docs(ospo): community health rollout v2 — README, agents.md, health files

CODE_OF_CONDUCT.md

@@ -0,0 +1,8 @@
+# Code of Conduct
+
+This project follows the ownCloud Code of Conduct.
+
+Please read the full Code of Conduct at:
+**<https://owncloud.com/contribute/code-of-conduct/>**
+
+By participating in this project, you agree to abide by its terms.

CONTRIBUTING.md

@@ -0,0 +1,9 @@
+# Contributing
+
+Thank you for your interest in contributing to this project!
+
+Please read the full contributing guidelines at:
+**<https://owncloud.com/contribute/>**
+
+For development setup, coding standards, and pull request process,
+see the README in this repository.

README.md

@@ -1,42 +1,104 @@
-# Update Testing
+# Android Update Testing
 
-This project verifies that upgrading from an older version of the app to a newer one does not cause crashes or break functionality.
+<!-- OSPO-managed README | Generated: 2026-04-16 | v2 -->
 
-The tests in this repository are designed to run within a CI workflow that builds both the older and newer versions for every pull request.
+[![License](https://img.shields.io/badge/License-GPL--3.0-blue.svg)](LICENSE) [![ownCloud OSPO](https://img.shields.io/badge/OSPO-ownCloud-blue)](https://kiteworks.com/opensource)
 
-## Setup
+This repository provides automated tests that verify the ownCloud Android app upgrade path does not cause crashes or break functionality. The test suite installs an older version of the app, performs setup operations (login, file listing, passcode setup), then installs a newer version over the top and verifies that data and settings are preserved. It is designed to run within CI workflows that build both versions for every pull request.
 
-In the `local.properties` file
+## Part of Mobile (Android)
 
-- Name of the file containing older and newer version. By default: `owncloudSigned1.apk` and `owncloudSigned2.apk`.
-- Passcode to set in the app (4 digits)
-- Package name
-- Appium URL
+This repository is part of the QA infrastructure for the [ownCloud Android app](https://github.com/owncloud/android). It ensures that app updates do not introduce regressions in user data or settings persistence.
 
-## Execution
+## Getting Started
 
-The gradlew process launchs the tests with the following parameters:
+1. Configure `local.properties` with APK filenames, passcode, package name, and Appium URL
+2. Run the tests with Gradle:
 
