test workflow

Author: jakub-tldr

.github/workflows/update-chocolatey-dry-run.yml

@@ -0,0 +1,84 @@
+name: Chocolatey update dry run
+
+on:
+  push:
+    branches:
+      - chocolatey-update
+
+jobs:
+  chocolatey-dry-run:
+    runs-on: windows-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+        with:
+          submodules: recursive
+
+      - name: Resolve latest release tag
+        shell: pwsh
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          $tag = gh release list --limit 20 --exclude-drafts --json tagName,isPrerelease --jq '.[] | select(.isPrerelease==false) | .tagName' | Select-Object -First 1
+          if (-not $tag) { throw "No non-prerelease tags found." }
+          "RELEASE_TAG=$tag" | Out-File -FilePath $env:GITHUB_ENV -Append
+          $version = $tag.TrimStart('v').Split('-')[0]
+          "VERSION=$version" | Out-File -FilePath $env:GITHUB_ENV -Append
+
+      - name: Download MSI asset
+        shell: pwsh
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          $msiName = "Defguard_${env:VERSION}_x64_en-US.msi"
+          gh release download "$env:RELEASE_TAG" --pattern $msiName --dir "$pwd"
+
+      - name: Calculate MSI checksum
+        shell: pwsh
+        run: |
+          $msiName = "Defguard_${env:VERSION}_x64_en-US.msi"
+          $hash = (Get-FileHash -Algorithm SHA256 -Path $msiName).Hash.ToLower()
+          "MSI_SHA256=$hash" | Out-File -FilePath $env:GITHUB_ENV -Append
+
+      - name: Update Chocolatey package files
+        shell: pwsh
+        working-directory: chocolatey/defguard
+        run: |
+          $msiUrl = "https://github.com/DefGuard/client/releases/download/v$env:VERSION/Defguard_$env:VERSION_x64_en-US.msi"
+          $nuspecPath = "defguard.nuspec"
+          $installPath = "tools\chocolateyinstall.ps1"
+
+          (Get-Content -Raw $nuspecPath) `
+            -replace '<version>[^<]+</version>', "<version>$env:VERSION</version>" `
+            -replace '<packageSourceUrl>[^<]+</packageSourceUrl>', "<packageSourceUrl>$msiUrl</packageSourceUrl>" |
+            Set-Content -NoNewline -Encoding UTF8 $nuspecPath
+
+          (Get-Content -Raw $installPath) `
+            -replace "^\$url\s*=\s*'.*'$", "`$url        = '$msiUrl'" `
+            -replace "checksum\s*=\s*'[^']+'", "checksum      = '$env:MSI_SHA256'" |
+            Set-Content -NoNewline -Encoding UTF8 $installPath
+
+      - name: Debug updated files
+        shell: pwsh
+        working-directory: chocolatey/defguard
+        run: |
+          Write-Output "=== defguard.nuspec ==="
+          Get-Content defguard.nuspec
+          Write-Output "=== tools\chocolateyinstall.ps1 ==="
+          Get-Content tools\chocolateyinstall.ps1
+
+      - name: Refresh local nupkg
+        shell: pwsh
+        working-directory: chocolatey/defguard
+        run: |
+          $old = Get-ChildItem -Filter "defguard.*.nupkg" | Where-Object { $_.Name -ne "defguard.$env:VERSION.nupkg" }
+          if ($old) { $old | Remove-Item -Force }
+
+      - name: Pack Chocolatey package
+        shell: pwsh
+        working-directory: chocolatey/defguard
+        run: choco pack
+
+      - name: Dry run complete
+        shell: pwsh
+        run: Write-Output "Dry run finished successfully. No push executed."

