build flatpak on CI

.github/workflows/linux-flatpak.yml

@@ -1,4 +1,4 @@
-name: Create PR for flathub
+name: Build flatpak
 
 on:
   release:
@@ -7,13 +7,53 @@ on:
     inputs:
       tag:
         description: 'Release tag'
-        required: true
+        required: false
 
 jobs:
   get-version:
     uses: ./.github/workflows/get-version.yml
     with:
       version: ${{ inputs.tag }}
+
+  flatpak:
+    name: "Build flatpak"
+    needs: [get-version]
+    runs-on: ubuntu-latest
+    container:
+      image: ghcr.io/flathub-infra/flatpak-github-actions:gnome-48
+      options: --privileged
+    strategy:
+      matrix:
+        variant:
+          - arch: x86_64
+            runner: ubuntu-24.04
+          - arch: aarch64
+            runner: ubuntu-24.04-arm
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          path: cryptomator
+      - name: Get SHA of HEAD commit
+        id: git-head-sha
+        run: echo "head-sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT
+      - name: Transform build template into build script
+        run: envsubst '$FLATPAK_VERSION $FLATPAK_REVISION $CRYPTOMATOR_SOURCE' < cryptomator/dist/linux/flatpak/org.cryptomator.Cryptomator.TEMPLATE.yaml > org.cryptomator.Cryptomator.yaml
+        env:
+          FLATPAK_VERSION: ${{ needs.get-version.outputs.semVerNum }}
+          FLATPAK_REVISION: 1
+          CRYPTOMATOR SOURCE: |-
+            type: git
+                    path: cryptomator
+                    commit: ${{ steps.git-head-sha.outputs.head-sha }}
+      - uses: flatpak/flatpak-github-actions/flatpak-builder@92ae9851ad316786193b1fd3f40c4b51eb5cb101 # v6.6
+        with:
+          bundle: cryptomator.flatpak
+          manifest-path: org.cryptomator.Cryptomator.yaml
+          cache-key: flatpak-builder-${{ github.sha }}
+          #build-dir: flatpak_app
+          #gpg-sign:
+          arch: ${{ matrix.variant.arch }}
+
   tarball:
     name: Determines tarball url and compute checksum
     runs-on: ubuntu-latest

dist/linux/flatpak/.gitignore

@@ -0,0 +1,13 @@
+#
+# Excludes
+.flatpak-builder/
+.idea/
+build/
+
+.DS_Store
+Thumbs.db
+*.iml
+
+
+#
+# Includes

dist/linux/flatpak/.gitmodules

@@ -0,0 +1,3 @@
+[submodule "shared-modules"]
+	path = shared-modules
+	url = https://github.com/flathub/shared-modules.git

dist/linux/flatpak/build-aux/fusermount-wrapper.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# From: https://gitlab.gnome.org/GNOME/gnome-builder/-/blob/main/build-aux/flatpak/fusermount-wrapper.sh
+
+if [ -z "$_FUSE_COMMFD" ]; then
+    FD_ARGS=
+else
+    FD_ARGS="--env=_FUSE_COMMFD=${_FUSE_COMMFD} --forward-fd=${_FUSE_COMMFD}"
+fi
+
+if [ -e /proc/self/fd/3 ] && [ 3 != "$_FUSE_COMMFD" ]; then
+    FD_ARGS="$FD_ARGS --forward-fd=3"
+fi
+
+exec flatpak-spawn --host --forward-fd=1 --forward-fd=2 $FD_ARGS fusermount3 "$@"

