Skip to content

Commit 1a4c613

Browse files
committed
Merge branch 'release/1.6.0'
2 parents 60e3520 + f94564f commit 1a4c613

19 files changed

Lines changed: 722 additions & 132 deletions

.gitattributes

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1 @@
1+
*.cmd eol=crlf

.github/dependabot.yml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,9 @@ updates:
77
day: "monday"
88
time: "06:00"
99
timezone: "Etc/UTC"
10+
ignore:
11+
- dependency-name: "org.apache.maven.plugins:maven-surefire-plugin"
12+
versions: [ "3.5.4" ] # incompatible with junit-tree reporter
1013
groups:
1114
java-test-dependencies:
1215
patterns:

.github/workflows/build.yml

Lines changed: 174 additions & 23 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,9 @@ on:
44
pull_request_target:
55
types: [labeled]
66

7+
env:
8+
JAVA_VERSION: 25
9+
710
defaults:
811
run:
912
shell: bash
@@ -12,43 +15,191 @@ jobs:
1215
build:
1316
name: Build and Test
1417
runs-on: windows-latest
18+
permissions:
19+
contents: read
20+
id-token: write # OIDC token for the attestations step
21+
attestations: write # Required for the attestations step
22+
outputs:
23+
sha256: ${{ steps.checksums.outputs.sha256 }}
1524
steps:
16-
- uses: actions/checkout@v5
17-
- uses: actions/setup-java@v5
25+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
26+
with:
27+
fetch-depth: 0 # deep fetch for better sonarcloud analysis
28+
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
1829
with:
1930
distribution: 'temurin'
20-
java-version: 24
31+
java-version: ${{ env.JAVA_VERSION }}
2132
cache: 'maven'
2233
- name: Ensure to use tagged version
2334
if: startsWith(github.ref, 'refs/tags/')
24-
shell: bash
25-
run: mvn -B versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
35+
run: ./mvnw versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
2636
- name: Build and Test
27-
id: buildAndTest
28-
run: mvn -B clean test -DdevCommandFileDir="${{ vars.MSVC_DEV_FILES_DIR }}"
29-
- name: Codesign DLL on release
37+
run: ./mvnw -B test --no-transfer-progress -DdevCommandFileDir="${{ vars.MSVC_DEV_FILES_DIR }}"
38+
- name: Sign DLLs with Azure Trusted Signing
39+
if: startsWith(github.ref, 'refs/tags/')
40+
uses: azure/artifact-signing-action@db7a3a6bd3912025c705162fb7475389f5b69ec6 # v1.0.0
41+
with:
42+
files: |
43+
${{ github.workspace }}\src\main\resources\integrations-x64.dll
44+
${{ github.workspace }}\src\main\resources\integrations-arm64.dll
45+
append-signature: false
46+
description: Cryptomator Windows Integrations DLL
47+
description-url: https://github.com/cryptomator/integrations-win
48+
azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
49+
azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
50+
azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
51+
signing-account-name: cryptomatorSigning
52+
certificate-profile-name: production
53+
endpoint: https://weu.codesigning.azure.net/
54+
timestamp-rfc3161: http://timestamp.acs.microsoft.com
55+
timestamp-digest: SHA256
56+
exclude-environment-credential: false
57+
exclude-workload-identity-credential: true
58+
exclude-managed-identity-credential: true
59+
exclude-shared-token-cache-credential: true
60+
exclude-visual-studio-credential: true
61+
exclude-visual-studio-code-credential: true
62+
exclude-azure-cli-credential: true
63+
exclude-azure-powershell-credential: true
64+
exclude-azure-developer-cli-credential: true
65+
exclude-interactive-browser-credential: true
66+
- name: Create JAR
67+
run: ./mvnw -B verify --no-transfer-progress -DskipTests -DskipNativeCompile -DdevCommandFileDir="${{ vars.MSVC_DEV_FILES_DIR }}"
68+
- name: Calculate Checksums
69+
id: checksums
70+
shell: pwsh
71+
run: |
72+
$sha256 = Get-FileHash -Algorithm SHA256 -Path (Get-ChildItem -Path "target" -Filter "*.jar").FullName | `
73+
ForEach-Object { $_.Hash.ToString() + " ." + $_.Path.Substring($_.Path.LastIndexOf("\")) }
74+
$sha256Lines = $sha256 -join "`n"
75+
@"
76+
sha256<<EOF
77+
$sha256Lines
78+
EOF
79+
"@ | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
80+
- name: Attest
3081
if: startsWith(github.ref, 'refs/tags/')
31-
uses: skymatic/workflows/.github/actions/win-sign-action@450e322ff2214d0be0b079b63343c894f3ef735f
32-
with:
33-
base-dir: src/main/resources
34-
file-extensions: dll
35-
username: ${{ secrets.WIN_CODESIGN_USERNAME }}
36-
password: ${{ secrets.WIN_CODESIGN_PW }}
37-
sign-description: 'Cryptomator'
38-
sign-url: 'https://cryptomator.org'
39-
- name: Package and Install
40-
id: packAndInstall
41-
run: mvn -B install -DskipNativeCompile
42-
- uses: actions/upload-artifact@v4
82+
uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
83+
with:
84+
subject-path: |
85+
target/*.jar
86+
target/*.pom
87+
- uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
