Chocolatey update workflow (#873)

Author: jakub-tldr

.github/workflows/update-chocolatey.yml

@@ -0,0 +1,77 @@
+name: Update Chocolatey package
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  update-chocolatey:
+    if: github.event.release.prerelease == false
+    runs-on: windows-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Set release version
+        shell: pwsh
+        run: |
+          $version = "${{ github.event.release.tag_name }}".TrimStart('v').Split('-')[0]
+          "VERSION=$version" | Out-File -FilePath $env:GITHUB_ENV -Append
+
+      - name: Set MSI variables
+        shell: pwsh
+        run: |
+          $msiName = "Defguard_${env:VERSION}_x64_en-US.msi"
+          $msiUrl = "https://github.com/DefGuard/client/releases/download/v${env:VERSION}/Defguard_${env:VERSION}_x64_en-US.msi"
+          "MSI_NAME=$msiName" | Out-File -FilePath $env:GITHUB_ENV -Append
+          "MSI_URL=$msiUrl" | Out-File -FilePath $env:GITHUB_ENV -Append
+
+      - name: Download MSI asset
+        shell: pwsh
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          gh release download "${{ github.event.release.tag_name }}" --pattern $env:MSI_NAME --dir "$pwd"
+
+      - name: Calculate MSI checksum
+        shell: pwsh
+        run: |
+          $hash = (Get-FileHash -Algorithm SHA256 -Path $env:MSI_NAME).Hash.ToLower()
+          "MSI_SHA256=$hash" | Out-File -FilePath $env:GITHUB_ENV -Append
+
+      - name: Update Chocolatey package files
+        shell: pwsh
+        working-directory: chocolatey/defguard
+        run: |
+          $nuspecPath = "defguard.nuspec"
+          $installPath = "tools\chocolateyinstall.ps1"
+
+          (Get-Content -Raw $nuspecPath) `
+            -replace '<version>[^<]+</version>', "<version>$env:VERSION</version>" |
+            Set-Content -NoNewline -Encoding UTF8 $nuspecPath
+
+          $content = Get-Content -Raw $installPath
+          $content = $content -replace '__MSI_URL__',      $env:MSI_URL
+          $content = $content -replace '__MSI_CHECKSUM__', $env:MSI_SHA256
+          $content | Set-Content -NoNewline -Encoding UTF8 $installPath
+
+      - name: Refresh local nupkg
+        shell: pwsh
+        working-directory: chocolatey/defguard
+        run: |
+          $old = Get-ChildItem -Filter "defguard.*.nupkg" | Where-Object { $_.Name -ne "defguard.$env:VERSION.nupkg" }
+          if ($old) { $old | Remove-Item -Force }
+
+      - name: Pack Chocolatey package
+        shell: pwsh
+        working-directory: chocolatey/defguard
+        run: choco pack
+
+      - name: Push Chocolatey package
+        shell: pwsh
+        working-directory: chocolatey/defguard
+        env:
+          CHOCO_API_KEY: ${{ secrets.CHOCO_API_KEY }}
+        run: |
+          $nupkg = "defguard.$env:VERSION.nupkg"
+          choco push $nupkg --source "https://push.chocolatey.org/" -k="$env:CHOCO_API_KEY"

.trivyignore.yaml

@@ -1,4 +1,4 @@
 vulnerabilities:
   - id: GHSA-wrw7-89jp-8q8g
-    expired_at: 2026-05-16
+    expired_at: 2026-08-18
     statement: 'glib is a transitive dependency of Tauri which we cannot update ourselves. Waiting for tauri to finish migration to gtk4-rs: https://github.com/tauri-apps/tauri/issues/12563'

chocolatey/defguard/README.md

@@ -0,0 +1,27 @@
+# Defguard Chocolatey package
+
+This directory contains the Chocolatey package source for Defguard.
+The GitHub Actions workflow updates version, MSI URL, and checksum after a release is published.
+
+## Workflow behavior
+
+- Trigger: GitHub release `published` (non-prerelease).
+- Source MSI: Release asset named `Defguard_<version>_x64_en-US.msi`.
+- Updated files:
+  - `defguard.nuspec` (`<version>`, `<packageSourceUrl>`)
+  - `tools/chocolateyinstall.ps1` (`$url`, `checksum`)
+- Package build: `choco pack`.
+- Package push: `choco push` to `https://push.chocolatey.org/`.
+
+## Required secret
+
+- `CHOCO_API_KEY` in GitHub repo secrets.
+
+## Local testing (Windows)
+
+From this directory:
+
+```
+choco pack
+choco install defguard --source .
+```

