From bca20a7a6631df2a8e73f28a805b184eab9fdb6f Mon Sep 17 00:00:00 2001
From: Armin Schrenk <armin.schrenk@skymatic.de>
Date: Tue, 27 Feb 2024 18:55:14 +0100
Subject: [PATCH] [ci skip] seperate av whitelisting into own workflow to be
 able to upload assets on failure

---
 .github/workflows/av-whitelist.yml | 40 ++++++++++++++++++++
 .github/workflows/win-exe.yml      | 59 ++++++++++--------------------
 2 files changed, 60 insertions(+), 39 deletions(-)
 create mode 100644 .github/workflows/av-whitelist.yml

diff --git a/.github/workflows/av-whitelist.yml b/.github/workflows/av-whitelist.yml
new file mode 100644
index 000000000..102f1bee0
--- /dev/null
+++ b/.github/workflows/av-whitelist.yml
@@ -0,0 +1,40 @@
+name: AntiVirus Whitelisting
+
+on:
+  workflow_call:
+    inputs:
+      url:
+        description: "Url to the file to upload"
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      url:
+        description: "Url to the file to upload"
+        required: true
+        type: string
+
+jobs:
+  allowlist:
+    name: Anti Virus Allowlisting
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download file
+        run: |
+          curl --remote-name ${{ inputs.url }} -L
+      - name: Upload to Kaspersky
+        uses: SamKirkland/FTP-Deploy-Action@v4.3.4
+        with:
+          protocol: ftps
+          server: allowlist.kaspersky-labs.com
+          port: 990
+          username: ${{ secrets.ALLOWLIST_KASPERSKY_USERNAME }}
+          password: ${{ secrets.ALLOWLIST_KASPERSKY_PASSWORD }}
+      - name: Upload to Avast
+        uses: SamKirkland/FTP-Deploy-Action@v4.3.4
+        with:
+          protocol: ftp
+          server: whitelisting.avast.com
+          port: 21
+          username: ${{ secrets.ALLOWLIST_AVAST_USERNAME }}
+          password: ${{ secrets.ALLOWLIST_AVAST_PASSWORD }}
\ No newline at end of file
diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml
index d3720c76b..cca158468 100644
--- a/.github/workflows/win-exe.yml
+++ b/.github/workflows/win-exe.yml
@@ -39,6 +39,8 @@ jobs:
     env:
       LOOPBACK_ALIAS: 'cryptomator-vault'
       WIN_CONSOLE_FLAG: ''
+    outputs:
+      download-url: ${{ fromJSON(steps.publish.outputs.assets)[0].browser_download_url }} #ónly set on a release
     steps:
       - uses: actions/checkout@v4
       - name: Setup Java
@@ -255,19 +257,29 @@ jobs:
             Cryptomator-*.asc
           if-no-files-found: error
       - name: Publish .msi on GitHub Releases
+        id: publish
         if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
         uses: softprops/action-gh-release@v1
         with:
           fail_on_unmatched_files: true
           token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
+          # do not change ordering of filelist, required for correct job output
           files: |
             *.msi
             *.asc
 
+  allowlist-msi:
+    uses: ./.github/workflows/av-whitelist.yml
+    needs: [build-msi]
+    with:
+      url: ${{ needs.build-msi.outputs.download-url }}
+
   build-exe:
     name: Build .exe installer
     runs-on: windows-latest
     needs: [get-version, build-msi]
+    outputs:
+      download-url: ${{ fromJSON(steps.publish.outputs.assets)[0].browser_download_url }} #ónly set on a release
     steps:
       - uses: actions/checkout@v4
       - name: Download .msi
@@ -366,54 +378,23 @@ jobs:
             Cryptomator-*.asc
           if-no-files-found: error
       - name: Publish .msi on GitHub Releases
+        id: publish
         if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
         uses: softprops/action-gh-release@v1
         with:
           fail_on_unmatched_files: true
           token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
+          # do not change ordering of filelist, required for correct job output
           files: |
             Cryptomator-*.exe
             Cryptomator-*.asc
 
-  allowlist:
-    name: Anti Virus Allowlisting
-    if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
-    runs-on: ubuntu-latest
-    needs: [build-msi, build-exe]
-    steps:
-      - name: Download .msi
-        uses: actions/download-artifact@v4
-        with:
-          name: msi
-          path: msi
-      - name: Download .exe
-        uses: actions/download-artifact@v4
-        with:
-          name: exe
-          path: exe
-      - name: Collect files
-        run: |
-          mkdir files
-          cp msi/*.msi files
-          cp exe/*.exe files
-      - name: Upload to Kaspersky
-        uses: SamKirkland/FTP-Deploy-Action@v4.3.4
-        with:
-          protocol: ftps
-          server: allowlist.kaspersky-labs.com
-          port: 990
-          username: ${{ secrets.ALLOWLIST_KASPERSKY_USERNAME }}
-          password: ${{ secrets.ALLOWLIST_KASPERSKY_PASSWORD }}
-          local-dir: files/
-      - name: Upload to Avast
-        uses: SamKirkland/FTP-Deploy-Action@v4.3.4
-        with:
-          protocol: ftp
-          server: whitelisting.avast.com
-          port: 21
-          username: ${{ secrets.ALLOWLIST_AVAST_USERNAME }}
-          password: ${{ secrets.ALLOWLIST_AVAST_PASSWORD }}
-          local-dir: files/
+  allowlist-exe:
+    uses: ./.github/workflows/av-whitelist.yml
+    needs: [build-exe]
+    with:
+      url: ${{ needs.build-exe.outputs.download-url }}
+
   notify-winget:
     name: Notify for winget-release
     if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published' && needs.get-version.outputs.versionType == 'stable'