44 pull_request_target :
55 types : [labeled]
66
7+ env :
8+ JAVA_VERSION : 25
9+
710defaults :
811 run :
912 shell : bash
@@ -12,43 +15,191 @@ jobs:
1215 build :
1316 name : Build and Test
1417 runs-on : windows-latest
18+ permissions :
19+ contents : read
20+ id-token : write # OIDC token for the attestations step
21+ attestations : write # Required for the attestations step
22+ outputs :
23+ sha256 : ${{ steps.checksums.outputs.sha256 }}
1524 steps :
16- - uses : actions/checkout@v5
17- - uses : actions/setup-java@v5
25+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
26+ with :
27+ fetch-depth : 0 # deep fetch for better sonarcloud analysis
28+ - uses : actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
1829 with :
1930 distribution : ' temurin'
20- java-version : 24
31+ java-version : ${{ env.JAVA_VERSION }}
2132 cache : ' maven'
2233 - name : Ensure to use tagged version
2334 if : startsWith(github.ref, 'refs/tags/')
24- shell : bash
25- run : mvn -B versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
35+ run : ./mvnw versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
2636 - name : Build and Test
27- id : buildAndTest
28- run : mvn -B clean test -DdevCommandFileDir="${{ vars.MSVC_DEV_FILES_DIR }}"
29- - name : Codesign DLL on release
37+ run : ./mvnw -B test --no-transfer-progress -DdevCommandFileDir="${{ vars.MSVC_DEV_FILES_DIR }}"
38+ - name : Sign DLLs with Azure Trusted Signing
39+ if : startsWith(github.ref, 'refs/tags/')
40+ uses : azure/artifact-signing-action@db7a3a6bd3912025c705162fb7475389f5b69ec6 # v1.0.0
41+ with :
42+ files : |
43+ ${{ github.workspace }}\src\main\resources\integrations-x64.dll
44+ ${{ github.workspace }}\src\main\resources\integrations-arm64.dll
45+ append-signature : false
46+ description : Cryptomator Windows Integrations DLL
47+ description-url : https://github.com/cryptomator/integrations-win
48+ azure-tenant-id : ${{ secrets.AZURE_TENANT_ID }}
49+ azure-client-id : ${{ secrets.AZURE_CLIENT_ID }}
50+ azure-client-secret : ${{ secrets.AZURE_CLIENT_SECRET }}
51+ signing-account-name : cryptomatorSigning
52+ certificate-profile-name : production
53+ endpoint : https://weu.codesigning.azure.net/
54+ timestamp-rfc3161 : http://timestamp.acs.microsoft.com
55+ timestamp-digest : SHA256
56+ exclude-environment-credential : false
57+ exclude-workload-identity-credential : true
58+ exclude-managed-identity-credential : true
59+ exclude-shared-token-cache-credential : true
60+ exclude-visual-studio-credential : true
61+ exclude-visual-studio-code-credential : true
62+ exclude-azure-cli-credential : true
63+ exclude-azure-powershell-credential : true
64+ exclude-azure-developer-cli-credential : true
65+ exclude-interactive-browser-credential : true
66+ - name : Create JAR
67+ run : ./mvnw -B verify --no-transfer-progress -DskipTests -DskipNativeCompile -DdevCommandFileDir="${{ vars.MSVC_DEV_FILES_DIR }}"
68+ - name : Calculate Checksums
69+ id : checksums
70+ shell : pwsh
71+ run : |
72+ $sha256 = Get-FileHash -Algorithm SHA256 -Path (Get-ChildItem -Path "target" -Filter "*.jar").FullName | `
73+ ForEach-Object { $_.Hash.ToString() + " ." + $_.Path.Substring($_.Path.LastIndexOf("\")) }
74+ $sha256Lines = $sha256 -join "`n"
75+ @"
76+ sha256<<EOF
77+ $sha256Lines
78+ EOF
79+ "@ | Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
80+ - name : Attest
3081 if : startsWith(github.ref, 'refs/tags/')
31- uses : skymatic/workflows/.github/actions/win-sign-action@450e322ff2214d0be0b079b63343c894f3ef735f
32- with :
33- base-dir : src/main/resources
34- file-extensions : dll
35- username : ${{ secrets.WIN_CODESIGN_USERNAME }}
36- password : ${{ secrets.WIN_CODESIGN_PW }}
37- sign-description : ' Cryptomator'
38- sign-url : ' https://cryptomator.org'
39- - name : Package and Install
40- id : packAndInstall
41- run : mvn -B install -DskipNativeCompile
42- - uses : actions/upload-artifact@v4
82+ uses : actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
83+ with :
84+ subject-path : |
85+ target/*.jar
86+ target/*.pom
87+ - uses : actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
4388 with :
4489 name : artifacts
4590 path : target/*.jar
46- - name : Create Release
47- uses : softprops/action-gh-release@v2
91+
92+ deploy-central :
93+ name : Deploy to Maven Central
94+ runs-on : windows-latest
95+ permissions :
96+ id-token : write # OIDC token for sigstore signing
97+ contents : read # Required for sigstore signing
98+ needs : [build]
99+ if : github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]'))
100+ steps :
