Merge branch 'release/2.10.0'

Author: infeo

.github/dependabot.yml

@@ -7,6 +7,10 @@ updates:
       day: "monday"
       time: "06:00"
       timezone: "Etc/UTC"
+    ignore:
+      # due to https://github.com/fabriciorby/maven-surefire-junit5-tree-reporter/issues/68
+      - dependency-name: "org.apache.maven.plugins:maven-surefire-plugin"
+        versions: ["3.5.4", "3.5.5"]
     groups:
       java-test-dependencies:
         patterns:
@@ -19,6 +23,7 @@ updates:
           - "org.apache.maven.plugins:*"
           - "org.jacoco:jacoco-maven-plugin"
           - "org.owasp:dependency-check-maven"
+          - "org.sonatype.central:central-publishing-maven-plugin"
           - "me.fabriciorby:maven-surefire-junit5-tree-reporter"
       java-production-dependencies:
         patterns:
@@ -27,11 +32,12 @@ updates:
           - "org.apache.maven.plugins:*"
           - "org.jacoco:jacoco-maven-plugin"
           - "org.owasp:dependency-check-maven"
+          - "org.sonatype.central:central-publishing-maven-plugin"
+          - "me.fabriciorby:maven-surefire-junit5-tree-reporter"
           - "org.junit.jupiter:*"
           - "org.mockito:*"
           - "org.hamcrest:*"
           - "com.google.jimfs:jimfs"
-          - "me.fabriciorby:maven-surefire-junit5-tree-reporter"
 
 
   - package-ecosystem: "github-actions"

.github/workflows/build.yml

@@ -3,32 +3,43 @@ on:
   push:
   pull_request_target:
     types: [labeled]
+
+env:
+  JAVA_VERSION: 25
+
 jobs:
   build:
     name: Build and Test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # OIDC token for the attestations step
+      attestations: write # Required for the attestations step
+      artifact-metadata: write # Required for the attestations step
+    outputs:
+      sha256: ${{ steps.checksums.outputs.sha256 }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
-           fetch-depth: 0
-           show-progress: false
-      - uses: actions/setup-java@v4
+          fetch-depth: 0 # deep fetch for better sonarcloud analysis
+          show-progress: false
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
-          java-version: 21
           distribution: 'temurin'
+          java-version: ${{ env.JAVA_VERSION }}
           cache: 'maven'
       - name: Cache SonarCloud packages
-        uses: actions/cache@v4
+        uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
           restore-keys: ${{ runner.os }}-sonar
       - name: Ensure to use tagged version
         if: startsWith(github.ref, 'refs/tags/')
-        run: mvn -B versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
+        run: ./mvnw versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
       - name: Build and Test
         run: >
-          mvn -B verify
+          ./mvnw -B verify --no-transfer-progress
           jacoco:report
           org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
           -Pcoverage
@@ -38,14 +49,123 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
-      - uses: actions/upload-artifact@v4
+      - name: Calculate Checksums
+        id: checksums
+        run: |
+          {
+            echo 'sha256<<EOF'
+            shasum -a256 target/*.jar
+            echo EOF
+          } >> $GITHUB_OUTPUT
+      - name: Attest
+        if: startsWith(github.ref, 'refs/tags/')
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+        with:
+          subject-path: |
+            target/*.jar
+            target/*.pom
+      - uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
         with:
           name: artifacts
-          path: target/*.jar
-      - name: Create release
+          path: |
+            target/*.jar
+
+
+  deploy-central:
+    name: Deploy to Maven Central
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write # OIDC token for sigstore signing
+      contents: read # Required for sigstore signing
+    needs: [build]
+    if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]'))
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
+        with:
+          distribution: 'temurin'
+          java-version: ${{ env.JAVA_VERSION }}
+          cache: 'maven'
+          server-id: central
+          server-username: MAVEN_CENTRAL_USERNAME
+          server-password: MAVEN_CENTRAL_PASSWORD
+      - name: Enforce to use tagged version
         if: startsWith(github.ref, 'refs/tags/')
-        uses: softprops/action-gh-release@v2
+        run: ./mvnw versions:set -B -DnewVersion="${GITHUB_REF##*/}"
+      - name: Verify project version is -SNAPSHOT
+        if: startsWith(github.ref, 'refs/tags/') == false
+        run: |
+          PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout)
+          test "${PROJECT_VERSION: -9}" = "-SNAPSHOT"
+      - name: Deploy to Maven Central
+        run: ./mvnw deploy -B -DskipTests -Psign,deploy-central --no-transfer-progress
+        env:
+          MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
+          MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
+          MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
+          MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }}
+
+  deploy-github:
+    name: Deploy to GitHub Packages
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write # Required for the deploy to GitHub Packages step
+      id-token: write # OIDC token for sigstore signing
+      contents: read # Required for sigstore signing
+    needs: [build]
+    if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]'))
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
         with:
+          java-version: ${{ env.JAVA_VERSION }}
+          distribution: 'temurin'
+          cache: 'maven'
+      - name: Enforce to use tagged version 
+        if: startsWith(github.ref, 'refs/tags/')
+        run: ./mvnw versions:set -B -DnewVersion="${GITHUB_REF##*/}"
+      - name: Verify project version is -SNAPSHOT
+        if: startsWith(github.ref, 'refs/tags/') == false
+        run: |
+          PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout)
+          test "${PROJECT_VERSION: -9}" = "-SNAPSHOT"
+      - name: Deploy to GitHub Packages
+        run: ./mvnw deploy -B -DskipTests -Psign,deploy-github --no-transfer-progress
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
+          MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
+          MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }}
+
+  release:
+    name: Release
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write # Required for the release step
+    needs: [build, deploy-central, deploy-github]
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Create Release
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
+        with:
+          prerelease: true
           token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
           generate_release_notes: true
-          prerelease: true
+          body: |-
+            ### Changelog
+            For a list of all notable changes, read the [changelog](/CHANGELOG.md).
+            
+            ### Maven Coordinates
+            ```xml
+              <dependency>
+                <groupId>org.cryptomator</groupId>
+                <artifactId>cryptofs</artifactId>
+                <version>${{ github.ref_name }}</version>
+              </dependency>
+            ```
+
+            ### Artifact Checksums
+            ```txt
+            ${{ needs.build.outputs.sha256 }}
+            ```