dist/linux/flatpak/maven-dependencies-aarch64.yaml

@@ -0,0 +1,25 @@
+- type: file
+  dest: .m2/repository/org/openjfx/javafx-base/25.0.2
+  url: https://repo.maven.apache.org/maven2/org/openjfx/javafx-base/25.0.2/javafx-base-25.0.2-linux-aarch64.jar
+  sha256: 465697a5e51f56f99b3920d53df7a0472e930156fdb70f633ea7a42b07a84cd5
+  only-arches: [aarch64]
+- type: file
+  dest: .m2/repository/org/openjfx/javafx-controls/25.0.2
+  url: https://repo.maven.apache.org/maven2/org/openjfx/javafx-controls/25.0.2/javafx-controls-25.0.2-linux-aarch64.jar
+  sha256: 490c37ef1a6d9c46fc72e8445901c577dd604bde5b0aa0b9b2957b6508e57b19
+  only-arches: [aarch64]
+- type: file
+  dest: .m2/repository/org/openjfx/javafx-fxml/25.0.2
+  url: https://repo.maven.apache.org/maven2/org/openjfx/javafx-fxml/25.0.2/javafx-fxml-25.0.2-linux-aarch64.jar
+  sha256: 656688d2fd3d12f2f689b0fa133b46ad5f907eac96e0c1dcabae572d0eac35d8
+  only-arches: [aarch64]
+- type: file
+  dest: .m2/repository/org/openjfx/javafx-graphics/25.0.2
+  url: https://repo.maven.apache.org/maven2/org/openjfx/javafx-graphics/25.0.2/javafx-graphics-25.0.2-linux-aarch64.jar
+  sha256: 2489ad216e970fbad968998da9d199ea984f64a291b2e95d9db65fe1311bfd8d
+  only-arches: [aarch64]
+- type: file
+  dest: .m2/repository/org/openjfx/javafx-swing/25.0.2
+  url: https://repo.maven.apache.org/maven2/org/openjfx/javafx-swing/25.0.2/javafx-swing-25.0.2-linux-aarch64.jar
+  sha256: f4505c4f11ddf95adc8dd06417fd49a2a9d0f19a2c8323f5f449b8bbc9c5dd2c
+  only-arches: [aarch64]

dist/linux/flatpak/maven-dependencies-x86_64.yaml

@@ -0,0 +1,25 @@
+- type: file
+  dest: .m2/repository/org/openjfx/javafx-base/25.0.2
+  url: https://repo.maven.apache.org/maven2/org/openjfx/javafx-base/25.0.2/javafx-base-25.0.2-linux.jar
+  sha256: eb11384d3ac0c13b42c27d49a1cb01d469dec640f245828d323bca016c2311c0
+  only-arches: [x86_64]
+- type: file
+  dest: .m2/repository/org/openjfx/javafx-controls/25.0.2
+  url: https://repo.maven.apache.org/maven2/org/openjfx/javafx-controls/25.0.2/javafx-controls-25.0.2-linux.jar
+  sha256: 3937b7215c0a9b02fdaafd2bb694a6efce27fa226809c6ca970a8a02b1691cb9
+  only-arches: [x86_64]
+- type: file
+  dest: .m2/repository/org/openjfx/javafx-fxml/25.0.2
+  url: https://repo.maven.apache.org/maven2/org/openjfx/javafx-fxml/25.0.2/javafx-fxml-25.0.2-linux.jar
+  sha256: a96b973c0083a03385948ee02d7cfbd28b807d98f4498ae3e920f6da6caf7ab6
+  only-arches: [x86_64]
+- type: file
+  dest: .m2/repository/org/openjfx/javafx-graphics/25.0.2
+  url: https://repo.maven.apache.org/maven2/org/openjfx/javafx-graphics/25.0.2/javafx-graphics-25.0.2-linux.jar
+  sha256: a43e751003621f9f0b19666e92a147d62da924fb2c0229c1e49ec39d9d21c4b2
+  only-arches: [x86_64]
+- type: file
+  dest: .m2/repository/org/openjfx/javafx-swing/25.0.2
+  url: https://repo.maven.apache.org/maven2/org/openjfx/javafx-swing/25.0.2/javafx-swing-25.0.2-linux.jar
+  sha256: a75e6504ac03331f4ae3be0d181c7c970c526de1b53ad2e5c44e8d31026bf5ec
+  only-arches: [x86_64]