-- Server URL: ownCloud server to test. Basic auth as 1st auth method.
-- Username: available in the server.
-- Password: for the username to access.
-- Commit: hash to compare against `latest` tag in CI.
-
-Command:
-
-```
+```bash
 ./gradlew clean test -Dserver="https://myserver:9200" -Dusername=john -Dpassword=mypass -Dcommit=87a6f33
 ```
 
-## Process
+### Test Process
+
+1. Adds example files to the given account
+2. Installs the older version (`owncloudSigned1.apk`)
+3. Logs in with the given credentials
+4. Checks list of files and adds a passcode
+5. Installs the newer version over the older one (without reinstalling)
+6. Verifies the passcode, file list, and commit hash
+
+## Documentation
+
+- See this README for usage instructions
+- [ownCloud Android app](https://github.com/owncloud/android)
+
+## Community & Support
+
+**[Star](https://github.com/owncloud/android-update-testing)** this repo and **Watch** for release notifications!
+
+- [ownCloud Website](https://owncloud.com)
+- [Community Discussions](https://github.com/orgs/owncloud/discussions)
+- [Matrix Chat](https://app.element.io/#/room/#owncloud:matrix.org)
+- [Documentation](https://doc.owncloud.com)
+- [Enterprise Support](https://owncloud.com/contact-us/)
+- [OSPO Home](https://kiteworks.com/opensource)
+
+## Contributing
+
+We welcome contributions! Please read the [Contributing Guidelines](CONTRIBUTING.md)
+and our [Code of Conduct](CODE_OF_CONDUCT.md) before getting started.
+
+### Workflow
+
+- **Rebase Early, Rebase Often!** We use a rebase workflow. Always rebase on the target branch before submitting a PR.
+- **Dependabot**: Automated dependency updates are managed via Dependabot. Review and merge dependency PRs promptly.
+- **Signed Commits**: All commits **must** be PGP/GPG signed. See [GitHub's signing guide](https://docs.github.com/en/authentication/managing-commit-signature-verification).
+- **DCO Sign-off**: Every commit must carry a `Signed-off-by` line:
+  ```
+  git commit -s -S -m "your commit message"
+  ```
+- **GitHub Actions Policy**: Workflows may only use actions that are (a) owned by `owncloud`, (b) created by GitHub (`actions/*`), or (c) verified in the GitHub Marketplace.
+
+## Security
+
+**Do not open a public GitHub issue for security vulnerabilities.**
+
+Report vulnerabilities at **<https://security.owncloud.com>** -- see [SECURITY.md](SECURITY.md).
+
+Bug bounty: [YesWeHack ownCloud Program](https://yeswehack.com/programs/owncloud-bug-bounty-program)
+
+## License
+
+This project is licensed under the [GPL-3.0](LICENSE).
+
+## About the ownCloud OSPO
+
+The [Kiteworks Open Source Program Office](https://kiteworks.com/opensource), operating under
+the [ownCloud](https://owncloud.com) brand, launched on May 5, 2026, to steward the open source
+ecosystem around ownCloud's products. The OSPO ensures transparent governance, license compliance,
+community health, and sustainable collaboration between the open source community and
+[Kiteworks](https://www.kiteworks.com), which acquired ownCloud in 2023.
+
+- **OSPO Home**: <https://kiteworks.com/opensource>
+- **GitHub**: <https://github.com/owncloud>
+- **ownCloud**: <https://owncloud.com>
+
+For questions about the OSPO or licensing, contact ospo@kiteworks.com.
+
+### License Migration to Apache 2.0
+
+The OSPO is driving a strategic relicensing of ownCloud repositories toward the
+[Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0), following
+the [Apache Software Foundation's third-party license policy](https://www.apache.org/legal/resolved.html).
+
+Individual repositories will migrate as their audit is completed. The LICENSE file
+in each repo reflects its **current** license status (not the target).
 
-1. Add some example files to the given account
-2. Install the older version `owncloudSigned1.apk`
-3. Log in by using the given credentials
-4. Check list of files
-5. Add a passcode to the app
-6. Install the newest version over the older (without reinstalling)
-7. Verifies the passcode, the list of files, and the commit hash
+**Current license: GPL-3.0** (Category X per Apache policy -- cannot be included in Apache-2.0 works).
 
-(open to add more checks)
+Migration prerequisites for this repository:
 
+- **CLA/DCO coverage**: All past contributors must have signed agreements permitting relicensing
+- **Copyleft dependency audit**: All GPL dependencies must be replaced or isolated
+- **Complete relicensing**: GPL-3.0 is a strong copyleft license; migration requires full relicensing of all files

SECURITY.md

@@ -0,0 +1,11 @@
+# Security Policy
+
+## Reporting a Vulnerability
+
+**Do NOT open a public GitHub issue for security vulnerabilities.**
+
+Please report security issues responsibly via:
+**<https://security.owncloud.com>**
+
+You can also report vulnerabilities through our YesWeHack bug bounty program:
+**<https://yeswehack.com/programs/owncloud-bug-bounty-program>**

SUPPORT.md

@@ -0,0 +1,10 @@
+# Support
+
+For support with this project, please use the following channels:
+
+- **Enterprise Support**: <https://owncloud.com/contact-us/>
+- **Community discussions**: https://github.com/orgs/owncloud/discussions
+- **Matrix Chat**: <https://app.element.io/#/room/#owncloud:matrix.org>
+- **Documentation**: <https://doc.owncloud.com>
+
+Please do not use GitHub issues for general support questions.

agents.md

@@ -0,0 +1,66 @@
+# AI Agent Guidelines for Android Update Testing
+
+This file provides context for AI coding agents (Claude Code, GitHub Copilot, Cursor, etc.) working in this repository.
+
+## Repository Overview
+- **Product family:** Mobile (Android)
+- **Primary language(s):** Java
+- **Build system:** Gradle
+- **Test framework:** JUnit, Appium
+- **CI system:** GitHub Actions
+
+## Architecture & Key Paths
+- `src/` - Test source code
+- `server/` - Server setup scripts
+- `build.gradle` - Gradle build configuration
+- `gradle/` - Gradle wrapper
+- `runAppium.sh` - Appium server launcher
+- `local.properties` - Local configuration (APK names, passcode, package name, Appium URL)
+
+## Development Conventions
+- **Branching:** main
+- **Commit messages:** DCO sign-off required (`git commit -s`)
+- **Code style:** No specific linter configured
+- **PR process:** Open a PR against main. All CI checks must pass.
+
+## Build & Test Commands
+```bash
+# Build
+./gradlew build
+
+# Test
+./gradlew clean test -Dserver="https://myserver:9200" -Dusername=john -Dpassword=mypass -Dcommit=87a6f33
+```
+
+## Important Constraints
+- All code contributions must be compatible with the **GPL-3.0** license
+- Do not introduce new **copyleft-licensed dependencies** (GPL, AGPL, LGPL, MPL) without explicit discussion in an issue first. This is especially important for repos migrating to Apache 2.0.
+- Do not introduce new dependencies without discussion in an issue first
+- Tests require a running Appium server and an Android device/emulator
+- Tests require two APK files (older and newer versions) and a running ownCloud server
+
+
+## OSPO Policy Constraints
+
+### GitHub Actions
+- **Only** use actions owned by `owncloud`, created by GitHub (`actions/*`), verified on the GitHub Marketplace, or verified by the ownCloud Maintainers.
+- Pin all actions to their full commit SHA (not tags): `uses: actions/checkout@<SHA> # vX.Y.Z`
+- Never introduce actions from unverified third parties.
+
+### Dependency Management
+- Dependabot is configured for automated dependency updates.
+- Review and merge Dependabot PRs as part of regular maintenance.
+- Do not introduce new dependencies without discussion in an issue first.
+
+### Git Workflow
+- **Rebase policy**: Always rebase; never create merge commits. Use `git pull --rebase` and `git rebase` before pushing.
+- **Signed commits**: All commits **must** be PGP/GPG signed (`git commit -S -s`).
+- **DCO sign-off**: Every commit needs a `Signed-off-by` line (`git commit -s`).
+- **Conventional Commits & Squash Merge**: Use the [Conventional Commits](https://www.conventionalcommits.org/) format where the repository enforces it. Many repos use squash merge, where the PR title becomes the commit message on the default branch — apply Conventional Commits format to PR titles as well. A reusable GitHub Actions workflow enforces this.
+
+## Context for AI Agents
+- Match existing code style
+- Do not refactor unrelated code in the same PR
+- Write tests for new functionality
+- Keep PRs focused and atomic
+- This is a focused test repo - changes should relate to update/upgrade testing only