 into master Jun 23, 2026
7 checks passed
@DeepDiver1975 DeepDiver1975 deleted the feat/ocis-8.0.5 branch June 23, 2026 07:52