dist/linux/flatpak/org.cryptomator.Cryptomator.TEMPLATE.yaml

@@ -0,0 +1,183 @@
+app-id: org.cryptomator.Cryptomator
+command: cryptomator
+runtime: org.freedesktop.Platform
+runtime-version: '25.08'
+sdk: org.freedesktop.Sdk
+separate-locales: false
+finish-args:
+  # Required for FUSE, see https://github.com/flathub/org.cryptomator.Cryptomator/pull/68#issuecomment-1935136502
+  - --device=all
+  # Set the PATH environment variable in the application, as flatpak is resetting the shell's PATH
+  - --env=PATH=/app/bin/:/usr/bin/
+  # Allow filesystem access to the user's home dir
+  # Needed to manage vaults there
+  - --filesystem=home
+  # Reading system certificates
+  - --filesystem=host-etc:ro
+  # Allow access to the XDG data directory
+  # Needed to connect to KeePassXC's UNIX domain socket
+  - --filesystem=xdg-run/org.keepassxc.KeePassXC.BrowserServer
+  - --filesystem=xdg-run/app/org.keepassxc.KeePassXC/
+  # Share IPC namespace with the host, without it the X11 shared memory extension will not work
+  - --share=ipc
+  # Allow access to the network
+  - --share=network
+  # Show windows using X11
+  - --socket=x11
+  # Needed to reveal encrypted files
+  - --talk-name=org.freedesktop.FileManager1
+  # Run any command on the host
+  # Needed to spawn fusermount on the host
+  - --talk-name=org.freedesktop.Flatpak
+  # Allow desktop notifications
+  - --talk-name=org.freedesktop.Notifications
+  # Allow access to the GNOME secret service API and to talk to the GNOME keyring daemon
+  - --talk-name=org.freedesktop.secrets
+  - --talk-name=org.gnome.keyring
+  # Allow to talk to the KDE kwallet daemon
+  - --talk-name=org.kde.kwalletd5
+  - --talk-name=org.kde.kwalletd6
+  # Needed to talk to the gvfs daemons over D-Bus and list mounts using the GIO APIs
+  - --talk-name=org.gtk.vfs.*
+  # Allow access to appindicator icons
+  - --talk-name=org.ayatana
+  # Allow access to appindicator icons on KDE
+  - --talk-name=org.kde.StatusNotifierWatcher
+cleanup:
+  - /include
+  - /lib/pkgconfig
+modules:
+  - shared-modules/libayatana-appindicator/libayatana-appindicator-gtk3.json
+  - name: libfuse
+    buildsystem: meson
+    config-opts:
+      - -Dexamples=false
+      - -Dinitscriptdir=
+      - -Duseroot=false
+      - -Dtests=false
+      # don't install rules on the host
+      - -Dudevrulesdir=/tmp/
+    sources:
+      - type: archive
+        url: https://github.com/libfuse/libfuse/releases/download/fuse-3.16.2/fuse-3.16.2.tar.gz
+        sha256: f797055d9296b275e981f5f62d4e32e089614fc253d1ef2985851025b8a0ce87
+        x-checker-data:
+          type: anitya
+          project-id: 861
+          url-template: https://github.com/libfuse/libfuse/releases/download/fuse-$version/fuse-$version.tar.gz
+          versions: {<: '3.17.0'}
+  - name: host-command-wrapper
+    buildsystem: simple
+    build-commands:
+      - install fusermount-wrapper.sh /app/bin/fusermount3
+    sources:
+      - type: file
+        path: build-aux/fusermount-wrapper.sh
+  - name: cryptomator
+    buildsystem: simple
+    build-options:
+      env:
+        PATH: /app/bin:/usr/bin
+        MAVEN_OPTS: -Dmaven.repo.local=.m2/repository
+        JAVA_HOME: jdk
+        JMODS_PATH: jmods
+        VERSION: $FLATPAK_VERSION
+        REVISION_NO: '$FLATPAK_REVISION'
+    build-commands:
+      # Setup Java
+      - tar xvfz jdk.tar.gz --transform 's!^[^/]*!jdk!'
+      - mkdir jmods
+      - unzip -j openjfx.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d jmods
+      # Setup Maven
+      - mkdir maven
+      - tar xf maven.tar.gz --strip-components=1 --exclude=jansi-native --directory=maven
+      # Build project
+      - maven/bin/mvn clean package -DskipTests -Plinux -Djavafx.platform=linux
+      - cp target/cryptomator-*.jar target/mods
+      - cd target
+      - $JAVA_HOME/bin/jlink
+        --output runtime
+        --module-path $JMODS_PATH
+        --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.crypto.ec,jdk.crypto.cryptoki,jdk.unsupported,jdk.security.auth,jdk.accessibility,jdk.management.jfr,jdk.net,java.compiler
+        --no-header-files
+        --no-man-pages
+        --strip-debug
+        --compress=zip-0
+      - $JAVA_HOME/bin/jpackage
+        --type app-image
+        --runtime-image runtime
+        --input target/libs
+        --module-path target/mods
+        --module org.cryptomator.desktop/org.cryptomator.launcher.Cryptomator
+        --dest .
+        --name Cryptomator
+        --vendor 'Skymatic GmbH'
+        --copyright '(C) 2016 - 2025 Skymatic GmbH'