.github/workflows/update-chocolatey.yml

@@ -0,0 +1,73 @@
+# name: Update Chocolatey package
+
+# on:
+#   release:
+#     types: [published]
+
+# jobs:
+#   update-chocolatey:
+#     if: github.event.release.prerelease == false
+#     runs-on: windows-latest
+#     steps:
+#       - name: Checkout
+#         uses: actions/checkout@v6
+
+#       - name: Set release version
+#         shell: pwsh
+#         run: |
+#           $version = "${{ github.event.release.tag_name }}".TrimStart('v').Split('-')[0]
+#           "VERSION=$version" | Out-File -FilePath $env:GITHUB_ENV -Append
+
+#       - name: Download MSI asset
+#         shell: pwsh
+#         env:
+#           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+#         run: |
+#           $msiName = "Defguard_${env:VERSION}_x64_en-US.msi"
+#           gh release download "${{ github.event.release.tag_name }}" --pattern $msiName --dir "$pwd"
+
+#       - name: Calculate MSI checksum
+#         shell: pwsh
+#         run: |
+#           $msiName = "Defguard_${env:VERSION}_x64_en-US.msi"
+#           $hash = (Get-FileHash -Algorithm SHA256 -Path $msiName).Hash.ToLower()
+#           "MSI_SHA256=$hash" | Out-File -FilePath $env:GITHUB_ENV -Append
+
+#       - name: Update Chocolatey package files
+#         shell: pwsh
+#         working-directory: chocolatey/defguard
+#         run: |
+#           $msiUrl = "https://github.com/DefGuard/client/releases/download/v$env:VERSION/Defguard_$env:VERSION_x64_en-US.msi"
+#           $nuspecPath = "defguard.nuspec"
+#           $installPath = "tools\chocolateyinstall.ps1"
+
+#           (Get-Content -Raw $nuspecPath) `
+#             -replace '<version>[^<]+</version>', "<version>$env:VERSION</version>" `
+#             -replace '<packageSourceUrl>[^<]+</packageSourceUrl>', "<packageSourceUrl>$msiUrl</packageSourceUrl>" |
+#             Set-Content -NoNewline -Encoding UTF8 $nuspecPath
+
+#           (Get-Content -Raw $installPath) `
+#             -replace "^\$url\s*=\s*'.*'$", "`$url        = '$msiUrl'" `
+#             -replace "checksum\s*=\s*'[^']+'", "checksum      = '$env:MSI_SHA256'" |
+#             Set-Content -NoNewline -Encoding UTF8 $installPath
+
+#       - name: Refresh local nupkg
+#         shell: pwsh
+#         working-directory: chocolatey/defguard
+#         run: |
+#           $old = Get-ChildItem -Filter "defguard.*.nupkg" | Where-Object { $_.Name -ne "defguard.$env:VERSION.nupkg" }
+#           if ($old) { $old | Remove-Item -Force }
+
+#       - name: Pack Chocolatey package
+#         shell: pwsh
+#         working-directory: chocolatey/defguard
+#         run: choco pack
+
+#       - name: Push Chocolatey package
+#         shell: pwsh
+#         working-directory: chocolatey/defguard
+#         env:
+#           CHOCO_API_KEY: ${{ secrets.CHOCO_API_KEY }}
+#         run: |
+#           $nupkg = "defguard.$env:VERSION.nupkg"
+#           choco push $nupkg --source "https://push.chocolatey.org/" -k="$env:CHOCO_API_KEY"

chocolatey/defguard/README.md

@@ -0,0 +1,27 @@
+# Defguard Chocolatey package
+
+This directory contains the Chocolatey package source for Defguard.
+The GitHub Actions workflow updates version, MSI URL, and checksum after a release is published.
+
+## Workflow behavior
+
+- Trigger: GitHub release `published` (non-prerelease).
+- Source MSI: Release asset named `Defguard_<version>_x64_en-US.msi`.
+- Updated files:
+  - `defguard.nuspec` (`<version>`, `<packageSourceUrl>`)
+  - `tools/chocolateyinstall.ps1` (`$url`, `checksum`)
+- Package build: `choco pack`.
+- Package push: `choco push` to `https://push.chocolatey.org/`.
+
+## Required secret
+
+- `CHOCO_API_KEY` in GitHub repo secrets.
+
+## Local testing (Windows)
+
+From this directory:
+
+```
+choco pack
+choco install defguard --source .
+```

