From 65f0f5f2ea110ec6756a4c5c5dd0868030aa0fd8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Thomas=20M=C3=BCller?= <1005065+DeepDiver1975@users.noreply.github.com> Date: Fri, 12 Jun 2026 10:50:04 +0200 Subject: [PATCH] docs(ospo): add community health files and Apache-2.0 license MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Apply the Kiteworks OSPO community health rollout v2 to this repository (modeled on owncloud/web#13815), adapted to the static, PR-based marketplace: - LICENSE: Apache-2.0 (adopt the OSPO migration target directly) - README.md: OSPO v2 rewrite describing the marketplace, publishing workflow, generated API, OSPO contributing policy and OSPO section - agents.md: AI-agent context file with architecture, build/test commands and OSPO policy constraints - CODE_OF_CONDUCT.md, CONTRIBUTING.md, SECURITY.md, SUPPORT.md: standard health files pointing to ownCloud channels and YesWeHack - Pin all GitHub Actions to full commit SHAs (with version comments) per OSPO policy, keeping the current major versions - Declare "license": "Apache-2.0" in tools/ and website/ package.json Co-Authored-By: Claude Opus 4.8 Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com> --- .github/workflows/deploy.yml | 10 +- .github/workflows/tools-ci.yml | 4 +- .github/workflows/validate.yml | 4 +- CODE_OF_CONDUCT.md | 8 ++ CONTRIBUTING.md | 25 ++++ LICENSE | 202 +++++++++++++++++++++++++++++++++ README.md | 145 ++++++++++++++++++++--- SECURITY.md | 11 ++ SUPPORT.md | 10 ++ agents.md | 113 ++++++++++++++++++ tools/package.json | 1 + website/package.json | 1 + 12 files changed, 510 insertions(+), 24 deletions(-) create mode 100644 CODE_OF_CONDUCT.md create mode 100644 CONTRIBUTING.md create mode 100644 LICENSE create mode 100644 SECURITY.md create mode 100644 SUPPORT.md create mode 100644 agents.md diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index e3fbc00..06e6a96 100644 
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -22,17 +22,17 @@ jobs:
 name: github-pages
 url: ${{ steps.deploy.outputs.page_url }}
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
 fetch-depth: 0
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version-file: .nvmrc
 # Derive the published origin/base path from the running repo, so URLs are
 # correct in any account or org without hardcoding a host.
 - id: pages
- uses: actions/configure-pages@v5
+ uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5.0.0
 - name: Install deps
 run: |
 (cd tools && npm ci)
@@ -46,8 +46,8 @@ jobs:
 MARKETPLACE_SITE_URL: ${{ steps.pages.outputs.origin }}
 MARKETPLACE_BASE_PATH: ${{ steps.pages.outputs.base_path }}
 run: cd website && npm run build
- - uses: actions/upload-pages-artifact@v3
+ - uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
 with:
 path: _site
 - id: deploy
- uses: actions/deploy-pages@v4
+ uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4.0.5
diff --git a/.github/workflows/tools-ci.yml b/.github/workflows/tools-ci.yml
index 6ca060a..c81cdf8 100644
--- a/.github/workflows/tools-ci.yml
+++ b/.github/workflows/tools-ci.yml
@@ -13,10 +13,10 @@ jobs:
 tools:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version-file: .nvmrc
 - name: Install
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 4612454..bbd5ccb 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
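Review bot: The new SHA pins rely entirely on the trailing `# vX.Y.Z` comment to tell a reader which release each hash is, and nothing visible in the workflow verifies that the hash belongs to that tag or prevents a later edit from dropping back to a floating `@v4`; the same applies to the setup-node, configure-pages, upload-pages-artifact and deploy-pages pins in this file and to the checkout/setup-node hunks in tools-ci.yml and validate.yml. The five hashes appear to match the tagged releases named in the comments, but that mapping should be confirmed once against the upstream tags, since a mismatched comment would hide an unintended version from every future reviewer. Keep the comment in exactly this `@<sha> # vX.Y.Z` form: Dependabot's github-actions updater rewrites the hash and that comment together, while a differently formatted comment is left stale. To make the pin a check rather than a convention, a short step in tools-ci.yml that fails on any `uses:` line still referencing a tag, e.g. `run: "! grep -rnE 'uses: [^ ]+@v[0-9]' .github/workflows"`, would catch regressions before merge.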
@@ -7,11 +7,11 @@ jobs:
 validate:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 lfs: true
 fetch-depth: 0
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
 with:
 node-version-file: .nvmrc
 - name: Install tools deps
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
new file mode 100644
index 0000000..ce144bf
--- /dev/null
+++ b/CODE_OF_CONDUCT.md
@@ -0,0 +1,8 @@
+# Code of Conduct
+
+This project follows the ownCloud Code of Conduct.
+
+Please read the full Code of Conduct at:
+****
+
+By participating in this project, you agree to abide by its terms.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
new file mode 100644
index 0000000..1fc9480
--- /dev/null
+++ b/CONTRIBUTING.md
@@ -0,0 +1,25 @@
+# Contributing
+
+Thank you for your interest in contributing to this project!
+
+Please read the full contributing guidelines at:
+****
+
+## Publishing an app
+
+This is a marketplace catalog. To publish an app, open a pull request that adds a
+single file:
+
+```
+apps//releases//package.tar.gz
+```
+
+All metadata is read from the `appinfo/info.xml` inside the tarball. See the
+[pull request template](.github/PULL_REQUEST_TEMPLATE/publish-app.md) for the
+full checklist.
+
+## Code contributions
+
+For development setup, coding standards, and the pull request process, see the
+[README](README.md). All commits must be PGP/GPG signed and carry a DCO
+`Signed-off-by` line (`git commit -s -S`).
diff --git a/LICENSE b/LICENSE
new file mode 100644
index 0000000..01b3d46
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,202 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. 
For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. 
Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of 
the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. 
Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. 
+ + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright 2026 ownCloud / Kiteworks Open Source Program Office + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + diff --git a/README.md b/README.md index 0d46aea..ebe2800 100644 --- a/README.md +++ b/README.md 
@@ -1,23 +1,138 @@ -# ownCloud Marketplace (static) +# ownCloud Marketplace + + + +[![License](https://img.shields.io/badge/License-Apache--2.0-blue.svg)](LICENSE) [![ownCloud OSPO](https://img.shields.io/badge/OSPO-ownCloud-blue)](https://kiteworks.com/opensource) A backend-free replacement for marketplace.owncloud.com. Publishers submit apps -via pull request; CI validates them; a static website + JSON API are generated -and hosted on GitHub Pages. +via pull request; CI validates each submission; a static website and a JSON API +are generated from the catalog and hosted on GitHub Pages. There is no server and +no database — the Git repository itself is the source of truth. + +## Getting Started + +This repository contains two independent npm packages: `tools/` (the TypeScript +validator and API generator) and `website/` (the Astro site). Each is installed +and built on its own. + +### Prerequisites + +- [Node.js](https://nodejs.org/) 20 (see [`.nvmrc`](.nvmrc)) +- npm +- [Git LFS](https://git-lfs.com/) (app tarballs are stored via LFS) + +### Development Setup + +```bash +git clone https://github.com/owncloud/marketplace.git +cd marketplace + +# Validator + API generator +cd tools +npm install +npm test +npm run typecheck + +# Static website +cd ../website +npm install +npm run build +``` + +### Repository Structure + +- **apps/** — the catalog and source of truth (one folder per app/release): + `apps//releases//package.tar.gz`. Metadata is read from the + `appinfo/info.xml` inside each tarball. +- **tools/** — TypeScript validator and API generator (run with `tsx`, tested + with Vitest). See [`tools/README.md`](tools/README.md). +- **website/** — Astro static site that renders the catalog. +- **.github/** — CI workflows, the publish-app pull request template, and + Dependabot configuration. 
+ +## Publishing an App + +Open a pull request that adds a single file: + +``` +apps//releases//package.tar.gz +``` -## Publishing an app -Open a PR adding a single file: -`apps//releases//package.tar.gz` All metadata is read from the `appinfo/info.xml` inside the tarball. Optionally -add a `CHANGELOG.md` next to it. See the PR template for the checklist. +add a `CHANGELOG.md` next to it. CI validates the submission; once merged to +`main`, the catalog, API and website are regenerated and deployed automatically. +See the pull request template for the full checklist. + +## Generated API -## Layout -- `apps/` — the catalog source of truth (one folder per app/release) -- `tools/` — TypeScript validator + API generator (see `tools/README.md`) -- `website/` — Astro site -- `.github/workflows/` — validate, deploy, tools-ci +Served as static JSON from GitHub Pages: -## Generated API (served from GitHub Pages) - `GET /api/v1/categories.json` -- `GET /api/v1/apps.json` (full catalog) -- `GET /api/v1/platform/{ocVersion}/apps.json` (back-compat with the `market` app) +- `GET /api/v1/apps.json` — full catalog +- `GET /api/v1/platform/{ocVersion}/apps.json` — back-compat with the `market` app - `GET /api/v1/bundles.json` + +## Documentation + +- Publishing workflow and catalog layout — this README and the + [pull request template](.github/PULL_REQUEST_TEMPLATE/publish-app.md) +- Validator and API generator internals — [`tools/README.md`](tools/README.md) + +## Community & Support + +**[Star](https://github.com/owncloud/marketplace)** this repo and **Watch** for +release notifications! + +- [ownCloud Website](https://owncloud.com) +- [Community Discussions](https://github.com/orgs/owncloud/discussions) +- [Matrix Chat](https://app.element.io/#/room/#owncloud:matrix.org) +- [Documentation](https://doc.owncloud.com) +- [Enterprise Support](https://owncloud.com/contact-us/) +- [OSPO Home](https://kiteworks.com/opensource) + +## Contributing + +We welcome contributions! 
Please read the [Contributing Guidelines](CONTRIBUTING.md) +and our [Code of Conduct](CODE_OF_CONDUCT.md) before getting started. + +### Workflow + +- **Rebase Early, Rebase Often!** We use a rebase workflow. Always rebase on the + target branch before submitting a PR. +- **Dependabot**: Automated dependency updates are managed via Dependabot. Review + and merge dependency PRs promptly. +- **Signed Commits**: All commits **must** be PGP/GPG signed. See + [GitHub's signing guide](https://docs.github.com/en/authentication/managing-commit-signature-verification). +- **DCO Sign-off**: Every commit must carry a `Signed-off-by` line: + ``` + git commit -s -S -m "your commit message" + ``` +- **GitHub Actions Policy**: Workflows may only use actions that are (a) owned by + `owncloud`, (b) created by GitHub (`actions/*`), or (c) verified in the GitHub + Marketplace. All actions are pinned to a full commit SHA. + +## Security + +**Do not open a public GitHub issue for security vulnerabilities.** + +Report vulnerabilities at **** — see [SECURITY.md](SECURITY.md). + +Bug bounty: [YesWeHack ownCloud Program](https://yeswehack.com/programs/owncloud-bug-bounty-program) + +## License + +This project is licensed under the [Apache License 2.0](LICENSE). + +## About the ownCloud OSPO + +The [Kiteworks Open Source Program Office](https://kiteworks.com/opensource), operating under +the [ownCloud](https://owncloud.com) brand, launched on May 5, 2026, to steward the open source +ecosystem around ownCloud's products. The OSPO ensures transparent governance, license compliance, +community health, and sustainable collaboration between the open source community and +[Kiteworks](https://www.kiteworks.com), which acquired ownCloud in 2023. + +- **OSPO Home**: +- **GitHub**: +- **ownCloud**: + +For questions about the OSPO or licensing, contact ospo@kiteworks.com. diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..78094ae --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,11 @@ +# Security Policy + +## Reporting a Vulnerability + +**Do NOT open a public GitHub issue for security vulnerabilities.** + +Please report security issues responsibly via: +**** + +You can also report vulnerabilities through our YesWeHack bug bounty program: +**** diff --git a/SUPPORT.md b/SUPPORT.md new file mode 100644 index 0000000..d87c0ca --- /dev/null +++ b/SUPPORT.md @@ -0,0 +1,10 @@ +# Support + +For support with this project, please use the following channels: + +- **Enterprise Support**: +- **Community discussions**: https://github.com/orgs/owncloud/discussions +- **Matrix Chat**: +- **Documentation**: + +Please do not use GitHub issues for general support questions. diff --git a/agents.md b/agents.md new file mode 100644 index 0000000..5f750c9 --- /dev/null +++ b/agents.md 
@@ -0,0 +1,113 @@ +# agents.md — marketplace + +## Repository Overview + +A backend-free replacement for marketplace.owncloud.com. Publishers submit +ownCloud apps via pull request; CI validates each submission against the catalog +rules; a static website and a JSON API are generated and deployed to GitHub +Pages. There is no runtime server and no database — the Git repository is the +source of truth. + +- **Classification:** Tooling / infrastructure +- **Activity Status:** Active +- **License:** Apache-2.0 +- **Language:** TypeScript (tools), Astro (website) + +## Architecture & Key Paths + +- `apps/` — catalog source of truth. One folder per app and release: + `apps//releases//package.tar.gz`. Metadata lives in the + `appinfo/info.xml` inside each tarball; an optional `CHANGELOG.md` may sit + alongside it. Tarballs are stored via Git LFS. +- `tools/` — TypeScript validator + API generator (run with `tsx`, tested with + Vitest): + - `tools/src/info-xml.ts` — parse and validate `appinfo/info.xml` + - `tools/src/package-reader.ts` — extract `info.xml` from a `.tar.gz` + - `tools/src/scan.ts` — walk `apps//releases//` + - `tools/src/validate.ts` — per-release and cross-release validation rules + - `tools/src/generate.ts` — build the catalog and write `api/v1/**` + - `tools/src/categories.ts` — category list + - `tools/src/cli/` — entrypoints: `validate.ts`, `generate-api.ts`, + `check-changeset.ts` +- `website/` — Astro static site rendering the catalog. +- `.github/workflows/` — `validate.yml` (PR validation of `apps/**`), + `tools-ci.yml` (lint/test/build for `tools/**` and `website/**`), + `deploy.yml` (regenerate API + build site + deploy to Pages on push to `main`). +- `.github/PULL_REQUEST_TEMPLATE/publish-app.md` — submission checklist. +- `.github/dependabot.yml` — github-actions + npm (`/tools`, `/website`), weekly. +- `.nvmrc` — Node version (20). 
+ +## Development Conventions + +- Two independent npm packages (`tools/`, `website/`), each with its own + `package-lock.json`. Not a workspace/monorepo — install in each separately. +- ESLint + Prettier for the tools package. +- Vitest for unit tests (tools); the website is validated via a build smoke test. +- App releases are **immutable**: once a `package.tar.gz` is merged it must not + change. `check-changeset.ts` enforces this over changed paths in a PR. + +## Build & Test Commands + +```bash +# tools/ (validator + API generator) +cd tools +npm ci # install (clean) +npm test # Vitest unit tests +npm run typecheck # tsc --noEmit +npm run lint # ESLint +npm run format:check # Prettier --check +npx tsx src/cli/validate.ts ../apps # validate all releases +npx tsx src/cli/generate-api.ts --apps ../apps --out ../_site # generate API + +# website/ (Astro) +cd website +npm ci +npm run dev # local dev server +npm run build # production build +npm run typecheck # astro check +``` + +## Important Constraints + +- **Static only:** no backend or database. All output is static JSON + HTML + served from GitHub Pages. Do not introduce server-side runtime dependencies. +- **Immutable releases:** never modify or delete an already-published + `package.tar.gz`. Publish a new version instead. +- **Metadata source:** app metadata comes exclusively from `appinfo/info.xml` + inside the tarball — not from files in the PR outside the tarball. +- **Git LFS:** tarballs are LFS-tracked; CI checks out with `lfs: true`. + +## OSPO Policy Constraints + +### GitHub Actions +- **Only** use actions owned by `owncloud`, created by GitHub (`actions/*`), + verified on the GitHub Marketplace, or verified by the ownCloud Maintainers. +- Pin all actions to their full commit SHA (not tags): `uses: actions/checkout@ # vX.Y.Z` +- Never introduce actions from unverified third parties. + +### Dependency Management +- Dependabot is configured for automated dependency updates. 
+- Review and merge Dependabot PRs as part of regular maintenance. +- Do not introduce new dependencies without discussion in an issue first. + +### Git Workflow +- **Rebase policy**: Always rebase; never create merge commits. Use + `git pull --rebase` and `git rebase` before pushing. +- **Signed commits**: All commits **must** be PGP/GPG signed (`git commit -S -s`). +- **DCO sign-off**: Every commit needs a `Signed-off-by` line (`git commit -s`). +- **Conventional Commits & Squash Merge**: Use the + [Conventional Commits](https://www.conventionalcommits.org/) format where the + repository enforces it. Many repos use squash merge, where the PR title becomes + the commit message on the default branch — apply Conventional Commits format to + PR titles as well. + +## Context for AI Agents + +- The data flow is: PR adds `package.tar.gz` → `scan.ts` discovers it → + `package-reader.ts` extracts `info.xml` → `info-xml.ts` parses/validates → + `validate.ts` applies catalog rules → `generate.ts` writes `api/v1/**` → + Astro builds the site → deployed to GitHub Pages. +- There is no application runtime; everything is build-time generation. +- App releases are immutable and LFS-tracked. Treat the `apps/` tree as + append-only. +- Keep `tools/` and `website/` independent — they do not share a lockfile. diff --git a/tools/package.json b/tools/package.json index 690b6c1..c29c272 100644 --- a/tools/package.json +++ b/tools/package.json @@ -2,6 +2,7 @@ "name": "@owncloud/marketplace-tools", "version": "0.0.0", "private": true, + "license": "Apache-2.0", "type": "module", "scripts": { "validate": "tsx src/cli/validate.ts", diff --git a/website/package.json b/website/package.json index 0e17196..985b444 100644 --- a/website/package.json +++ b/website/package.json @@ -2,6 +2,7 @@ "name": "@owncloud/marketplace-website", "version": "0.0.0", "private": true, + "license": "Apache-2.0", "type": "module", "scripts": { "dev": "astro dev",