4388
with:
4489
name: artifacts
4590
path: target/*.jar
46-
- name: Create Release
47-
uses: softprops/action-gh-release@v2
91+
92+
deploy-central:
93+
name: Deploy to Maven Central
94+
runs-on: windows-latest
95+
permissions:
96+
id-token: write # OIDC token for sigstore signing
97+
contents: read # Required for sigstore signing
98+
needs: [build]
99+
if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]'))
100+
steps:
101+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
102+
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
103+
with:
104+
distribution: 'temurin'
105+
java-version: ${{ env.JAVA_VERSION }}
106+
cache: 'maven'
107+
server-id: central
108+
server-username: MAVEN_CENTRAL_USERNAME
109+
server-password: MAVEN_CENTRAL_PASSWORD
110+
- name: Enforce to use tagged version
48111
if: startsWith(github.ref, 'refs/tags/')
112+
run: ./mvnw versions:set -B -DnewVersion="${GITHUB_REF##*/}"
113+
- name: Verify project version is -SNAPSHOT
114+
if: startsWith(github.ref, 'refs/tags/') == false
115+
run: |
116+
PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout)
117+
test "${PROJECT_VERSION: -9}" = "-SNAPSHOT"
118+
- name: Download JAR with signed DLLs
119+
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
120+
with:
121+
name: artifacts
122+
- name: Extract DLLs from JAR
123+
run: |
124+
JAR_PATH=$(ls ./*.jar | grep -v -E '(-sources|-javadoc)\.jar$' | head -n1)
125+
jar --extract --file="$JAR_PATH" --dir ./src/main/resources integrations-x64.dll integrations-arm64.dll
126+
- name: Deploy to Maven Central
127+
run: ./mvnw deploy -B -DskipTests -DskipNativeCompile -DdevCommandFileDir="${{ vars.MSVC_DEV_FILES_DIR }}" -Psign,deploy-central --no-transfer-progress
128+
env:
129+
MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
130+
MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
131+
MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
132+
MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
133+
MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }}
134+
135+
deploy-github:
136+
name: Deploy to GitHub Packages
137+
runs-on: windows-latest
138+
permissions:
139+
packages: write # Required for the deploy to GitHub Packages step
140+
id-token: write # OIDC token for sigstore signing
141+
contents: read # Required for sigstore signing
142+
needs: [build]
143+
if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]'))
144+
steps:
145+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
146+
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
147+
with:
148+
java-version: ${{ env.JAVA_VERSION }}
149+
distribution: 'temurin'
150+
cache: 'maven'
151+
- name: Enforce to use tagged version
152+
if: startsWith(github.ref, 'refs/tags/')
153+
run: ./mvnw versions:set -B -DnewVersion="${GITHUB_REF##*/}"
154+
- name: Verify project version is -SNAPSHOT
155+
if: startsWith(github.ref, 'refs/tags/') == false
156+
run: |
157+
PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout)
158+
test "${PROJECT_VERSION: -9}" = "-SNAPSHOT"
159+
- name: Download JAR with signed DLLs
160+
uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
161+
with:
162+
name: artifacts
163+
- name: Extract DLLs from JAR
164+
run: |
165+
JAR_PATH=$(ls ./*.jar | grep -v -E '(-sources|-javadoc)\.jar$' | head -n1)
166+
jar --extract --file="$JAR_PATH" --dir ./src/main/resources integrations-x64.dll integrations-arm64.dll
167+
- name: Deploy to GitHub Packages
168+
run: ./mvnw deploy -B -DskipTests -DskipNativeCompile -DdevCommandFileDir="${{ vars.MSVC_DEV_FILES_DIR }}" -Psign,deploy-github --no-transfer-progress
169+
env:
170+
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
171+
MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
172+
MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
173+
MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }}
174+
175+
release:
176+
name: Release
177+
runs-on: ubuntu-latest
178+
permissions:
179+
contents: write # Required for the release step
180+
needs: [build, deploy-central, deploy-github]
181+
if: startsWith(github.ref, 'refs/tags/')
182+
steps:
183+
- name: Create Release
184+
uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
49185
with:
50186
prerelease: true
51187
token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
52188
generate_release_notes: true
53-
body: |
189+
body: |-
190+
### Changelog
54191
For a list of all notable changes, read the [changelog](/CHANGELOG.md).
192+
193+
### Maven Coordinates
194+
```xml
195+
<dependency>
196+
<groupId>org.cryptomator</groupId>
197+
<artifactId>integrations-win</artifactId>
198+
<version>${{ github.ref_name }}</version>
199+
</dependency>
200+
```
201+
202+
### Artifact Checksums
203+
```txt
204+
${{ needs.build.outputs.sha256 }}
205+
```