.github/workflows/codeql-analysis.yml

@@ -16,20 +16,20 @@ jobs:
     # dependeabot has on push events only read-only access, but codeql requires write access
     if: ${{ !(github.actor == 'dependabot[bot]' && contains(fromJSON('["push"]'), github.event_name)) }}
     steps:
-    - uses: actions/checkout@v4
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       with:
         fetch-depth: 2
         show-progress: false
-    - uses: actions/setup-java@v4
+    - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
       with:
-        java-version: 21
+        java-version: 25
         distribution: 'temurin'
         cache: 'maven'
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v3
+      uses: github/codeql-action/init@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
       with:
         languages: java
     - name: Build
-      run: mvn -B install -DskipTests
+      run: ./mvnw -B install -DskipTests
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v3
+      uses: github/codeql-action/analyze@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5

.github/workflows/dependency-check.yml

@@ -5,16 +5,19 @@ on:
   push:
     branches:
       - 'release/**'
+      - 'hotfix/**'
   workflow_dispatch:
 
 
 jobs:
   check-dependencies:
-    uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@v1
+    uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@957d3c2c08c56855fdac41e5afb9a7aca8c30dd9 # v3.0.3
     with:
       runner-os: 'ubuntu-latest'
       java-distribution: 'temurin'
-      java-version: 21
+      java-version: 25
     secrets:
       nvd-api-key: ${{ secrets.NVD_API_KEY }}
-      slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
+      ossindex-username: ${{ secrets.OSSINDEX_USERNAME }}
+      ossindex-token: ${{ secrets.OSSINDEX_API_TOKEN }}
+      slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}

.github/workflows/publish-central.yml

@@ -0,0 +1,4 @@
+wrapperVersion=3.3.4
+distributionType=only-script
+distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.12/apache-maven-3.9.12-bin.zip
+distributionSha256Sum=305773a68d6ddfd413df58c82b3f8050e89778e777f3a745c8e5b8cbea4018ef

.github/workflows/publish-github.yml

@@ -0,0 +1,29 @@
+ # Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+
+The changelog starts with version 2.10.0.
+Changes to prior versions can be found on the [GitHub release page](https://github.com/cryptomator/cryptofs/releases).
+
+## [2.10.0](https://github.com/cryptomator/cryptofs/releases/tag/2.10.0) - 2026-03-05
+
+### Added
+* Files-in-Use: Optional feature to indicate for external parties if an encrypted file is currently opened by this filesystem ([#312](https://github.com/cryptomator/cryptofs/pull/312), [#338](https://github.com/cryptomator/cryptofs/pull/338))
+* Changelog file
+
+### Changed
+* Use JDK 25 for build (bf26d6c9cd15a2489126ee0409a8ec9eca59da0c)
+* Pin external ci actions ([#320](https://github.com/cryptomator/cryptofs/pull/320))
+* Use Maven wrapper ([#341](https://github.com/cryptomator/cryptofs/pull/341))
+* Updated dependencies:
+  * `com.github.ben-manes.caffeine:caffeine` from 3.2.0 to 3.2.3 ([#323](https://github.com/cryptomator/cryptofs/pull/323))
+  * `org.cryptomator:cryptolib` from 2.2.1 to 2.2.2
+  * `com.auth0:java-jwt` from 4.5.0 to 4.5.1
+* Removed dependencies:
+  * `com.google.guava:guava`
+
+### Fixed
+* Replacing internal path class `CryptoPath` with strings in `FilesystemEvent`s ([#319](https://github.com/cryptomator/cryptofs/pull/319))
+* Make DOS file attribute class immutable ([#305](https://github.com/cryptomator/cryptofs/pull/305))