chocolatey/defguard/defguard.nuspec

@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Read this before creating packages: https://docs.chocolatey.org/en-us/create/create-packages -->
+<!-- It is especially important to read the above link to understand additional requirements when publishing packages to the community feed aka dot org (https://community.chocolatey.org/packages). -->
+
+<!-- Test your packages in a test environment: https://github.com/chocolatey/chocolatey-test-environment -->
+
+<!--
+This is a nuspec. It mostly adheres to https://docs.nuget.org/create/Nuspec-Reference. Chocolatey uses a special version of NuGet.Core that allows us to do more than was initially possible. As such there are certain things to be aware of:
+
+* the package xmlns schema url may cause issues with nuget.exe
+* Any of the following elements can ONLY be used by choco tools - projectSourceUrl, docsUrl, mailingListUrl, bugTrackerUrl, packageSourceUrl, provides, conflicts, replaces
+* nuget.exe can still install packages with those elements but they are ignored. Any authoring tools or commands will error on those elements
+-->
+
+<!-- You can embed software files directly into packages, as long as you are not bound by distribution rights. -->
+<!-- * If you are an organization making private packages, you probably have no issues here -->
+<!-- * If you are releasing to the community feed, you need to consider distribution rights. -->
+<!-- Do not remove this test for UTF-8: if “Ω” doesn’t appear as greek uppercase omega letter enclosed in quotation marks, you should use an editor that supports UTF-8, not this one. -->
+<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
+  <metadata>
+    <!-- == PACKAGE SPECIFIC SECTION == -->
+    <!-- This section is about this package, although id and version have ties back to the software -->
+    <!-- id is lowercase and if you want a good separator for words, use '-', not '.'. Dots are only acceptable as suffixes for certain types of packages, e.g. .install, .portable, .extension, .template -->
+    <!-- If the software is cross-platform, attempt to use the same id as the debian/rpm package(s) if possible. -->
+    <id>defguard</id>
+    <!-- version should MATCH as closely as possible with the underlying software -->
+    <!-- Is the version a prerelease of a version? https://docs.nuget.org/create/versioning#creating-prerelease-packages -->
+    <!-- Note that unstable versions like 0.0.1 can be considered a released version, but it's possible that one can release a 0.0.1-beta before you release a 0.0.1 version. If the version number is final, that is considered a released version and not a prerelease. -->
+    <version>1.6.5</version>
+    <packageSourceUrl>https://github.com/DefGuard/client/releases/download/v1.6.5/Defguard_1.6.5_x64_en-US.msi</packageSourceUrl>
+    <!-- owners is a poor name for maintainers of the package. It sticks around by this name for compatibility reasons. It basically means you. -->
+    <!--<owners>Defguard</owners>-->
+    <!-- ============================== -->
+
+    <!-- == SOFTWARE SPECIFIC SECTION == -->
+    <!-- This section is about the software itself -->
+    <title>Defguard</title>
+    <authors>Defguard</authors>
+    <!-- projectUrl is required for the community feed -->
+    <projectUrl>https://defguard.net</projectUrl>
+    <!-- There are a number of CDN Services that can be used for hosting the Icon for a package. More information can be found here: https://docs.chocolatey.org/en-us/create/create-packages#package-icon-guidelines -->
+    <!-- Here is an example using Githack -->
+    <iconUrl>http://rawcdn.githack.com/defguard/client/main/src/shared/images/png/logo_256-256.png</iconUrl>
+    <copyright>2026</copyright>
+    <!-- If there is a license Url available, it is required for the community feed -->
+    <licenseUrl>https://github.com/DefGuard/client/blob/main/LICENSE.md</licenseUrl>
+    <requireLicenseAcceptance>true</requireLicenseAcceptance>
+    <projectSourceUrl>https://github.com/DefGuard/client</projectSourceUrl>
+    <docsUrl>https://docs.defguard.net/</docsUrl>
+    <!--<mailingListUrl></mailingListUrl>-->
+    <bugTrackerUrl>https://github.com/DefGuard/client/issues</bugTrackerUrl>
+    <tags>defguard vpn wireguard sso mfa</tags>
+    <summary>Desktop client for Defguard - Wireguard VPN with MFA</summary>
+    <description>Desktop client provides an easy way to access VPN locations of multiple Defguard instances via user-friendly UI.</description>
+    <releaseNotes>https://github.com/DefGuard/client/releases</releaseNotes>
+    <!-- =============================== -->
+
+    <!-- Specifying dependencies and version ranges? https://docs.nuget.org/create/versioning#specifying-version-ranges-in-.nuspec-files -->
+    <!--<dependencies>
+      <dependency id="" version="__MINIMUM_VERSION__" />
+      <dependency id="" version="[__EXACT_VERSION__]" />
+      <dependency id="" version="[_MIN_VERSION_INCLUSIVE, MAX_VERSION_INCLUSIVE]" />
+      <dependency id="" version="[_MIN_VERSION_INCLUSIVE, MAX_VERSION_EXCLUSIVE)" />
+      <dependency id="" />
+      <dependency id="chocolatey-core.extension" version="1.1.0" />
+    </dependencies>-->
+    <!-- chocolatey-core.extension - https://community.chocolatey.org/packages/chocolatey-core.extension -->
+
+    <!--<provides>NOT YET IMPLEMENTED</provides>-->
+    <!--<conflicts>NOT YET IMPLEMENTED</conflicts>-->
+    <!--<replaces>NOT YET IMPLEMENTED</replaces>-->
+  </metadata>
+  <files>
+    <!-- this section controls what actually gets packaged into the Chocolatey package -->
+    <file src="tools\**" target="tools" />
+  </files>
+</package>