.github/workflows/codeql-analysis.yml

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -14,6 +14,7 @@ defaults:
1414
shell: bash
1515

1616
env:
17+
JAVA_VERSION: 25
1718
MSVC_DEV_FILES_DIR: ${{ vars.MSVC_DEV_FILES_DIR ||'C:\\Program Files\\Microsoft Visual Studio\\2022\\Enterprise\\VC\\Auxiliary\\Build\\' }}
1819

1920
jobs:
@@ -22,19 +23,19 @@ jobs:
2223
runs-on: windows-latest
2324
if: ${{ !(github.actor == 'dependabot[bot]' && contains(fromJSON('["push"]'), github.event_name)) }}
2425
steps:
25-
- uses: actions/checkout@v5
26+
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
2627
with:
2728
fetch-depth: 2
28-
- uses: actions/setup-java@v5
29+
- uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
2930
with:
3031
distribution: 'temurin'
31-
java-version: 24
32+
java-version: ${{ env.JAVA_VERSION }}
3233
cache: 'maven'
3334
- name: Initialize CodeQL
34-
uses: github/codeql-action/init@v3
35+
uses: github/codeql-action/init@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1
3536
with:
3637
languages: java
3738
- name: Build
38-
run: mvn -B compile -DdevCommandFileDir="${{ env.MSVC_DEV_FILES_DIR }}"
39+
run: ./mvnw -B compile -DskipTests -DdevCommandFileDir="${{ env.MSVC_DEV_FILES_DIR }}"
3940
- name: Perform CodeQL Analysis
40-
uses: github/codeql-action/analyze@v3
41+
uses: github/codeql-action/analyze@6bc82e05fd0ea64601dd4b465378bbcf57de0314 # v4.32.1

.github/workflows/dependency-check.yml

Lines changed: 6 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -5,16 +5,18 @@ on:
55
push:
66
branches:
77
- 'release/**'
8+
- 'hotfix/**'
89
workflow_dispatch:
910

10-
1111
jobs:
1212
check-dependencies:
13-
uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@v1
13+
uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@957d3c2c08c56855fdac41e5afb9a7aca8c30dd9 # v3.0.3
1414
with:
1515
runner-os: 'windows-latest'
1616
java-distribution: 'temurin'
17-
java-version: 24
17+
java-version: 25
1818
secrets:
1919
nvd-api-key: ${{ secrets.NVD_API_KEY }}
20-
slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
20+
ossindex-username: ${{ secrets.OSSINDEX_USERNAME }}
21+
ossindex-token: ${{ secrets.OSSINDEX_API_TOKEN }}
22+
slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }}

.github/workflows/publish-central.yml

Lines changed: 0 additions & 40 deletions
This file was deleted.

.github/workflows/publish-github.yml

Lines changed: 0 additions & 29 deletions
This file was deleted.

.idea/misc.xml

Lines changed: 1 addition & 1 deletion
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,4 @@
1+
wrapperVersion=3.3.4
2+
distributionType=only-script
3+
distributionUrl=https://repo.maven.apache.org/maven2/org/apache/maven/apache-maven/3.9.12/apache-maven-3.9.12-bin.zip
4+
distributionSha256Sum=305773a68d6ddfd413df58c82b3f8050e89778e777f3a745c8e5b8cbea4018ef

0 commit comments

Comments
 (0)