switch to powershell for computing checksums #638

Workflow file for this run

# Build, sign, attest and publish pipeline for the Windows integrations library.
name: Build

on:
  # Every push, branches and tags alike. Tag refs additionally enable the
  # signing, attestation and release steps further down.
  push:
  # NOTE(review): pull_request_target runs in the context of the base
  # repository, so jobs started by it have access to repository secrets and
  # variables and receive the token permissions each job declares. It fires
  # only when a label is added to the pull request.
  pull_request_target:
    types:
      - labeled

env:
  # Read by the actions/setup-java steps through env.JAVA_VERSION.
  JAVA_VERSION: 25

defaults:
  run:
    # bash is the default shell even on the Windows runners; a step that needs
    # PowerShell sets its own shell key.
    shell: bash
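jobs:
  build:
    name: Build and Test
    runs-on: windows-latest
    # Token scopes for this job. They are granted on every trigger, including
    # pull_request_target, although only the tag-gated Attest step uses the
    # two write scopes.
    permissions:
      contents: read
      id-token: write # OIDC token for the attestations step
      attestations: write # Required for the attestations step
    outputs:
      # Multi-line "<hash> <file>" listing; the release job embeds it in the
      # release notes.
      sha256: ${{ steps.checksums.outputs.sha256 }}
    steps:
      # Actions are pinned to full commit SHAs; the trailing comment records
      # the release tag each SHA corresponds to.
      # No ref is given, so on pull_request_target this checks out the base
      # branch rather than the pull request head.
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          fetch-depth: 0 # deep fetch for better sonarcloud analysis
      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: 'temurin'
          java-version: ${{ env.JAVA_VERSION }}
          cache: 'maven'
      # The tag name (last path segment of the ref) becomes the project
      # version. Quoted like the same step in the deploy jobs.
      - name: Ensure to use tagged version
        if: startsWith(github.ref, 'refs/tags/')
        run: ./mvnw versions:set --file ./pom.xml -DnewVersion="${GITHUB_REF##*/}"
      # vars.MSVC_DEV_FILES_DIR is a repository variable; it is expanded into
      # the script text before bash runs it.
      - name: Build and Test
        run: ./mvnw -B test --no-transfer-progress -DdevCommandFileDir="${{ vars.MSVC_DEV_FILES_DIR }}"
      # Runs for tag refs only. Authentication uses the client secret passed
      # below (environment credential); every other credential source is
      # excluded, so the job's OIDC token is not used for signing.
      # NOTE(review): the deploy jobs extract these DLLs into
      # ./src/main/resources, while the paths below have no src segment.
      # Confirm they point at the files that end up inside the JAR.
      - name: Sign DLLs with Azure Trusted Signing
        if: startsWith(github.ref, 'refs/tags/')
        uses: azure/artifact-signing-action@fc390cf8ed0f14e248a542af1d838388a47c7a7c # v0.5.10
        with:
          files: |
            ${{ github.workspace }}\main\resources\integrations-x64.dll
            ${{ github.workspace }}\main\resources\integrations-arm64.dll
          append-signature: false
          description: Cryptomator Windows Integrations DLL
          description-url: https://github.com/cryptomator/integrations-win
          azure-tenant-id: ${{ secrets.AZURE_TENANT_ID }}
          azure-client-id: ${{ secrets.AZURE_CLIENT_ID }}
          azure-client-secret: ${{ secrets.AZURE_CLIENT_SECRET }}
          trusted-signing-account-name: cryptomatorSigning
          certificate-profile-name: production
          endpoint: https://weu.codesigning.azure.net/
          timestamp-rfc3161: http://timestamp.acs.microsoft.com
          timestamp-digest: SHA256
          exclude-environment-credential: false
          exclude-workload-identity-credential: true
          exclude-managed-identity-credential: true
          exclude-shared-token-cache-credential: true
          exclude-visual-studio-credential: true
          exclude-visual-studio-code-credential: true
          exclude-azure-cli-credential: true
          exclude-azure-powershell-credential: true
          exclude-azure-developer-cli-credential: true
          exclude-interactive-browser-credential: true
      # Packages the JAR after signing; tests and native compilation are
      # skipped here.
      - name: Create JAR
        run: ./mvnw -B verify --no-transfer-progress -DskipTests -DskipNativeCompile -DdevCommandFileDir="${{ vars.MSVC_DEV_FILES_DIR }}"
      # GITHUB_OUTPUT accepts only "name=value" lines or a
      # "name<<DELIMITER ... DELIMITER" block. The listing has one line per
      # JAR, so it is written as a delimited block named sha256, the name the
      # job-level outputs mapping reads.
      - name: Calculate Checksums
        id: checksums
        shell: pwsh
        run: |
          $sha256 = Get-FileHash -Algorithm SHA256 -Path (Get-ChildItem -Path "target" -Filter "*.jar").FullName |
            ForEach-Object { $_.Hash.ToString() + " ." + $_.Path.Substring($_.Path.LastIndexOf("\")) }
          # Random delimiter, so that no line of the value can close the block early.
          $delimiter = "EOF_$([guid]::NewGuid().ToString('N'))"
          @("sha256<<$delimiter") + @($sha256) + @($delimiter) |
            Out-File -FilePath $env:GITHUB_OUTPUT -Encoding utf8 -Append
      # Build provenance for the published files; tag builds only.
      - name: Attest
        if: startsWith(github.ref, 'refs/tags/')
        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
        with:
          subject-path: |
            target/*.jar
            target/*.pom
      # Hands the JARs, with the signed DLLs inside, to the deploy jobs.
      - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
        with:
          name: artifacts
          path: target/*.jar
  deploy-central:
    name: Deploy to Maven Central
    runs-on: windows-latest
    permissions:
      id-token: write # OIDC token for sigstore signing
      contents: read # Required for sigstore signing
    needs: [build]
    # Publishing is limited to the cryptomator organisation, and to tag refs
    # or pushes whose head commit message contains "[deploy]".
    # github.event.head_commit is part of the push payload.
    if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]'))
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      # server-username and server-password name environment variables, not
      # values; the credentials themselves are supplied on the deploy step.
      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: 'temurin'
          java-version: ${{ env.JAVA_VERSION }}
          cache: 'maven'
          server-id: central
          server-username: MAVEN_CENTRAL_USERNAME
          server-password: MAVEN_CENTRAL_PASSWORD
      - name: Enforce to use tagged version
        if: startsWith(github.ref, 'refs/tags/')
        run: ./mvnw versions:set -B -DnewVersion="${GITHUB_REF##*/}"
      # Non-tag deployments must carry a -SNAPSHOT version; the test command
      # fails the step otherwise.
      - name: Verify project version is -SNAPSHOT
        if: startsWith(github.ref, 'refs/tags/') == false
        run: |
          PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout)
          test "${PROJECT_VERSION: -9}" = "-SNAPSHOT"
      # NOTE(review): the JAR is taken from this run's artifact store as-is.
      # No checksum or attestation check happens before its DLLs are
      # repackaged and published.
      - name: Download JAR with signed DLLs
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: artifacts
      # Picks the first JAR that is neither the -sources nor the -javadoc one
      # and unpacks the two DLLs into the resources directory, so the deploy
      # build (which skips native compilation) packages them.
      - name: Extract DLLs from JAR
        run: |
          JAR_PATH=$(ls ./*.jar | grep -v -E '(-sources|-javadoc)\.jar$' | head -n1)
          jar --extract --file="$JAR_PATH" -C ./src/main/resources integrations-x64.dll integrations-arm64.dll
      # Publishing credentials and the GPG key are exposed to this step only.
      - name: Deploy to Maven Central
        run: ./mvnw deploy -B -DskipTests -DskipNativeCompile -DdevCommandFileDir="${{ vars.MSVC_DEV_FILES_DIR }}" -Psign,deploy-central --no-transfer-progress
        env:
          MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }}
          MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }}
          MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
          MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
          MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }}
  deploy-github:
    name: Deploy to GitHub Packages
    runs-on: windows-latest
    permissions:
      packages: write # Required for the deploy to GitHub Packages step
      id-token: write # OIDC token for sigstore signing
      contents: read # Required for sigstore signing
    needs: [build]
    # Same gate as deploy-central: cryptomator organisation only, and either a
    # tag ref or a push whose head commit message contains "[deploy]".
    if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]'))
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          java-version: ${{ env.JAVA_VERSION }}
          distribution: 'temurin'
          cache: 'maven'
      - name: Enforce to use tagged version
        if: startsWith(github.ref, 'refs/tags/')
        run: ./mvnw versions:set -B -DnewVersion="${GITHUB_REF##*/}"
      # Non-tag deployments must carry a -SNAPSHOT version; the test command
      # fails the step otherwise.
      - name: Verify project version is -SNAPSHOT
        if: startsWith(github.ref, 'refs/tags/') == false
        run: |
          PROJECT_VERSION=$(./mvnw help:evaluate "-Dexpression=project.version" -q -DforceStdout)
          test "${PROJECT_VERSION: -9}" = "-SNAPSHOT"
      # NOTE(review): the JAR is taken from this run's artifact store as-is.
      # No checksum or attestation check happens before its DLLs are
      # repackaged and published.
      - name: Download JAR with signed DLLs
        uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
        with:
          name: artifacts
      # Picks the first JAR that is neither the -sources nor the -javadoc one
      # and unpacks the two DLLs into the resources directory.
      - name: Extract DLLs from JAR
        run: |
          JAR_PATH=$(ls ./*.jar | grep -v -E '(-sources|-javadoc)\.jar$' | head -n1)
          jar --extract --file="$JAR_PATH" -C ./src/main/resources integrations-x64.dll integrations-arm64.dll
      # The job token (packages: write) and the GPG key are exposed to this
      # step only.
      - name: Deploy to GitHub Packages
        run: ./mvnw deploy -B -DskipTests -DskipNativeCompile -DdevCommandFileDir="${{ vars.MSVC_DEV_FILES_DIR }}" -Psign,deploy-github --no-transfer-progress
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
          MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import
          MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }}
  release:
    name: Release
    runs-on: ubuntu-latest
    permissions:
      contents: write # Required for the release step
    # Tag builds only, and only after the build and both deployments succeeded.
    needs: [build, deploy-central, deploy-github]
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      # The release is created with a dedicated token from the repository
      # secrets rather than the job's own token.
      # NOTE(review): if that token does all the writing, contents: write on
      # the job token may be more than this job needs. Confirm before
      # narrowing it.
      - name: Create Release
        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
        with:
          prerelease: true
          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
          generate_release_notes: true
          body: |-
            ### Changelog
            For a list of all notable changes, read the [changelog](/CHANGELOG.md).
            ### Maven Coordinates
            ```xml
            <dependency>
            <groupId>org.cryptomator</groupId>
            <artifactId>integrations-win</artifactId>
            <version>${{ github.ref_name }}</version>
            </dependency>
            ```
            ### Artifact Checksums
            ```txt
            ${{ needs.build.outputs.sha256 }}
            ```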