101+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
102+ - uses : actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
103+ with :
104+ distribution : ' temurin'
105+ java-version : ${{ env.JAVA_VERSION }}
106+ cache : ' maven'
107+ server-id : central
108+ server-username : MAVEN_CENTRAL_USERNAME
109+ server-password : MAVEN_CENTRAL_PASSWORD
110+ - name : Enforce to use tagged version
48111 if : startsWith(github.ref, 'refs/tags/')
112+ run : ./mvnw versions:set -B -DnewVersion="${GITHUB_REF##*/}"
113+ - name : Verify project version is -SNAPSHOT
114+ if : startsWith(github.ref, 'refs/tags/') == false
115+ run : |
116+ PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout)
117+ test "${PROJECT_VERSION: -9}" = "-SNAPSHOT"
118+ - name : Download JAR with signed DLLs
119+ uses : actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
120+ with :
121+ name : artifacts
122+ - name : Extract DLLs from JAR
123+ run : |
124+ JAR_PATH=$(ls ./*.jar | grep -v -E '(-sources|-javadoc)\.jar$' | head -n1)
125+ jar --extract --file="$JAR_PATH" --dir ./src/main/resources integrations-x64.dll integrations-arm64.dll
126+ - name : Deploy to Maven Central
127+ run : ./mvnw deploy -B -DskipTests -DskipNativeCompile -DdevCommandFileDir="${{ vars.MSVC_DEV_FILES_DIR }}" -Psign,deploy-central --no-transfer-progress
128+ env :
129+ MAVEN_CENTRAL_USERNAME : ${{ secrets.MAVEN_CENTRAL_USERNAME }}
130+ MAVEN_CENTRAL_PASSWORD : ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
131+ MAVEN_GPG_PASSPHRASE : ${{ secrets.RELEASES_GPG_PASSPHRASE }}
132+ MAVEN_GPG_KEY : ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
133+ MAVEN_GPG_KEY_FINGERPRINT : ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }}
134+
135+ deploy-github :
136+ name : Deploy to GitHub Packages
137+ runs-on : windows-latest
138+ permissions :
139+ packages : write # Required for the deploy to GitHub Packages step
140+ id-token : write # OIDC token for sigstore signing
141+ contents : read # Required for sigstore signing
142+ needs : [build]
143+ if : github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]'))
144+ steps :
145+ - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
146+ - uses : actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
147+ with :
148+ java-version : ${{ env.JAVA_VERSION }}
149+ distribution : ' temurin'
150+ cache : ' maven'
151+ - name : Enforce to use tagged version
152+ if : startsWith(github.ref, 'refs/tags/')
153+ run : ./mvnw versions:set -B -DnewVersion="${GITHUB_REF##*/}"
154+ - name : Verify project version is -SNAPSHOT
155+ if : startsWith(github.ref, 'refs/tags/') == false
156+ run : |
157+ PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout)
158+ test "${PROJECT_VERSION: -9}" = "-SNAPSHOT"
159+ - name : Download JAR with signed DLLs
160+ uses : actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
161+ with :
162+ name : artifacts
163+ - name : Extract DLLs from JAR
164+ run : |
165+ JAR_PATH=$(ls ./*.jar | grep -v -E '(-sources|-javadoc)\.jar$' | head -n1)
166+ jar --extract --file="$JAR_PATH" --dir ./src/main/resources integrations-x64.dll integrations-arm64.dll
167+ - name : Deploy to GitHub Packages
168+ run : ./mvnw deploy -B -DskipTests -DskipNativeCompile -DdevCommandFileDir="${{ vars.MSVC_DEV_FILES_DIR }}" -Psign,deploy-github --no-transfer-progress
169+ env :
170+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
171+ MAVEN_GPG_PASSPHRASE : ${{ secrets.RELEASES_GPG_PASSPHRASE }}
172+ MAVEN_GPG_KEY : ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
173+ MAVEN_GPG_KEY_FINGERPRINT : ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }}
174+
175+ release :
176+ name : Release
177+ runs-on : ubuntu-latest
178+ permissions :
179+ contents : write # Required for the release step
180+ needs : [build, deploy-central, deploy-github]
181+ if : startsWith(github.ref, 'refs/tags/')
182+ steps :
183+ - name : Create Release
184+ uses : softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
49185 with :
50186 prerelease : true
51187 token : ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
52188 generate_release_notes : true
53- body : |
189+ body : |-
190+ ### Changelog
54191 For a list of all notable changes, read the [changelog](/CHANGELOG.md).
192+
193+ ### Maven Coordinates
194+ ```xml
195+ <dependency>
196+ <groupId>org.cryptomator</groupId>
197+ <artifactId>integrations-win</artifactId>
198+ <version>${{ github.ref_name }}</version>
199+ </dependency>
200+ ```
201+
202+ ### Artifact Checksums
203+ ```txt
204+ ${{ needs.build.outputs.sha256 }}
205+ ```
0 commit comments