+        --java-options '--enable-native-access=javafx.graphics,org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator'
+        --java-options "--sun-misc-unsafe-memory-access=allow"
+        --java-options '-Xss5m'
+        --java-options '-Xmx256m'
+        --java-options '-Dfile.encoding='utf-8''
+        --java-options '-Djava.net.useSystemProxies=true'
+        --java-options "-Dcryptomator.appVersion='${VERSION}'"
+        --java-options "-Dcryptomator.buildNumber='flatpak-${REVISION_NO}'"
+        --java-options '-Dcryptomator.ipcSocketPath='@{userhome}/.config/Cryptomator/ipc.socket''
+        --java-options '-Dcryptomator.adminConfigPath='/run/host/etc/cryptomator/config.properties''
+        --java-options '-Dcryptomator.logDir='@{userhome}/.local/share/Cryptomator/logs''
+        --java-options '-Dcryptomator.mountPointsDir='@{userhome}/.local/share/Cryptomator/mnt''
+        --java-options '-Dcryptomator.pluginDir='@{userhome}/.local/share/Cryptomator/plugins''
+        --java-options '-Dcryptomator.p12Path='@{userhome}/.config/Cryptomator/key.p12''
+        --java-options '-Dcryptomator.settingsPath='@{userhome}/.config/Cryptomator/settings.json:~/.Cryptomator/settings.json''
+        --java-options '-Dcryptomator.showTrayIcon=true'
+        --java-options '-Dcryptomator.updateMechanism=org.cryptomator.linux.update.FlatpakUpdater'
+        --java-options '-Dcryptomator.networking.truststore.p12Path='/run/host/etc/cryptomator/certs.p12''
+        --java-options '-Dcryptomator.hub.enableTrustOnFirstUse=true'
+        --app-version "${VERSION}.${REVISION_NO}"
+        --verbose
+      - cp -R Cryptomator /app/
+      - ln -s /app/Cryptomator/bin/Cryptomator /app/bin/cryptomator
+      - cp -R /app/lib/* /app/Cryptomator/lib/app/
+      - install -D -m0644 -t /app/share/applications/ dist/linux/common/org.cryptomator.Cryptomator.desktop
+      - install -D -m0644 -t /app/share/icons/hicolor/scalable/apps/ dist/linux/common/org.cryptomator.Cryptomator.svg
+      - install -D -m0644 -T dist/linux/common/org.cryptomator.Cryptomator.tray.svg /app/share/icons/hicolor/symbolic/apps/org.cryptomator.Cryptomator.tray-symbolic.svg
+      - install -D -m0644 -T dist/linux/common/org.cryptomator.Cryptomator.tray-unlocked.svg /app/share/icons/hicolor/symbolic/apps/org.cryptomator.Cryptomator.tray-unlocked-symbolic.svg
+      - install -D -m0644 -t /app/share/metainfo/ dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml
+    sources:
+      - $CRYPTOMATOR_SOURCE
+      - maven-dependencies.yaml
+      - maven-dependencies-x86_64.yaml
+      - maven-dependencies-aarch64.yaml
+      - type: file
+        dest-filename: jdk.tar.gz
+        only-arches:
+          - x86_64
+        url: https://github.com/adoptium/temurin25-binaries/releases/download/jdk-25.0.2%2B10/OpenJDK25U-jdk_x64_linux_hotspot_25.0.2_10.tar.gz
+        sha512: 29043fde119a031c2ca8d57aed445fedd9e7f74608fcdc7a809076ba84cfd1c31f08de2ecccf352e159fdcd1cae172395ed46363007552ff242057826c81ab3a
+      - type: file
+        dest-filename: jdk.tar.gz
+        only-arches:
+          - aarch64
+        url: https://github.com/adoptium/temurin25-binaries/releases/download/jdk-25.0.2%2B10/OpenJDK25U-jdk_aarch64_linux_hotspot_25.0.2_10.tar.gz
+        sha512: f1d3ccec3e1f1bed9d632f14b9223709d6e5c2e0d922125d068870dd3016492a2ca8f08924d4a9d0dc5eb2159fa09efee366a748fd0093475baf29e5c70c781a
+      - type: file
+        dest-filename: openjfx.zip
+        only-arches:
+          - x86_64
+        url: https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-x64_bin-jmods.zip
+        sha512: 21f550217101c513f9eb1d7947eba30cb79618238e6539ce770e54e84b01574cdaeba40af602391145f163dd8e43e3794395467413152f13ffffeff948b0ca1b
+      - type: file
+        dest-filename: openjfx.zip
+        only-arches:
+          - aarch64
+        url: https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-aarch64_bin-jmods.zip
+        sha512: a9268409b3803e386490bf1319d0f0a14173cebe862c12254cd51b430ee0a297437d9e38d5ebeae0da8899be898b312b103330d09dcfd3e63c1e7d15f2f14311
+      - type: file
+        dest-filename: maven.tar.gz
+        url: https://repo1.maven.org/maven2/org/apache/maven/apache-maven/3.9.13/apache-maven-3.9.13-bin.tar.gz
+        sha512: d9ccd44ba2991586e359c29eb86780ae8ff4ec1b88b0b8af3af074803472690cf2017782a9c4401343c62cbcd056231db9612e1e551cbd9747c21746d732c015
+        x-checker-data:
+          type: anitya
+          project-id: 1894
+          stable-only: true
+          url-template: https://repo1.maven.org/maven2/org/apache/maven/apache-maven/$version/apache-maven-$version-bin.tar.gz
+          versions: {<: '4.0'}

