docs(ospo): community health rollout v2 — README, agents.md, health files

CODE_OF_CONDUCT.md

@@ -0,0 +1,8 @@
+# Code of Conduct
+
+This project follows the ownCloud Code of Conduct.
+
+Please read the full Code of Conduct at:
+**<https://owncloud.com/contribute/code-of-conduct/>**
+
+By participating in this project, you agree to abide by its terms.

CONTRIBUTING.md

@@ -0,0 +1,9 @@
+# Contributing
+
+Thank you for your interest in contributing to this project!
+
+Please read the full contributing guidelines at:
+**<https://owncloud.com/contribute/>**
+
+For development setup, coding standards, and pull request process,
+see the README in this repository.

README.md

@@ -1 +1,101 @@
-# reusable-workflows
+# Reusable Workflows
+
+<!-- OSPO-managed README | Generated: 2026-04-16 | v2 -->
+
+[![License](https://img.shields.io/badge/License-See%20Repository-blue.svg)](LICENSE) [![ownCloud OSPO](https://img.shields.io/badge/OSPO-ownCloud-blue)](https://kiteworks.com/opensource)
+
+A collection of reusable GitHub Actions workflow definitions for the ownCloud organization. These shared workflows standardize CI/CD patterns -- such as linting, testing, building, and deploying -- across multiple ownCloud repositories, reducing duplication and ensuring consistent automation practices.
+
+## Getting Started
+
+Follow the steps below to use these workflows in your repository.
+
+### Using a Workflow
+
+Reference a workflow from this repository in your GitHub Actions configuration:
+
+```yaml
+jobs:
+  build:
+    uses: owncloud/reusable-workflows/.github/workflows/<workflow-name>.yml@main
+    with:
+      # workflow-specific inputs
+    secrets:
+      # workflow-specific secrets
+```
+
+See the `.github/workflows/` directory for available workflow definitions.
+
+## Documentation
+
+- [GitHub Reusable Workflows](https://docs.github.com/en/actions/using-workflows/reusing-workflows)
+
+## Part of ownCloud Infrastructure
+
+These reusable workflows are referenced by repositories across the [ownCloud GitHub organization](https://github.com/owncloud) using the `uses: owncloud/reusable-workflows/.github/workflows/<name>@<ref>` syntax.
+
+## Community & Support
+
+**[Star](https://github.com/owncloud/reusable-workflows)** this repo and **Watch** for release notifications!
+
+- [ownCloud Website](https://owncloud.com)
+- [Community Discussions](https://github.com/orgs/owncloud/discussions)
+- [Matrix Chat](https://app.element.io/#/room/#owncloud:matrix.org)
+- [Documentation](https://doc.owncloud.com)
+- [Enterprise Support](https://owncloud.com/contact-us/)
+- [OSPO Home](https://kiteworks.com/opensource)
+
+## Contributing
+
+We welcome contributions! Please read the [Contributing Guidelines](CONTRIBUTING.md)
+and our [Code of Conduct](CODE_OF_CONDUCT.md) before getting started.
+
+### Workflow
+
+- **Rebase Early, Rebase Often!** We use a rebase workflow. Always rebase on the target branch before submitting a PR.
+- **Dependabot**: Automated dependency updates are managed via Dependabot. Review and merge dependency PRs promptly.
+- **Signed Commits**: All commits **must** be PGP/GPG signed. See [GitHub's signing guide](https://docs.github.com/en/authentication/managing-commit-signature-verification).
+- **DCO Sign-off**: Every commit must carry a `Signed-off-by` line:
+  ```
+  git commit -s -S -m "your commit message"
+  ```
+- **GitHub Actions Policy**: Workflows may only use actions that are (a) owned by `owncloud`, (b) created by GitHub (`actions/*`), or (c) verified in the GitHub Marketplace.
+
+## Security
+
+**Do not open a public GitHub issue for security vulnerabilities.**
+
+Report vulnerabilities at **<https://security.owncloud.com>** -- see [SECURITY.md](SECURITY.md).
+
+Bug bounty: [YesWeHack ownCloud Program](https://yeswehack.com/programs/owncloud-bug-bounty-program)
+
+## License
+
+See [LICENSE](LICENSE) for license details.
+
+## About the ownCloud OSPO
+
+The [Kiteworks Open Source Program Office](https://kiteworks.com/opensource), operating under
+the [ownCloud](https://owncloud.com) brand, launched on May 5, 2026, to steward the open source
+ecosystem around ownCloud's products. The OSPO ensures transparent governance, license compliance,
+community health, and sustainable collaboration between the open source community and
+[Kiteworks](https://www.kiteworks.com), which acquired ownCloud in 2023.
+
+- **OSPO Home**: <https://kiteworks.com/opensource>
+- **GitHub**: <https://github.com/owncloud>
+- **ownCloud**: <https://owncloud.com>
+
+For questions about the OSPO or licensing, contact ospo@kiteworks.com.
+
+### License Migration to Apache 2.0
+
+The OSPO is driving a strategic relicensing of ownCloud repositories toward the
+[Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0), following
+the [Apache Software Foundation's third-party license policy](https://www.apache.org/legal/resolved.html).
+
+Individual repositories will migrate as their audit is completed. The LICENSE file
+in each repo reflects its **current** license status (not the target).
+
+**Current license: Not detected.** The OSPO will determine the current license status of this
+repository before planning any migration steps. If you know the intended license, please open an
+issue or contact ospo@kiteworks.com.