chocolatey/defguard/defguard.nuspec

@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
+  <metadata>
+    <id>defguard</id>
+    <version>1.6.8</version>
+    <title>Defguard</title>
+    <authors>Defguard</authors>
+    <projectUrl>https://defguard.net</projectUrl>
+    <iconUrl>http://rawcdn.githack.com/defguard/client/main/src/shared/images/png/logo_256-256.png</iconUrl>
+    <copyright>Copyright 2026 Defguard Sp. z o.o.</copyright>
+    <licenseUrl>https://github.com/DefGuard/client/blob/main/LICENSE.md</licenseUrl>
+    <requireLicenseAcceptance>true</requireLicenseAcceptance>
+    <projectSourceUrl>https://github.com/DefGuard/client</projectSourceUrl>
+    <docsUrl>https://docs.defguard.net/</docsUrl>
+    <bugTrackerUrl>https://github.com/DefGuard/client/issues</bugTrackerUrl>
+    <tags>defguard vpn wireguard sso mfa</tags>
+    <summary>Desktop client for Defguard - Wireguard VPN with MFA</summary>
+    <description>Desktop client provides an easy way to access VPN locations of multiple Defguard instances via user-friendly UI.</description>
+    <releaseNotes>https://github.com/DefGuard/client/releases</releaseNotes>
+  </metadata>
+  <files>
+    <file src="tools\**" target="tools" />
+  </files>
+</package>

chocolatey/defguard/tools/chocolateyinstall.ps1

@@ -0,0 +1,23 @@
+$ErrorActionPreference = 'Stop'
+$toolsDir = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)"
+$url      = '__MSI_URL__'
+$checksum = '__MSI_CHECKSUM__'
+
+$packageArgs = @{
+  packageName   = $env:ChocolateyPackageName
+  unzipLocation = $toolsDir
+  fileType      = 'msi'
+  url           = $url
+
+  softwareName  = 'defguard*'
+
+  checksum      = $checksum
+  checksumType  = 'sha256'
+
+  silentArgs    = "/qn /norestart /l*v `"$($env:TEMP)\$($packageName).$($env:chocolateyPackageVersion).MsiInstall.log`""
+  validExitCodes= @(0, 3010, 1641)
+}
+
+Install-ChocolateyPackage @packageArgs
+Write-Warning "IMPORTANT: Reboot or Re-login Required: On initial install the user is added to the defguard group.A reboot or logging out and back in is required for group membership changes to take effect. This is not required on subsequent updates."
+ 

chocolatey/defguard/tools/chocolateyuninstall.ps1

@@ -0,0 +1,32 @@
+$ErrorActionPreference = 'Stop'
+$packageArgs = @{
+  packageName   = $env:ChocolateyPackageName
+  softwareName  = 'defguard*'
+  fileType      = 'msi'
+  silentArgs    = "/qn /norestart"
+  validExitCodes= @(0, 3010, 1605, 1614, 1641)
+}
+
+[array]$key = Get-UninstallRegistryKey -SoftwareName $packageArgs['softwareName']
+
+if ($key.Count -eq 1) {
+  $key | % {
+    $packageArgs['file'] = "$($_.UninstallString)"
+
+    if ($packageArgs['fileType'] -eq 'MSI') {
+      $packageArgs['silentArgs'] = "$($_.PSChildName) $($packageArgs['silentArgs'])"
+
+      $packageArgs['file'] = ''
+    } else {
+    }
+
+    Uninstall-ChocolateyPackage @packageArgs
+  }
+} elseif ($key.Count -eq 0) {
+  Write-Warning "$packageName has already been uninstalled by other means."
+} elseif ($key.Count -gt 1) {
+  Write-Warning "$($key.Count) matches found!"
+  Write-Warning "To prevent accidental data loss, no programs will be uninstalled."
+  Write-Warning "Please alert package maintainer the following keys were matched:"
+  $key | % {Write-Warning "- $($_.DisplayName)"}
+}