dist/linux/flatpak/update-maven-dependencies.sh

@@ -0,0 +1,58 @@
+#!/usr/bin/env bash
+
+# update.sh - Script to update the Cryptomator Flatpak maven dependencies
+# Requires yq and natsort to be installed
+
+set -e
+
+if ! command -v yq >/dev/null 2>&1
+then
+    echo "Command 'yq' could not be found."
+    exit 1
+fi
+if ! command -v natsort >/dev/null 2>&1
+then
+    echo "Command 'natsort' could not be found"
+    exit 1
+fi
+
+# clean up previous builds
+rm -rf .flatpak-builder/ build/ repo
+
+# patch the yml file
+## copy the build file to a temporary location
+BACKUP_FILE="org.cryptomator.Cryptomator.yaml.tmp"
+cp org.cryptomator.Cryptomator.yaml $BACKUP_FILE
+## This allows the Flatpak to access the network, which is required to update maven dependencies
+yq '(.modules[] | select(.name == "cryptomator") | .build-options.build-args) = ["--share=network"]' -i org.cryptomator.Cryptomator.yaml
+## Remove the maven dependency files from the sources list
+yq '(.modules[] | select(.name == "cryptomator") | .sources) |= map(select( . == "maven*" | not))' -i org.cryptomator.Cryptomator.yaml
+
+# Build the Flatpak package
+flatpak-builder --force-clean --install-deps-from=flathub --build-only --keep-build-dirs build org.cryptomator.Cryptomator.yaml
+
+# Update maven dependencies
+## Update arch independent dependencies
+( cd .flatpak-builder/build/cryptomator-1/.m2/repository/             \
+ && find * -type f \( -iname '*.jar' -o -iname '*.pom' \)   \
+ | grep -v 'javafx-*-linux-*.jar'                           \
+ | natsort -p                                               \
+ | xargs -rI '{}' bash -c                                   \
+ 'echo -e "- type: file\n  dest: .m2/repository/$(dirname {})\n  url: https://repo.maven.apache.org/maven2/{}\n  sha256: $(sha256sum {} | cut -c 1-64)"' \
+ ) > maven-dependencies.yaml
+
+## Update x86_64 arch dependencies
+( cd .flatpak-builder/build/cryptomator-1/.m2/repository/         \
+ && find * -type f \( -iname 'javafx-*-linux.jar' \)    \
+ | natsort -p                                           \
+ | xargs -rI '{}' bash -c                               \
+ 'echo -e "- type: file\n  dest: .m2/repository/$(dirname {})\n  url: https://repo.maven.apache.org/maven2/{}\n  sha256: $(sha256sum {} | cut -c 1-64)\n  only-arches: [x86_64]"' \
+ ) > maven-dependencies-x86_64.yaml
+
+
+## Update aarch64 arch dependencies :-P
+echo "WARNING: JavaFX AARCH64 dependencies are not updated automatically."
+echo "Please update them manually."
+
+# revert the yml file to its original state
+mv $BACKUP_FILE org.cryptomator.Cryptomator.yaml