SECURITY.md

@@ -0,0 +1,11 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+**Do NOT open a public GitHub issue for security vulnerabilities.**
+
+Please report security issues responsibly via:
+**<https://security.owncloud.com>**
+
+You can also report vulnerabilities through our YesWeHack bug bounty program:
+**<https://yeswehack.com/programs/owncloud-bug-bounty-program>**

SUPPORT.md

@@ -0,0 +1,10 @@
+# Support
+
+For support with this project, please use the following channels:
+
+- **Enterprise Support**: <https://owncloud.com/contact-us/>
+- **Community discussions**: https://github.com/orgs/owncloud/discussions
+- **Matrix Chat**: <https://app.element.io/#/room/#owncloud:matrix.org>
+- **Documentation**: <https://doc.owncloud.com>
+
+Please do not use GitHub issues for general support questions.

agents.md

@@ -0,0 +1,54 @@
+# agents.md -- Reusable Workflows
+
+## Repository Overview
+
+Collection of reusable GitHub Actions workflow definitions for the ownCloud organization. No license file detected. Used across multiple repositories for standardized CI/CD.
+
+- **Product family:** Infrastructure / Tooling
+- **Primary language(s):** YAML
+
+## Architecture & Key Paths
+
+- `.github/workflows/` -- Reusable workflow definitions
+- Each workflow file is a standalone reusable unit called by other repositories.
+- Inputs and secrets are declared at the top of each workflow file.
+
+## Development Conventions
+
+- GitHub Actions YAML workflow syntax
+- Called via `uses: owncloud/reusable-workflows/.github/workflows/<name>@<ref>`
+- Pin callers to a specific commit SHA or tag for reproducibility.
+
+## Build & Test Commands
+
+No build commands -- these are declarative YAML workflow definitions.
+
+## Important Constraints
+
+- No license file detected. The OSPO is reviewing licensing for all repositories, with a goal of migrating to Apache 2.0 where possible. Repos with copyleft dependencies require auditing first.
+- Do not introduce new **copyleft-licensed dependencies** (GPL, AGPL, LGPL, MPL) without explicit discussion in an issue first. This is especially important for repos that are migrating to or already under Apache 2.0, as copyleft dependencies would block or complicate that migration.
+- Changes affect all repositories that reference these workflows.
+- All contributions require a DCO sign-off.
+
+
+## OSPO Policy Constraints
+
+### GitHub Actions
+- **Only** use actions owned by `owncloud`, created by GitHub (`actions/*`), verified on the GitHub Marketplace, or verified by the ownCloud Maintainers.
+- Pin all actions to their full commit SHA (not tags): `uses: actions/checkout@<SHA> # vX.Y.Z`
+- Never introduce actions from unverified third parties.
+
+### Dependency Management
+- Dependabot is configured for automated dependency updates.
+- Review and merge Dependabot PRs as part of regular maintenance.
+- Do not introduce new dependencies without discussion in an issue first.
+
+### Git Workflow
+- **Rebase policy**: Always rebase; never create merge commits. Use `git pull --rebase` and `git rebase` before pushing.
+- **Signed commits**: All commits **must** be PGP/GPG signed (`git commit -S -s`).
+- **DCO sign-off**: Every commit needs a `Signed-off-by` line (`git commit -s`).
+- **Conventional Commits & Squash Merge**: Use the [Conventional Commits](https://www.conventionalcommits.org/) format where the repository enforces it. Many repos use squash merge, where the PR title becomes the commit message on the default branch — apply Conventional Commits format to PR titles as well. A reusable GitHub Actions workflow enforces this.
+
+## Context for AI Agents
+
+This repository contains shared GitHub Actions workflows. Modifying a workflow here may affect CI/CD across the entire ownCloud organization. Changes should be tested carefully and versioned.