From bcbb27f9ae8951caef80c88e2e2bdad8c5bc2a8e Mon Sep 17 00:00:00 2001 From: Julian Schacher Date: Sat, 10 Aug 2024 20:40:03 +0200 Subject: [PATCH 01/31] testing --- .woodpecker/penpot.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.woodpecker/penpot.yaml b/.woodpecker/penpot.yaml index 4ff29eb..6bb8e0a 100644 --- a/.woodpecker/penpot.yaml +++ b/.woodpecker/penpot.yaml @@ -44,6 +44,7 @@ steps: # https://github.com/penpot/penpot/pull/4945 # https://github.com/penpot/penpot/pull/4945/commits/752574bac789cc90cc218004bb9545cc6239895d - curl https://github.com/penpot/penpot/commit/752574bac789cc90cc218004bb9545cc6239895d.patch > 0001-move-entire-image-build-process-into-Dockerfiles.patch + - curl https://github.com/june128/penpot/commit/4d5c787478ddc612aec4d25b2f059d63a226a6d1.patch > 0002-testing.patch - git config user.name "Woodpecker" - git config user.email "woodpecker@woodpecker.invalid" - git am *.patch From 98175014f99bf722405b0dcf64084b6b7ebb37cc Mon Sep 17 00:00:00 2001 From: Julian Schacher Date: Sat, 10 Aug 2024 20:40:03 +0200 Subject: [PATCH 02/31] penpot: add patch disallow. reg. with invite, if pass. login is disabled --- .woodpecker/penpot.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.woodpecker/penpot.yaml b/.woodpecker/penpot.yaml index 4ff29eb..9e79d1b 100644 --- a/.woodpecker/penpot.yaml +++ b/.woodpecker/penpot.yaml 
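Review bot: The added `curl https://github.com/june128/penpot/commit/4d5c787478ddc612aec4d25b2f059d63a226a6d1.patch > 0002-testing.patch` pulls code from a personal fork into the image build with no integrity check, and without `-f` an HTTP error body is written to the file instead of failing the step. The commit id in the URL selects the commit, but nothing verifies the bytes that `git am *.patch` then applies. I would commit the patch files to this repository (for example under `penpot/patches/`) and apply them from there, or at least use `curl -fsSL` followed by `sha256sum -c` against a checksum kept in the repo. The same pattern is in the existing 0001 download, in patch 02/31, and again in the Forgejo workflow of patch 24/31. The step begins outside the hunk.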
@@ -44,6 +44,10 @@ steps: # https://github.com/penpot/penpot/pull/4945 # https://github.com/penpot/penpot/pull/4945/commits/752574bac789cc90cc218004bb9545cc6239895d - curl https://github.com/penpot/penpot/commit/752574bac789cc90cc218004bb9545cc6239895d.patch > 0001-move-entire-image-build-process-into-Dockerfiles.patch + # Get patch disallowing registration with invitation token, when disable-login-with-password flag is set. + # https://github.com/penpot/penpot/issues/4975 + # https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0 + - curl https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0.patch > 0002-hotfix-dont-allow-registration-with-invite-if-password-login-is-disabled.patch - git config user.name "Woodpecker" - git config user.email "woodpecker@woodpecker.invalid" - git am *.patch From 8dbb9c64b3b25769ae86c0e93d7f482f82c0ed6f Mon Sep 17 00:00:00 2001 From: c6ristian Date: Fri, 4 Oct 2024 16:19:02 +0200 Subject: [PATCH 03/31] Build Keycloak image with version 26 --- .woodpecker/keycloak.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.woodpecker/keycloak.yaml b/.woodpecker/keycloak.yaml index 06eed66..b507779 100644 --- a/.woodpecker/keycloak.yaml +++ b/.woodpecker/keycloak.yaml @@ -20,6 +20,7 @@ workspace: matrix: KEYCLOAK_VERSION: - 25.0 + - 26.0 IMAGE_NAME: - git.hamburg.ccc.de/ccchh/oci-images/keycloak @@ -64,7 +65,7 @@ steps: image: alpine when: - branch: main - evaluate: 'KEYCLOAK_VERSION == "25.0"' + evaluate: 'KEYCLOAK_VERSION == "26.0"' secrets: - GIT_API_TOKEN commands: From 6023af9f0ffe06ddd23b19b9e3982ab316c5256c Mon Sep 17 00:00:00 2001 From: c6ristian Date: Thu, 31 Oct 2024 23:22:48 +0100 Subject: [PATCH 04/31] nextcloud: Remove version 28 add version 30 --- .woodpecker/nextcloud.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.woodpecker/nextcloud.yaml b/.woodpecker/nextcloud.yaml index feea22e..5aa788f 100644 
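Review bot: In the tag-latest step of .woodpecker/keycloak.yaml, `evaluate: 'KEYCLOAK_VERSION == "26.0"'` repeats a matrix value by hand, so `latest` silently stops moving once that entry leaves the matrix. Patch 10/31 of this series drops `26.0` from the matrix while the condition is still in place (it is only removed in 17/31), so anyone pulling `latest` in between gets an image that is no longer rebuilt. I would add a comment above the condition, `# Must name the newest entry of matrix.KEYCLOAK_VERSION; update together with the matrix.`, and quote the matrix entries (`- "26.0"`) so a generic YAML parser cannot read them as floats. The step's commands continue outside the hunk.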
--- a/.woodpecker/nextcloud.yaml +++ b/.woodpecker/nextcloud.yaml @@ -19,8 +19,8 @@ workspace: # Also because global environment variables aren't a thing. matrix: NEXTCLOUD_VERSION: - - 28 - 29 + - 30 IMAGE_NAME: - git.hamburg.ccc.de/ccchh/oci-images/nextcloud From 8eb83415d9c8420d804050a7310126f223c60456 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sun, 26 Jan 2025 03:17:11 +0100 Subject: [PATCH 05/31] keycloak: drop version 25.0 and add 26.1 --- .woodpecker/keycloak.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.woodpecker/keycloak.yaml b/.woodpecker/keycloak.yaml index b507779..0057312 100644 --- a/.woodpecker/keycloak.yaml +++ b/.woodpecker/keycloak.yaml @@ -19,8 +19,8 @@ workspace: # Also because global environment variables aren't a thing. matrix: KEYCLOAK_VERSION: - - 25.0 - 26.0 + - 26.1 IMAGE_NAME: - git.hamburg.ccc.de/ccchh/oci-images/keycloak From d0b7c324749e71d3bf376e74dde0800de95ac282 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Tue, 20 May 2025 20:11:59 +0200 Subject: [PATCH 06/31] updates ci files --- .woodpecker/keycloak.yaml | 16 ++++++++++------ .woodpecker/nextcloud.yaml | 18 +++++++++++------- 2 files changed, 21 insertions(+), 13 deletions(-) diff --git a/.woodpecker/keycloak.yaml b/.woodpecker/keycloak.yaml index 0057312..dc64f11 100644 --- a/.woodpecker/keycloak.yaml +++ b/.woodpecker/keycloak.yaml @@ -21,6 +21,7 @@ matrix: KEYCLOAK_VERSION: - 26.0 - 26.1 + - 26.2 IMAGE_NAME: - git.hamburg.ccc.de/ccchh/oci-images/keycloak @@ -43,8 +44,9 @@ steps: - name: publish-image image: alpine - secrets: - - GIT_API_TOKEN + environment: + GIT_API_TOKEN: + from_secret: GIT_API_TOKEN commands: - apk -u add crane - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN @@ -54,8 +56,9 @@ steps: image: alpine when: - branch: main - secrets: - - GIT_API_TOKEN + environment: + GIT_API_TOKEN: + from_secret: GIT_API_TOKEN commands: - apk -u add crane - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN 
@@ -66,8 +69,9 @@ steps: when: - branch: main evaluate: 'KEYCLOAK_VERSION == "26.0"' - secrets: - - GIT_API_TOKEN + environment: + GIT_API_TOKEN: + from_secret: GIT_API_TOKEN commands: - apk -u add crane - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN diff --git a/.woodpecker/nextcloud.yaml b/.woodpecker/nextcloud.yaml index 5aa788f..a9b3fa2 100644 --- a/.woodpecker/nextcloud.yaml +++ b/.woodpecker/nextcloud.yaml @@ -21,6 +21,7 @@ matrix: NEXTCLOUD_VERSION: - 29 - 30 + - 31 IMAGE_NAME: - git.hamburg.ccc.de/ccchh/oci-images/nextcloud @@ -43,8 +44,9 @@ steps: - name: publish-image image: docker.io/library/alpine - secrets: - - GIT_API_TOKEN + environment: + GIT_API_TOKEN: + from_secret: GIT_API_TOKEN commands: - apk -u add crane - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN @@ -54,8 +56,9 @@ steps: image: docker.io/library/alpine when: - branch: main - secrets: - - GIT_API_TOKEN + environment: + GIT_API_TOKEN: + from_secret: GIT_API_TOKEN commands: - apk -u add crane - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN @@ -65,9 +68,10 @@ steps: image: docker.io/library/alpine when: - branch: main - evaluate: 'NEXTCLOUD_VERSION == "28"' - secrets: - - GIT_API_TOKEN + evaluate: 'NEXTCLOUD_VERSION == "29"' + environment: + GIT_API_TOKEN: + from_secret: GIT_API_TOKEN commands: - apk -u add crane - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN From f4bfd374f92bbe817f672d4454cf3d9e78f5a2bb Mon Sep 17 00:00:00 2001 From: c6ristian Date: Mon, 2 Jun 2025 19:24:35 +0200 Subject: [PATCH 07/31] alertmanager-ntfy --- .woodpecker/alertmanager-ntfy.yaml | 73 ++++++++++++++++++++++++++++++ alertmanager-ntfy/Containerfile | 14 ++++++ 2 files changed, 87 insertions(+) create mode 100644 .woodpecker/alertmanager-ntfy.yaml create mode 100644 alertmanager-ntfy/Containerfile diff --git a/.woodpecker/alertmanager-ntfy.yaml b/.woodpecker/alertmanager-ntfy.yaml new file mode 100644 index 0000000..d92a169 
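Review bot: The `GIT_API_TOKEN` that these hunks now inject through `environment` / `from_secret` is still handed to crane as a command-line argument in the context line `crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN`, where it is exposed in the container's process list and in any traced command output. crane can read the password from stdin, so the login line can become `- echo "$GIT_API_TOKEN" | crane auth login git.hamburg.ccc.de -u woodpecker --password-stdin`. This applies to every publish-image, tag-version and tag-latest step touched here in keycloak.yaml and nextcloud.yaml, and to penpot.yaml in patch 09/31. The steps' remaining commands lie outside the hunks.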
--- /dev/null +++ b/.woodpecker/alertmanager-ntfy.yaml 
@@ -0,0 +1,73 @@ +when: + - event: push + path: + - 'alertmanager-ntfy/**' + - '.woodpecker/alertmanager-ntfy.yaml' + - event: cron + cron: daily + +# Manually set a workspace path, so we can use it literally, without using +# ${CI_WORKSPACE}, when running kaniko, since using ${CI_WORKSPACE} doesn't work. +# https://github.com/woodpecker-ci/woodpecker/issues/3982 +workspace: + path: src + +matrix: + ALERTMANAGER-NTFY_VERSION: + - 76d5f772f70d6915c89da00414c20009b03cc361 + IMAGE_NAME: + - git.hamburg.ccc.de/ccchh/oci-images/alertmanager-ntfy + +steps: + - name: setup + image: alpine + commands: + - apk -u add git + - mkdir /woodpecker/images + - git clone --revision=${ALERTMANAGER-NTFY_VERSION} https://github.com/alexbakker/alertmanager-ntfy.git + - ls + +# - name: build-image +# image: gcr.io/kaniko-project/executor +# entrypoint: +# - /kaniko/executor +# - --context=dir:///woodpecker/src/alertmanager-ntfy +# - --dockerfile=./Containerfile +# - --destination=${IMAGE_NAME}:${ALERTMANAGER-NTFY_VERSION} +# - --no-push +# - --tar-path=/woodpecker/images/alertmanager-ntfy.tar +# +# - name: publish-image +# image: alpine +# environment: +# GIT_API_TOKEN: +# from_secret: GIT_API_TOKEN +# commands: +# - apk -u add crane +# - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN +# - crane push /woodpecker/images/keycloak.tar $IMAGE_NAME:$ALERTMANAGER-NTFY_VERSION-$CI_COMMIT_BRANCH +# +# - name: tag-version +# image: alpine +# when: +# - branch: main +# environment: +# GIT_API_TOKEN: +# from_secret: GIT_API_TOKEN +# commands: +# - apk -u add crane +# - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN +# - crane tag $IMAGE_NAME:$ALERTMANAGER-NTFY_VERSION-$CI_COMMIT_BRANCH $ALERTMANAGER-NTFY_VERSION +# +# - name: tag-latest +# image: alpine +# when: +# - branch: main +# evaluate: 'KEYCLOAK_VERSION == "26.0"' +# environment: +# GIT_API_TOKEN: +# from_secret: GIT_API_TOKEN +# commands: +# - apk -u add crane +# - crane auth login 
git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN +# - crane tag $IMAGE_NAME:$ALERTMANAGER-NTFY_VERSION-$CI_COMMIT_BRANCH latest diff --git a/alertmanager-ntfy/Containerfile b/alertmanager-ntfy/Containerfile new file mode 100644 index 0000000..8f45f75 --- /dev/null +++ b/alertmanager-ntfy/Containerfile @@ -0,0 +1,14 @@ +ARG TAG=latest +FROM docker.io/golang:${TAG} as builder +ARG CGO_ENABLED=0 +WORKDIR /app + +COPY go.mod go.sum ./ +RUN go mod download +COPY . . + +RUN go build + +FROM scratch +COPY --from=builder /app/alertmanager-ntfy /alertmanager-ntfy +ENTRYPOINT ["/alertmanager-ntfy"] \ No newline at end of file From 1e323bfa923aac17a8b21bfb775e19017b868777 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Tue, 24 Jun 2025 22:51:06 +0200 Subject: [PATCH 08/31] remove never used image build --- .woodpecker/alertmanager-ntfy.yaml | 73 ------------------------------ alertmanager-ntfy/Containerfile | 14 ------ 2 files changed, 87 deletions(-) delete mode 100644 .woodpecker/alertmanager-ntfy.yaml delete mode 100644 alertmanager-ntfy/Containerfile diff --git a/.woodpecker/alertmanager-ntfy.yaml b/.woodpecker/alertmanager-ntfy.yaml deleted file mode 100644 index d92a169..0000000 --- a/.woodpecker/alertmanager-ntfy.yaml +++ /dev/null 
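Review bot: The matrix key `ALERTMANAGER-NTFY_VERSION` contains a hyphen, which is not valid in an environment variable name: in `${ALERTMANAGER-NTFY_VERSION}` the `-` is the default-value operator (variable `ALERTMANAGER`, default `NTFY_VERSION`) for POSIX shells and presumably for Woodpecker's own substitution as well. The `git clone --revision=...` in the setup step would therefore not receive the pinned commit id. Rename the key to `ALERTMANAGER_NTFY_VERSION` in the matrix and in every reference. The clone also targets `alertmanager-ntfy`, a directory that already exists in the workspace because this patch adds `alertmanager-ntfy/Containerfile`, so it would likely refuse to run. The commented-out steps still carry `keycloak.tar` and `KEYCLOAK_VERSION == "26.0"` from the file they were copied from.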
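Review bot: `ARG TAG=latest` feeding `FROM docker.io/golang:${TAG}` makes the builder image a moving target, and nothing in this patch passes `--build-arg=TAG` because the build-image step is commented out. Default to a specific Go release instead, e.g. `ARG TAG=<GO_VERSION_PLACEHOLDER>`, so a rebuild of the same source commit uses the same toolchain. The file also ends without a trailing newline.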
@@ -1,73 +0,0 @@ -when: - - event: push - path: - - 'alertmanager-ntfy/**' - - '.woodpecker/alertmanager-ntfy.yaml' - - event: cron - cron: daily - -# Manually set a workspace path, so we can use it literally, without using -# ${CI_WORKSPACE}, when running kaniko, since using ${CI_WORKSPACE} doesn't work. -# https://github.com/woodpecker-ci/woodpecker/issues/3982 -workspace: - path: src - -matrix: - ALERTMANAGER-NTFY_VERSION: - - 76d5f772f70d6915c89da00414c20009b03cc361 - IMAGE_NAME: - - git.hamburg.ccc.de/ccchh/oci-images/alertmanager-ntfy - -steps: - - name: setup - image: alpine - commands: - - apk -u add git - - mkdir /woodpecker/images - - git clone --revision=${ALERTMANAGER-NTFY_VERSION} https://github.com/alexbakker/alertmanager-ntfy.git - - ls - -# - name: build-image -# image: gcr.io/kaniko-project/executor -# entrypoint: -# - /kaniko/executor -# - --context=dir:///woodpecker/src/alertmanager-ntfy -# - --dockerfile=./Containerfile -# - --destination=${IMAGE_NAME}:${ALERTMANAGER-NTFY_VERSION} -# - --no-push -# - --tar-path=/woodpecker/images/alertmanager-ntfy.tar -# -# - name: publish-image -# image: alpine -# environment: -# GIT_API_TOKEN: -# from_secret: GIT_API_TOKEN -# commands: -# - apk -u add crane -# - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN -# - crane push /woodpecker/images/keycloak.tar $IMAGE_NAME:$ALERTMANAGER-NTFY_VERSION-$CI_COMMIT_BRANCH -# -# - name: tag-version -# image: alpine -# when: -# - branch: main -# environment: -# GIT_API_TOKEN: -# from_secret: GIT_API_TOKEN -# commands: -# - apk -u add crane -# - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN -# - crane tag $IMAGE_NAME:$ALERTMANAGER-NTFY_VERSION-$CI_COMMIT_BRANCH $ALERTMANAGER-NTFY_VERSION -# -# - name: tag-latest -# image: alpine -# when: -# - branch: main -# evaluate: 'KEYCLOAK_VERSION == "26.0"' -# environment: -# GIT_API_TOKEN: -# from_secret: GIT_API_TOKEN -# commands: -# - apk -u add crane -# - crane auth login 
git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN -# - crane tag $IMAGE_NAME:$ALERTMANAGER-NTFY_VERSION-$CI_COMMIT_BRANCH latest diff --git a/alertmanager-ntfy/Containerfile b/alertmanager-ntfy/Containerfile deleted file mode 100644 index 8f45f75..0000000 --- a/alertmanager-ntfy/Containerfile +++ /dev/null @@ -1,14 +0,0 @@ -ARG TAG=latest -FROM docker.io/golang:${TAG} as builder -ARG CGO_ENABLED=0 -WORKDIR /app - -COPY go.mod go.sum ./ -RUN go mod download -COPY . . - -RUN go build - -FROM scratch -COPY --from=builder /app/alertmanager-ntfy /alertmanager-ntfy -ENTRYPOINT ["/alertmanager-ntfy"] \ No newline at end of file From 1f3e972fbd036a38131cefdf7d283780c31648f3 Mon Sep 17 00:00:00 2001 From: c6ristian Date: Sun, 29 Jun 2025 20:33:09 +0200 Subject: [PATCH 09/31] fix secrets --- .woodpecker/penpot.yaml | 15 +++++++++------ 1 file changed, 9 insertions(+), 6 deletions(-) diff --git a/.woodpecker/penpot.yaml b/.woodpecker/penpot.yaml index 9e79d1b..8cedcbe 100644 --- a/.woodpecker/penpot.yaml +++ b/.woodpecker/penpot.yaml @@ -64,8 +64,9 @@ steps: - name: publish-image image: docker.io/library/alpine - secrets: - - GIT_API_TOKEN + environment: + GIT_API_TOKEN: + from_secret: GIT_API_TOKEN commands: - apk -u add crane - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN @@ -75,8 +76,9 @@ steps: image: docker.io/library/alpine when: - branch: main - secrets: - - GIT_API_TOKEN + environment: + GIT_API_TOKEN: + from_secret: GIT_API_TOKEN commands: - apk -u add crane - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN @@ -87,8 +89,9 @@ steps: when: - branch: main evaluate: 'PENPOT_VERSION == "2.1.2"' - secrets: - - GIT_API_TOKEN + environment: + GIT_API_TOKEN: + from_secret: GIT_API_TOKEN commands: - apk -u add crane - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN From b722397a8be291c9dd8631092a4b22257d11111f Mon Sep 17 00:00:00 2001 
From: c6ristian Date: Sun, 29 Jun 2025 20:34:53 +0200 Subject: [PATCH 10/31] do not build eol keycloak and nextcloud --- .woodpecker/keycloak.yaml | 1 - .woodpecker/nextcloud.yaml | 1 - 2 files changed, 2 deletions(-) diff --git a/.woodpecker/keycloak.yaml b/.woodpecker/keycloak.yaml index dc64f11..5c3433a 100644 --- a/.woodpecker/keycloak.yaml +++ b/.woodpecker/keycloak.yaml @@ -19,7 +19,6 @@ workspace: # Also because global environment variables aren't a thing. matrix: KEYCLOAK_VERSION: - - 26.0 - 26.1 - 26.2 IMAGE_NAME: diff --git a/.woodpecker/nextcloud.yaml b/.woodpecker/nextcloud.yaml index a9b3fa2..d570293 100644 --- a/.woodpecker/nextcloud.yaml +++ b/.woodpecker/nextcloud.yaml @@ -19,7 +19,6 @@ workspace: # Also because global environment variables aren't a thing. matrix: NEXTCLOUD_VERSION: - - 29 - 30 - 31 IMAGE_NAME: From e354b26d08f921a395f26747b4b77d9dab8ff9ca Mon Sep 17 00:00:00 2001 From: c6ristian Date: Tue, 7 Oct 2025 22:03:06 +0200 Subject: [PATCH 11/31] Build newer images --- .woodpecker/keycloak.yaml | 3 ++- .woodpecker/nextcloud.yaml | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.woodpecker/keycloak.yaml b/.woodpecker/keycloak.yaml index 5c3433a..bbf0eff 100644 --- a/.woodpecker/keycloak.yaml +++ b/.woodpecker/keycloak.yaml @@ -19,8 +19,9 @@ workspace: # Also because global environment variables aren't a thing. matrix: KEYCLOAK_VERSION: - - 26.1 - 26.2 + - 26.3 + - 26.4 IMAGE_NAME: - git.hamburg.ccc.de/ccchh/oci-images/keycloak diff --git a/.woodpecker/nextcloud.yaml b/.woodpecker/nextcloud.yaml index d570293..4639448 100644 --- a/.woodpecker/nextcloud.yaml +++ b/.woodpecker/nextcloud.yaml @@ -21,6 +21,7 @@ matrix: NEXTCLOUD_VERSION: - 30 - 31 + - 32 IMAGE_NAME: - git.hamburg.ccc.de/ccchh/oci-images/nextcloud From b4386b09fa380a8f690b8aa90fb5a57d894ca57b Mon Sep 17 00:00:00 2001 
From: June Date: Wed, 4 Mar 2026 22:32:12 +0100 Subject: [PATCH 12/31] build Keycloak version 26.5 --- .woodpecker/keycloak.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.woodpecker/keycloak.yaml b/.woodpecker/keycloak.yaml index bbf0eff..0afe319 100644 --- a/.woodpecker/keycloak.yaml +++ b/.woodpecker/keycloak.yaml @@ -22,6 +22,7 @@ matrix: - 26.2 - 26.3 - 26.4 + - 26.5 IMAGE_NAME: - git.hamburg.ccc.de/ccchh/oci-images/keycloak From f39027a54ef9e39745bb22e4f7c5cdb0b8155919 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 5 Apr 2026 01:00:34 +0200 Subject: [PATCH 13/31] set only one and one specific Keycloak version --- .woodpecker/keycloak.yaml | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/.woodpecker/keycloak.yaml b/.woodpecker/keycloak.yaml index 0afe319..e47798e 100644 --- a/.woodpecker/keycloak.yaml +++ b/.woodpecker/keycloak.yaml @@ -19,10 +19,7 @@ workspace: # Also because global environment variables aren't a thing. matrix: KEYCLOAK_VERSION: - - 26.2 - - 26.3 - - 26.4 - - 26.5 + - 26.5.7 IMAGE_NAME: - git.hamburg.ccc.de/ccchh/oci-images/keycloak From 195d947c6acd090b5112e0d26ee75e08637ea2c2 Mon Sep 17 00:00:00 2001 From: Renovate Date: Sat, 4 Apr 2026 23:04:51 +0000 Subject: [PATCH 14/31] Add renovate.json --- renovate.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 renovate.json diff --git a/renovate.json b/renovate.json new file mode 100644 index 0000000..5db72dd --- /dev/null +++ b/renovate.json @@ -0,0 +1,6 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:recommended" + ] +} From ddefd6b5e3934561af8908fb138c3ccf25694c88 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 5 Apr 2026 01:20:12 +0200 Subject: [PATCH 15/31] add custom manager for letting Renovate find deps in woodpecker matrix --- renovate.json | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/renovate.json b/renovate.json index 5db72dd..7f0cc8d 100644 --- a/renovate.json 
+++ b/renovate.json @@ -2,5 +2,17 @@ "$schema": "https://docs.renovatebot.com/renovate-schema.json", "extends": [ "config:recommended" + ], + "customManagers": [ + // Custom manager using regex for letting Renovate find dependencies in woodpecker Matrix variables. + { + "customType": "regex", + "managerFilePatterns": [ + "/^\\.woodpecker/.*\\.ya?ml$/" + ], + "matchStrings": [ + "# renovate: datasource=(?[a-zA-Z0-9-._]+?) depName=(?[^\\s]+?)(?: packageName=(?[^\\s]+?))?(?: versioning=(?[^\\s]+?))?\\s*-\\s*[\"']?(?.+?)[\"']?\\s" + ] + } ] } From d0cad32eaa931d09105c7ad0955f1baede2d7199 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 5 Apr 2026 01:21:48 +0200 Subject: [PATCH 16/31] add Renovate annotation for Keycloak --- .woodpecker/keycloak.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.woodpecker/keycloak.yaml b/.woodpecker/keycloak.yaml index e47798e..7625db6 100644 --- a/.woodpecker/keycloak.yaml +++ b/.woodpecker/keycloak.yaml @@ -19,6 +19,7 @@ workspace: # Also because global environment variables aren't a thing. matrix: KEYCLOAK_VERSION: + # renovate: datasource=docker depName=quay.io/keycloak/keycloak - 26.5.7 IMAGE_NAME: - git.hamburg.ccc.de/ccchh/oci-images/keycloak From 0032c7447ba84d54a8f8dc04a3e6018dd59c8424 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 5 Apr 2026 01:30:31 +0200 Subject: [PATCH 17/31] always tag latest --- .woodpecker/keycloak.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.woodpecker/keycloak.yaml b/.woodpecker/keycloak.yaml index 7625db6..051b42d 100644 --- a/.woodpecker/keycloak.yaml +++ b/.woodpecker/keycloak.yaml @@ -65,9 +65,6 @@ steps: - name: tag-latest image: alpine - when: - - branch: main - evaluate: 'KEYCLOAK_VERSION == "26.0"' environment: GIT_API_TOKEN: from_secret: GIT_API_TOKEN From a14f114d0f861427f996c580488f151a3f165b93 Mon Sep 17 00:00:00 2001 
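Review bot: The `// Custom manager using regex ...` line added inside `customManagers` is not valid JSON, so strict consumers of `renovate.json` (editors, linters, validation against the `$schema` URL) reject the file. Whether Renovate itself accepts it depends on lenient parsing that I would not rely on. Either rename the file to `renovate.json5`, or move the text into the manager object as `"description": "Find dependencies in Woodpecker matrix variables."`.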
From: June Date: Sun, 5 Apr 2026 16:41:35 +0200 Subject: [PATCH 18/31] only tag latest on main --- .woodpecker/keycloak.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.woodpecker/keycloak.yaml b/.woodpecker/keycloak.yaml index 051b42d..99e4df9 100644 --- a/.woodpecker/keycloak.yaml +++ b/.woodpecker/keycloak.yaml @@ -65,6 +65,8 @@ steps: - name: tag-latest image: alpine + when: + - branch: main environment: GIT_API_TOKEN: from_secret: GIT_API_TOKEN From 07bcd8cd163790fb375d53aa04fe467a60fd6068 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 5 Apr 2026 16:57:29 +0200 Subject: [PATCH 19/31] add attribute-endpoints-provider plugin to keycloak --- .woodpecker/keycloak.yaml | 9 +++++++++ keycloak/Containerfile | 2 ++ 2 files changed, 11 insertions(+) diff --git a/.woodpecker/keycloak.yaml b/.woodpecker/keycloak.yaml index 99e4df9..1414999 100644 --- a/.woodpecker/keycloak.yaml +++ b/.woodpecker/keycloak.yaml @@ -30,6 +30,15 @@ steps: commands: - mkdir /woodpecker/images + - name: build-attribute-endpoints-provider + image: alpine + commands: + - apk -u add maven git + - git clone https://git.hamburg.ccc.de/CCCHH/keycloak-attribute-endpoints-provider.git + - cd keycloak-attribute-endpoints-provider + - mvn -f attribute-endpoints-provider verify + - cp attribute-endpoints-provider/target/attribute-endpoints-provider-1.0-SNAPSHOT.jar /woodpecker/src/keycloak/attribute-endpoints-provider.jar + - name: build-image image: gcr.io/kaniko-project/executor entrypoint: diff --git a/keycloak/Containerfile b/keycloak/Containerfile index 7f5fa4c..f3f6c1e 100644 --- a/keycloak/Containerfile +++ b/keycloak/Containerfile @@ -2,8 +2,10 @@ ARG TAG=latest FROM quay.io/keycloak/keycloak:${TAG} as builder ENV KC_DB=postgres +ENV KC_FEATURES=declarative-ui WORKDIR /opt/keycloak +ADD --chown=keycloak:keycloak --chmod=644 attribute-endpoints-provider.jar /opt/keycloak/providers/attribute-endpoints-provider.jar RUN /opt/keycloak/bin/kc.sh build FROM quay.io/keycloak/keycloak:${TAG} 
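Review bot: The new build-attribute-endpoints-provider step clones `keycloak-attribute-endpoints-provider.git` at whatever its default branch currently holds and copies a `1.0-SNAPSHOT` jar into the Keycloak image. The provider code running inside the identity provider is therefore not tied to any reviewed revision, and two builds of the same `KEYCLOAK_VERSION` tag can differ. Pin the clone by adding `- git checkout <PINNED_COMMIT_SHA>` after the `cd`, and bump it deliberately. The step also runs on the floating `image: alpine` with `apk -u add maven git`, so the build toolchain is unpinned as well.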
From 873d51c7b94238481b818601e3a636ae5140e267 Mon Sep 17 00:00:00 2001 From: Renovate Date: Wed, 8 Apr 2026 09:31:25 +0000 Subject: [PATCH 20/31] Update quay.io/keycloak/keycloak Docker tag to v26.6.0 --- .woodpecker/keycloak.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.woodpecker/keycloak.yaml b/.woodpecker/keycloak.yaml index 1414999..2f76bd8 100644 --- a/.woodpecker/keycloak.yaml +++ b/.woodpecker/keycloak.yaml @@ -20,7 +20,7 @@ workspace: matrix: KEYCLOAK_VERSION: # renovate: datasource=docker depName=quay.io/keycloak/keycloak - - 26.5.7 + - 26.6.0 IMAGE_NAME: - git.hamburg.ccc.de/ccchh/oci-images/keycloak From 897ed8581369d0ea3cb3cd22dfa87686d84e71aa Mon Sep 17 00:00:00 2001 From: lilly Date: Fri, 15 May 2026 09:06:44 +0200 Subject: [PATCH 21/31] replace nextcloud image building with forgejo-actions --- .forgejo/workflows/build_nextcloud.yml | 39 +++++++++++++ .woodpecker/nextcloud.yaml | 78 -------------------------- 2 files changed, 39 insertions(+), 78 deletions(-) create mode 100644 .forgejo/workflows/build_nextcloud.yml delete mode 100644 .woodpecker/nextcloud.yaml diff --git a/.forgejo/workflows/build_nextcloud.yml b/.forgejo/workflows/build_nextcloud.yml new file mode 100644 index 0000000..e69aaeb --- /dev/null +++ b/.forgejo/workflows/build_nextcloud.yml 
@@ -0,0 +1,39 @@ +name: Build Nextcloud + +on: + workflow_dispatch: {} + push: {} + schedule: + - cron: "@daily" + +jobs: + build-container: + name: Build Container + runs-on: docker + container: + image: ghcr.io/osscontainertools/kaniko:alpine + strategy: + matrix: + nextcloud-version: [ 30, 31, 32 ] + steps: + - name: Install required system packages + run: apk add --no-cache nodejs + + - name: Build Container + uses: actions/checkout@v6 + + - name: Build Container + env: + KANIKO_NO_PUSH: ${{ forgejo.ref_name != 'main' }} + KANIKO_GIT_HAMBURG_CCC_DE_USER: forgejo-actions + KANIKO_GIT_HAMBURG_CCC_DE_PASSWORD: ${{ secrets.PACKAGES_TOKEN }} + run: /kaniko/executor + --dockerfile="${{forgejo.workspace }}/Containerfile" + --context="dir://${{ forgejo.workspace }}/nextcloud" + --build-arg=TAG=${{ matrix.nextcloud-version }} + --destination=git.hamburg.ccc.de/ccchh/oci-images/nextcloud:${{ matrix.nextcloud-version }} + --no-push-cache + --credential-helpers=env + --annotation=org.opencontainers.image.ref.name=nextcloud + --annotation=org.opencontainers.image.url=${{ forgejo.server_url }}/${{ forgejo.repository }} + --annotation=org.opencontainers.image.source=${{ forgejo.server_url }}/${{ forgejo.repository }} diff --git a/.woodpecker/nextcloud.yaml b/.woodpecker/nextcloud.yaml deleted file mode 100644 index 4639448..0000000 --- a/.woodpecker/nextcloud.yaml +++ /dev/null 
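Review bot: The build job receives `secrets.PACKAGES_TOKEN` on every trigger, because `push: {}` matches all branches, although only pushes to `main` need it (`KANIKO_NO_PUSH` is true everywhere else). The code that runs with that token also comes from two floating references, `ghcr.io/osscontainertools/kaniko:alpine` and `actions/checkout@v6`. I would pin both (`image: ghcr.io/osscontainertools/kaniko@sha256:<DIGEST_PLACEHOLDER>`, `uses: actions/checkout@<COMMIT_SHA_PLACEHOLDER>`) and only hand out the credential on main, e.g. `KANIKO_GIT_HAMBURG_CCC_DE_PASSWORD: ${{ forgejo.ref_name == 'main' && secrets.PACKAGES_TOKEN || '' }}`. Compared with the removed Woodpecker pipeline, the `nextcloud/**` path filter and the `latest` tag are gone; if that is intended, a comment at the top of the workflow should say so.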
@@ -1,78 +0,0 @@ -when: - - event: push - path: - - 'nextcloud/**' - - '.woodpecker/nextcloud.yaml' - - event: cron - cron: daily - -# Manually set a workspace path, so we can use it literally, without using -# ${CI_WORKSPACE}, when running kaniko, since using ${CI_WORKSPACE} doesn't work. -# https://github.com/woodpecker-ci/woodpecker/issues/3982 -workspace: - path: src - -# Use matrix to set NEXTCLOUD_VERSION instead of setting the NEXTCLOUD_VERSION as -# an environment variable in the build-images step, since string substitution -# doesn't work for custom environment variables. -# https://github.com/woodpecker-ci/woodpecker/issues/3983 -# Also because global environment variables aren't a thing. -matrix: - NEXTCLOUD_VERSION: - - 30 - - 31 - - 32 - IMAGE_NAME: - - git.hamburg.ccc.de/ccchh/oci-images/nextcloud - -steps: - - name: setup-image-path - image: docker.io/library/alpine - commands: - - mkdir /woodpecker/images - - - name: build-image - image: gcr.io/kaniko-project/executor - entrypoint: - - /kaniko/executor - - --context=dir:///woodpecker/src/nextcloud - - --dockerfile=./Containerfile - - --build-arg=TAG=${NEXTCLOUD_VERSION} - - --destination=${IMAGE_NAME}:${NEXTCLOUD_VERSION} - - --no-push - - --tar-path=/woodpecker/images/nextcloud.tar - - - name: publish-image - image: docker.io/library/alpine - environment: - GIT_API_TOKEN: - from_secret: GIT_API_TOKEN - commands: - - apk -u add crane - - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN - - crane push /woodpecker/images/nextcloud.tar $IMAGE_NAME:$NEXTCLOUD_VERSION-$CI_COMMIT_BRANCH - - - name: tag-version - image: docker.io/library/alpine - when: - - branch: main - environment: - GIT_API_TOKEN: - from_secret: GIT_API_TOKEN - commands: - - apk -u add crane - - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN - - crane tag $IMAGE_NAME:$NEXTCLOUD_VERSION-$CI_COMMIT_BRANCH $NEXTCLOUD_VERSION - - - name: tag-latest - image: docker.io/library/alpine - when: - - branch: 
main - evaluate: 'NEXTCLOUD_VERSION == "29"' - environment: - GIT_API_TOKEN: - from_secret: GIT_API_TOKEN - commands: - - apk -u add crane - - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN - - crane tag $IMAGE_NAME:$NEXTCLOUD_VERSION-$CI_COMMIT_BRANCH latest From 1f89b8f89a23d30e23c3c1dcb9e02fefb13a82a0 Mon Sep 17 00:00:00 2001 From: lilly Date: Fri, 15 May 2026 09:10:12 +0200 Subject: [PATCH 22/31] fix nextcloud ci not specifying containerfile path correctly --- .forgejo/workflows/build_nextcloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/build_nextcloud.yml b/.forgejo/workflows/build_nextcloud.yml index e69aaeb..c9a60cf 100644 --- a/.forgejo/workflows/build_nextcloud.yml +++ b/.forgejo/workflows/build_nextcloud.yml @@ -28,7 +28,7 @@ jobs: KANIKO_GIT_HAMBURG_CCC_DE_USER: forgejo-actions KANIKO_GIT_HAMBURG_CCC_DE_PASSWORD: ${{ secrets.PACKAGES_TOKEN }} run: /kaniko/executor - --dockerfile="${{forgejo.workspace }}/Containerfile" + --dockerfile="${{forgejo.workspace }}/nextcloud/Containerfile" --context="dir://${{ forgejo.workspace }}/nextcloud" --build-arg=TAG=${{ matrix.nextcloud-version }} --destination=git.hamburg.ccc.de/ccchh/oci-images/nextcloud:${{ matrix.nextcloud-version }} From dde5375ab53b99a0dee42758cf4eeb145ef0029c Mon Sep 17 00:00:00 2001 From: lilly Date: Fri, 15 May 2026 09:10:55 +0200 Subject: [PATCH 23/31] use more descriptive CI job names for nextcloud image building --- .forgejo/workflows/build_nextcloud.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/build_nextcloud.yml b/.forgejo/workflows/build_nextcloud.yml index c9a60cf..0f0619c 100644 --- a/.forgejo/workflows/build_nextcloud.yml +++ b/.forgejo/workflows/build_nextcloud.yml @@ -8,7 +8,7 @@ on: jobs: build-container: - name: Build Container + name: Build Nextcloud ${{ matrix.nextcloud-version }} Image runs-on: docker container: image: ghcr.io/osscontainertools/kaniko:alpine 
@@ -19,7 +19,7 @@ jobs: - name: Install required system packages run: apk add --no-cache nodejs - - name: Build Container + - name: Checkout Source Code uses: actions/checkout@v6 - name: Build Container From c741c9defcf5e04ece4f5b2b37c4c9979dfa26f3 Mon Sep 17 00:00:00 2001 From: lilly Date: Fri, 15 May 2026 09:13:06 +0200 Subject: [PATCH 24/31] migrate penpot image building to forgejo actions --- .forgejo/workflows/build_penpot.yml | 62 ++++++++++++++++++ .woodpecker/penpot.yaml | 98 ----------------------------- 2 files changed, 62 insertions(+), 98 deletions(-) create mode 100644 .forgejo/workflows/build_penpot.yml delete mode 100644 .woodpecker/penpot.yaml diff --git a/.forgejo/workflows/build_penpot.yml b/.forgejo/workflows/build_penpot.yml new file mode 100644 index 0000000..fd219db --- /dev/null +++ b/.forgejo/workflows/build_penpot.yml 
@@ -0,0 +1,62 @@ +name: Build Penpot + +on: + workflow_dispatch: {} + push: {} + schedule: + - cron: "@daily" + +jobs: + build-container: + name: Build Image penpot-${{ matrix.image-type }}:${{ matrix.penpot-version }} + runs-on: docker + container: + image: ghcr.io/osscontainertools/kaniko:alpine + strategy: + matrix: + penpot-version: [ "2.1.2" ] + image-type: [ frontend, backend, exporter ] + steps: + - name: Install required system packages + run: apk add --no-cache nodejs + + - name: Setup penpot repo + uses: actions/checkout@v6 + with: + github-server-url: github.com + repository: penpot/penpot + ref: ${{ matrix.image-penpot-version }} + submodules: recursive + path: penpot + + - name: Patch penpot to work with kaniko + run: | + # Get build system patch allowing for building images with kaniko. + # https://github.com/penpot/penpot/pull/4945 + # https://github.com/penpot/penpot/pull/4945/commits/752574bac789cc90cc218004bb9545cc6239895d + curl https://github.com/penpot/penpot/commit/752574bac789cc90cc218004bb9545cc6239895d.patch > 0001-move-entire-image-build-process-into-Dockerfiles.patch + + # Get patch disallowing registration with invitation token, when disable-login-with-password flag is set. 
+ # https://github.com/penpot/penpot/issues/4975 + # https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0 + curl https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0.patch > 0002-hotfix-dont-allow-registration-with-invite-if-password-login- + + # apply patches + git config user.name "Woodpecker" + git config user.email "woodpecker@woodpecker.invalid" + git am *.patch + + - name: Build Container + env: + KANIKO_NO_PUSH: ${{ forgejo.ref_name != 'main' }} + KANIKO_GIT_HAMBURG_CCC_DE_USER: forgejo-actions + KANIKO_GIT_HAMBURG_CCC_DE_PASSWORD: ${{ secrets.PACKAGES_TOKEN }} + run: /kaniko/executor + --dockerfile="${{forgejo.workspace }}/penpot/Containerfile" + --context="dir://${{ forgejo.workspace }}/penpot/docker/images/Dockerfile.${{ matrix.image-type }}" + --destination=git.hamburg.ccc.de/ccchh/oci-images/penpot-${{ matrix.image-type }}:${{ matrix.penpot-version }} + --no-push-cache + --credential-helpers=env + --annotation=org.opencontainers.image.ref.name=penpot-${{ matrix.image-type }} + --annotation=org.opencontainers.image.url=${{ forgejo.server_url }}/${{ forgejo.repository }} + --annotation=org.opencontainers.image.source=${{ forgejo.server_url }}/${{ forgejo.repository }} diff --git a/.woodpecker/penpot.yaml b/.woodpecker/penpot.yaml deleted file mode 100644 index 8cedcbe..0000000 --- a/.woodpecker/penpot.yaml +++ /dev/null 
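Review bot: As written, the image tagged `${{ matrix.penpot-version }}` is not built from that version, and the registration hotfix is never applied. `ref: ${{ matrix.image-penpot-version }}` names a matrix key that does not exist (the keys are `penpot-version` and `image-type`), so the checkout presumably falls back to the default branch. The patch step runs in the workspace root rather than in the `penpot` checkout, and the second download is saved under a name without the `.patch` suffix (as shown on this page), so `git am *.patch` skips it. The kaniko arguments look swapped relative to the removed Woodpecker step: `--dockerfile` points at `penpot/Containerfile` and `--context` at the Dockerfile. `curl` should also get `-fsSL` so that an HTTP error page is never written out as a patch.

```yaml
      - name: Setup penpot repo
        uses: actions/checkout@v6
        with:
          # … unchanged: github-server-url, repository …
          ref: ${{ matrix.penpot-version }}
          # … unchanged: submodules, path …

      - name: Patch penpot to work with kaniko
        run: |
          # Work inside the penpot checkout so git am targets that repository.
          cd penpot
          # … unchanged: comments naming the upstream PR and issue …
          curl -fsSL https://github.com/penpot/penpot/commit/752574bac789cc90cc218004bb9545cc6239895d.patch > 0001-move-entire-image-build-process-into-Dockerfiles.patch
          curl -fsSL https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0.patch > 0002-hotfix-dont-allow-registration-with-invite-if-password-login-is-disabled.patch
          # … unchanged: git config, git am …

      - name: Build Container
        # … unchanged: env, and the executor flags after --context …
        run: /kaniko/executor
          --dockerfile="${{ forgejo.workspace }}/penpot/docker/images/Dockerfile.${{ matrix.image-type }}"
          --context="dir://${{ forgejo.workspace }}/penpot"
```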
@@ -1,98 +0,0 @@ -when: - - event: push - path: - - 'penpot/**' - - '.woodpecker/penpot.yaml' - - event: cron - cron: daily - -# Manually set a workspace path, so we can use it literally, without using -# ${CI_WORKSPACE}, when running kaniko, since using ${CI_WORKSPACE} doesn't work. -# https://github.com/woodpecker-ci/woodpecker/issues/3982 -workspace: - path: src - -# Use matrix to set PENPOT_VERSION instead of setting the PENPOT_VERSION as an -# environment variable in the build-images step, since string substitution -# doesn't work for custom environment variables. -# https://github.com/woodpecker-ci/woodpecker/issues/3983 -# Also because global environment variables aren't a thing. -matrix: - PENPOT_VERSION: - - 2.1.2 - IMAGE_BASE_NAME: - - git.hamburg.ccc.de/ccchh/oci-images/penpot - IMAGE_TYPE: - - frontend - - backend - - exporter - -steps: - - name: setup-image-path - image: alpine - commands: - - mkdir /woodpecker/images - - - name: setup-penpot-repo - image: alpine - commands: - - apk -u add git curl - - git clone --branch $PENPOT_VERSION https://github.com/penpot/penpot.git /woodpecker/penpot - - cd /woodpecker/penpot - - git submodule update --init --recursive - # Get build system patch allowing for building images with kaniko. - # https://github.com/penpot/penpot/pull/4945 - # https://github.com/penpot/penpot/pull/4945/commits/752574bac789cc90cc218004bb9545cc6239895d - - curl https://github.com/penpot/penpot/commit/752574bac789cc90cc218004bb9545cc6239895d.patch > 0001-move-entire-image-build-process-into-Dockerfiles.patch - # Get patch disallowing registration with invitation token, when disable-login-with-password flag is set. 
- # https://github.com/penpot/penpot/issues/4975 - # https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0 - - curl https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0.patch > 0002-hotfix-dont-allow-registration-with-invite-if-password-login-is-disabled.patch - - git config user.name "Woodpecker" - - git config user.email "woodpecker@woodpecker.invalid" - - git am *.patch - - - name: build-image - image: gcr.io/kaniko-project/executor - entrypoint: - - /kaniko/executor - - --context=dir:///woodpecker/penpot - - --dockerfile=./docker/images/Dockerfile.${IMAGE_TYPE} - - --destination=${IMAGE_BASE_NAME}/${IMAGE_TYPE}:${PENPOT_VERSION} - - --no-push - - --tar-path=/woodpecker/images/penpot-${IMAGE_TYPE}.tar - - - name: publish-image - image: docker.io/library/alpine - environment: - GIT_API_TOKEN: - from_secret: GIT_API_TOKEN - commands: - - apk -u add crane - - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN - - crane push /woodpecker/images/penpot-$IMAGE_TYPE.tar $IMAGE_BASE_NAME/$IMAGE_TYPE:$PENPOT_VERSION-$CI_COMMIT_BRANCH - - - name: tag-version - image: docker.io/library/alpine - when: - - branch: main - environment: - GIT_API_TOKEN: - from_secret: GIT_API_TOKEN - commands: - - apk -u add crane - - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN - - crane tag $IMAGE_BASE_NAME/$IMAGE_TYPE:$PENPOT_VERSION-$CI_COMMIT_BRANCH $PENPOT_VERSION - - - name: tag-latest - image: docker.io/library/alpine - when: - - branch: main - evaluate: 'PENPOT_VERSION == "2.1.2"' - environment: - GIT_API_TOKEN: - from_secret: GIT_API_TOKEN - commands: - - apk -u add crane - - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN - - crane tag $IMAGE_BASE_NAME/$IMAGE_TYPE:$PENPOT_VERSION-$CI_COMMIT_BRANCH latest From 2b43002c9b28ca93186c352c09acbf812a5d3f03 Mon Sep 17 00:00:00 2001 
From: lilly Date: Fri, 15 May 2026 09:23:10 +0200 Subject: [PATCH 25/31] fix penpot repo checkout in CICD --- .forgejo/workflows/build_penpot.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/build_penpot.yml b/.forgejo/workflows/build_penpot.yml index fd219db..6a24fac 100644 --- a/.forgejo/workflows/build_penpot.yml +++ b/.forgejo/workflows/build_penpot.yml @@ -24,7 +24,7 @@ jobs: uses: actions/checkout@v6 with: github-server-url: github.com - repository: penpot/penpot + repository: penpot/penpot.git ref: ${{ matrix.image-penpot-version }} submodules: recursive path: penpot From 5ab9c077c25733844d759aca72aa32dbdaaf845e Mon Sep 17 00:00:00 2001 From: lilly Date: Fri, 15 May 2026 09:25:33 +0200 Subject: [PATCH 26/31] use manual git pull in penpot ci --- .forgejo/workflows/build_penpot.yml | 17 +++++++---------- 1 file changed, 7 insertions(+), 10 deletions(-) diff --git a/.forgejo/workflows/build_penpot.yml b/.forgejo/workflows/build_penpot.yml index 6a24fac..69afc3c 100644 --- a/.forgejo/workflows/build_penpot.yml +++ b/.forgejo/workflows/build_penpot.yml 
@@ -18,19 +18,16 @@ jobs: image-type: [ frontend, backend, exporter ] steps: - name: Install required system packages - run: apk add --no-cache nodejs + run: apk add --no-cache nodejs git curl - - name: Setup penpot repo - uses: actions/checkout@v6 - with: - github-server-url: github.com - repository: penpot/penpot.git - ref: ${{ matrix.image-penpot-version }} - submodules: recursive - path: penpot + - name: Clone penpot repo + run: | + git clone --branch="${{ matrix.penpot-version }}" https://github.com/penpot/penpot.git "${{ forgejo.workspace }}/penpot" + cd "${{ forgejo.workspace }}/penpot" + git submodule update --init --recursive - name: Patch penpot to work with kaniko - run: | + run: | # Get build system patch allowing for building images with kaniko. # https://github.com/penpot/penpot/pull/4945 # https://github.com/penpot/penpot/pull/4945/commits/752574bac789cc90cc218004bb9545cc6239895d From 909739102df14e5e82d11916406ee92c04ee0b8a Mon Sep 17 00:00:00 2001 From: lilly Date: Fri, 15 May 2026 09:27:20 +0200 Subject: [PATCH 27/31] fix penpot working directory for source patching in CI --- .forgejo/workflows/build_penpot.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.forgejo/workflows/build_penpot.yml b/.forgejo/workflows/build_penpot.yml index 69afc3c..8630df5 100644 --- a/.forgejo/workflows/build_penpot.yml +++ b/.forgejo/workflows/build_penpot.yml @@ -27,7 +27,9 @@ jobs: git submodule update --init --recursive - name: Patch penpot to work with kaniko - run: | + run: | + cd "${{ forgejo.workspace }}/penpot" + # Get build system patch allowing for building images with kaniko. # https://github.com/penpot/penpot/pull/4945 # https://github.com/penpot/penpot/pull/4945/commits/752574bac789cc90cc218004bb9545cc6239895d From 7174feb4dfeb52fe2309c036ec1ced9b509874a1 Mon Sep 17 00:00:00 2001 
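Review bot: The new `Clone penpot repo` step pins the source only by tag name (`--branch="${{ matrix.penpot-version }}"`), while the patches applied afterwards are pinned by commit hash. A moved or re-created upstream tag would therefore change what goes into the published image without any visible change in this repository. Consider checking the resolved commit right after the clone, for example `test "$(git rev-parse HEAD)" = "<EXPECTED_COMMIT_SHA>"`, with the expected value kept next to the version in the matrix.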
From: lilly Date: Fri, 15 May 2026 09:29:05 +0200 Subject: [PATCH 28/31] fix penpot kaniko excecutor being passed wrong path to Containerfile --- .forgejo/workflows/build_penpot.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/build_penpot.yml b/.forgejo/workflows/build_penpot.yml index 8630df5..f11ce23 100644 --- a/.forgejo/workflows/build_penpot.yml +++ b/.forgejo/workflows/build_penpot.yml @@ -51,8 +51,8 @@ jobs: KANIKO_GIT_HAMBURG_CCC_DE_USER: forgejo-actions KANIKO_GIT_HAMBURG_CCC_DE_PASSWORD: ${{ secrets.PACKAGES_TOKEN }} run: /kaniko/executor - --dockerfile="${{forgejo.workspace }}/penpot/Containerfile" - --context="dir://${{ forgejo.workspace }}/penpot/docker/images/Dockerfile.${{ matrix.image-type }}" + --dockerfile="${{forgejo.workspace }}/penpot/docker/images/Dockerfile.${{ matrix.image-type }}" + --context="dir://${{ forgejo.workspace }}/penpot/" --destination=git.hamburg.ccc.de/ccchh/oci-images/penpot-${{ matrix.image-type }}:${{ matrix.penpot-version }} --no-push-cache --credential-helpers=env From f5be174cff01cc8e20b2207a777953f218ceecab Mon Sep 17 00:00:00 2001 From: lilly Date: Fri, 15 May 2026 09:35:33 +0200 Subject: [PATCH 29/31] silence curl progress bar in penpot CI --- .forgejo/workflows/build_penpot.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.forgejo/workflows/build_penpot.yml b/.forgejo/workflows/build_penpot.yml index f11ce23..c067263 100644 --- a/.forgejo/workflows/build_penpot.yml +++ b/.forgejo/workflows/build_penpot.yml 
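Review bot: The `Build Container` step edited here receives `secrets.PACKAGES_TOKEN` on every run, because the workflow triggers on `push: {}` for all branches and `KANIKO_NO_PUSH` only suppresses the upload. If base-image pulls do not need the credential, pass it only on `main`, e.g. `KANIKO_GIT_HAMBURG_CCC_DE_PASSWORD: ${{ forgejo.ref_name == 'main' && secrets.PACKAGES_TOKEN || '' }}` (assuming the runner's expression syntax supports `&&`/`||`). The env block is context in this hunk and the step starts outside it. The Keycloak workflow added later in the series uses the same pattern.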
@@ -33,12 +33,12 @@ jobs: # Get build system patch allowing for building images with kaniko. # https://github.com/penpot/penpot/pull/4945 # https://github.com/penpot/penpot/pull/4945/commits/752574bac789cc90cc218004bb9545cc6239895d - curl https://github.com/penpot/penpot/commit/752574bac789cc90cc218004bb9545cc6239895d.patch > 0001-move-entire-image-build-process-into-Dockerfiles.patch + curl -sSL https://github.com/penpot/penpot/commit/752574bac789cc90cc218004bb9545cc6239895d.patch > 0001-move-entire-image-build-process-into-Dockerfiles.patch # Get patch disallowing registration with invitation token, when disable-login-with-password flag is set. # https://github.com/penpot/penpot/issues/4975 # https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0 - curl https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0.patch > 0002-hotfix-dont-allow-registration-with-invite-if-password-login- + curl -sSL https://github.com/june128/penpot/commit/f799da132bf5a51015859031f45154172fbf7cd0.patch > 0002-hotfix-dont-allow-registration-with-invite-if-password-login- # apply patches git config user.name "Woodpecker" From 9d5d81854fd04aabe549e864ab2672fe728383d7 Mon Sep 17 00:00:00 2001 From: lilly Date: Fri, 15 May 2026 09:40:53 +0200 Subject: [PATCH 30/31] migrate keycloak workflows to forgejo actions --- .forgejo/workflows/build_keycloak.yml | 47 +++++++++++++++ .woodpecker/keycloak.yaml | 85 --------------------------- 2 files changed, 47 insertions(+), 85 deletions(-) create mode 100644 .forgejo/workflows/build_keycloak.yml delete mode 100644 .woodpecker/keycloak.yaml diff --git a/.forgejo/workflows/build_keycloak.yml b/.forgejo/workflows/build_keycloak.yml new file mode 100644 index 0000000..7403007 --- /dev/null +++ b/.forgejo/workflows/build_keycloak.yml 
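Review bot: Both downloads still lack `-f`, so an HTTP error response is saved as the patch file and `curl` exits 0. The failure then surfaces only in `git am`, if at all. Use `curl -fsSL …` so the step stops at the download. Because the second patch comes from a personal fork, comparing each file against a recorded SHA-256 with `sha256sum -c` before `git am` would also catch content that differs from what was reviewed. The `run:` block begins outside this hunk.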
@@ -0,0 +1,47 @@ +name: Build Keycloak + +on: + workflow_dispatch: {} + push: {} + schedule: + - cron: "@daily" + +jobs: + build-container: + name: Build Keycloak Image + runs-on: docker + container: + image: ghcr.io/osscontainertools/kaniko:alpine + strategy: + matrix: + # renovate: datasource=docker depName=quay.io/keycloak/keycloak + keycloak-version: [ 26.6.0 ] + steps: + - name: Install required system packages + run: apk add --no-cache nodejs maven git + + - name: Checkout Source Code + uses: actions/checkout@v6 + + - name: Build attribute-endpoints-provider + run: | + git clone https://git.hamburg.ccc.de/CCCHH/keycloak-attribute-endpoints-provider.git + cd keycloak-attribute-endpoints-provider + mvn -f attribute-endpoints-provider verify + cp attribute-endpoints-provider/target/attribute-endpoints-provider-1.0-SNAPSHOT.jar ${{ forgejo.workspace }}/keycloak/attribute-endpoints-provider.jar + + - name: Build Container + env: + KANIKO_NO_PUSH: ${{ forgejo.ref_name != 'main' }} + KANIKO_GIT_HAMBURG_CCC_DE_USER: forgejo-actions + KANIKO_GIT_HAMBURG_CCC_DE_PASSWORD: ${{ secrets.PACKAGES_TOKEN }} + run: /kaniko/executor + --dockerfile="${{forgejo.workspace }}/keycloak/Containerfile" + --context="dir://${{ forgejo.workspace }}/keycloak" + --build-arg=TAG=${{ matrix.keycloak-version }} + --destination=git.hamburg.ccc.de/ccchh/oci-images/keycloak:${{ matrix.keycloak-version }} + --no-push-cache + --credential-helpers=env + --annotation=org.opencontainers.image.ref.name=keycloak + --annotation=org.opencontainers.image.url=${{ forgejo.server_url }}/${{ forgejo.repository }} + --annotation=org.opencontainers.image.source=${{ forgejo.server_url }}/${{ forgejo.repository }} diff --git a/.woodpecker/keycloak.yaml b/.woodpecker/keycloak.yaml deleted file mode 100644 index 2f76bd8..0000000 --- a/.woodpecker/keycloak.yaml +++ /dev/null 
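Review bot: The `Build attribute-endpoints-provider` step clones `keycloak-attribute-endpoints-provider` without a ref, so each daily run bakes whatever the default branch holds at that moment into an image tagged only with the Keycloak version. Pin the provider to a tag or commit and bump it deliberately, e.g. `git clone --branch <PROVIDER_TAG> https://git.hamburg.ccc.de/CCCHH/keycloak-attribute-endpoints-provider.git`. The `cp` target `${{ forgejo.workspace }}/keycloak/attribute-endpoints-provider.jar` is also unquoted, unlike the paths passed to the kaniko call.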
@@ -1,85 +0,0 @@ -when: - - event: push - path: - - 'keycloak/**' - - '.woodpecker/keycloak.yaml' - - event: cron - cron: daily - -# Manually set a workspace path, so we can use it literally, without using -# ${CI_WORKSPACE}, when running kaniko, since using ${CI_WORKSPACE} doesn't work. -# https://github.com/woodpecker-ci/woodpecker/issues/3982 -workspace: - path: src - -# Use matrix to set KEYCLOAK_VERSION instead of setting the KEYCLOAK_VERSION as -# an environment variable in the build-images step, since string substitution -# doesn't work for custom environment variables. -# https://github.com/woodpecker-ci/woodpecker/issues/3983 -# Also because global environment variables aren't a thing. -matrix: - KEYCLOAK_VERSION: - # renovate: datasource=docker depName=quay.io/keycloak/keycloak - - 26.6.0 - IMAGE_NAME: - - git.hamburg.ccc.de/ccchh/oci-images/keycloak - -steps: - - name: setup-image-path - image: alpine - commands: - - mkdir /woodpecker/images - - - name: build-attribute-endpoints-provider - image: alpine - commands: - - apk -u add maven git - - git clone https://git.hamburg.ccc.de/CCCHH/keycloak-attribute-endpoints-provider.git - - cd keycloak-attribute-endpoints-provider - - mvn -f attribute-endpoints-provider verify - - cp attribute-endpoints-provider/target/attribute-endpoints-provider-1.0-SNAPSHOT.jar /woodpecker/src/keycloak/attribute-endpoints-provider.jar - - - name: build-image - image: gcr.io/kaniko-project/executor - entrypoint: - - /kaniko/executor - - --context=dir:///woodpecker/src/keycloak - - --dockerfile=./Containerfile - - --build-arg=TAG=${KEYCLOAK_VERSION} - - --destination=${IMAGE_NAME}:${KEYCLOAK_VERSION} - - --no-push - - --tar-path=/woodpecker/images/keycloak.tar - - - name: publish-image - image: alpine - environment: - GIT_API_TOKEN: - from_secret: GIT_API_TOKEN - commands: - - apk -u add crane - - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN - - crane push /woodpecker/images/keycloak.tar 
$IMAGE_NAME:$KEYCLOAK_VERSION-$CI_COMMIT_BRANCH - - - name: tag-version - image: alpine - when: - - branch: main - environment: - GIT_API_TOKEN: - from_secret: GIT_API_TOKEN - commands: - - apk -u add crane - - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN - - crane tag $IMAGE_NAME:$KEYCLOAK_VERSION-$CI_COMMIT_BRANCH $KEYCLOAK_VERSION - - - name: tag-latest - image: alpine - when: - - branch: main - environment: - GIT_API_TOKEN: - from_secret: GIT_API_TOKEN - commands: - - apk -u add crane - - crane auth login git.hamburg.ccc.de -u woodpecker -p $GIT_API_TOKEN - - crane tag $IMAGE_NAME:$KEYCLOAK_VERSION-$CI_COMMIT_BRANCH latest From a1aec149aaf5abf0e15782c49c0acb09a1626f48 Mon Sep 17 00:00:00 2001 From: chris Date: Tue, 19 May 2026 21:28:11 +0200 Subject: [PATCH 31/31] nextcloud: also build version 33 of nextcloud --- .forgejo/workflows/build_nextcloud.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.forgejo/workflows/build_nextcloud.yml b/.forgejo/workflows/build_nextcloud.yml index 0f0619c..e2538a9 100644 --- a/.forgejo/workflows/build_nextcloud.yml +++ b/.forgejo/workflows/build_nextcloud.yml @@ -14,7 +14,7 @@ jobs: image: ghcr.io/osscontainertools/kaniko:alpine strategy: matrix: - nextcloud-version: [ 30, 31, 32 ] + nextcloud-version: [ 32, 33 ] steps: - name: Install required system packages run: apk add --no-cache nodejs