chocolatey/defguard/tools/LICENSE.txt

@@ -0,0 +1,11 @@
+
+Note: Include this file if including binaries you have the right to distribute.
+Otherwise delete. this file.
+
+===DELETE ABOVE THIS LINE AND THIS LINE===
+
+From: <insert applicable license url here>
+
+LICENSE
+
+<Insert License Here>

chocolatey/defguard/tools/chocolateybeforemodify.ps1

@@ -0,0 +1,9 @@
+# This runs before upgrade or uninstall.
+# Use this file to do things like stop services prior to upgrade or uninstall.
+# NOTE: It is an anti-pattern to call chocolateyUninstall.ps1 from here. If you
+#  need to uninstall an MSI prior to upgrade, put the functionality in this
+#  file without calling the uninstall script. Make it idempotent in the
+#  uninstall script so that it doesn't fail when it is already uninstalled.
+# NOTE: For upgrades - like the uninstall script, this script always runs from
+#  the currently installed version, not from the new upgraded package version.
+

chocolatey/defguard/tools/chocolateyinstall.ps1

@@ -0,0 +1,23 @@
+$ErrorActionPreference = 'Stop'
+$toolsDir   = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"
+$url        = 'https://github.com/DefGuard/client/releases/download/v1.6.5/Defguard_1.6.5_x64_en-US.msi'
+
+
+$packageArgs = @{
+  packageName   = $env:ChocolateyPackageName
+  unzipLocation = $toolsDir
+  fileType      = 'msi'
+  url           = $url
+
+  softwareName  = 'defguard*'
+
+  checksum      = 'be99afe71ab88e0add4905721471d0d40935c33ae7cdb47084ba53a91d675cc7'
+  checksumType  = 'sha256'
+
+
+  silentArgs    = "/qn /norestart /l*v `"$($env:TEMP)\$($packageName).$($env:chocolateyPackageVersion).MsiInstall.log`""
+  validExitCodes= @(0, 3010, 1641)
+}
+
+Install-ChocolateyPackage @packageArgs
+Write-Warning "IMPORTANT: Reboot or Re-login Required: On initial install the user is added to the defguard group.A reboot or logging out and back in is required for group membership changes to take effect. This is not required on subsequent updates."

chocolatey/defguard/tools/chocolateyuninstall.ps1

@@ -0,0 +1,32 @@
+$ErrorActionPreference = 'Stop'
+$packageArgs = @{
+  packageName   = $env:ChocolateyPackageName
+  softwareName  = 'defguard*'
+  fileType      = 'msi'
+  silentArgs    = "/qn /norestart"
+  validExitCodes= @(0, 3010, 1605, 1614, 1641)
+}
+
+[array]$key = Get-UninstallRegistryKey -SoftwareName $packageArgs['softwareName']
+
+if ($key.Count -eq 1) {
+  $key | % {
+    $packageArgs['file'] = "$($_.UninstallString)"
+
+    if ($packageArgs['fileType'] -eq 'MSI') {
+      $packageArgs['silentArgs'] = "$($_.PSChildName) $($packageArgs['silentArgs'])"
+
+      $packageArgs['file'] = ''
+    } else {
+    }
+
+    Uninstall-ChocolateyPackage @packageArgs
+  }
+} elseif ($key.Count -eq 0) {
+  Write-Warning "$packageName has already been uninstalled by other means."
+} elseif ($key.Count -gt 1) {
+  Write-Warning "$($key.Count) matches found!"
+  Write-Warning "To prevent accidental data loss, no programs will be uninstalled."
+  Write-Warning "Please alert package maintainer the following keys were matched:"
+  $key | % {Write-Warning "- $($_.DisplayName)"}
+}