From d9134b49adc27863a76d5151c1004ff52f135204 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Fri, 6 Mar 2026 17:11:11 +0100 Subject: [PATCH] add workflow_call to release artifact workflows --- .github/workflows/appimage.yml | 25 ++++++++++++++++++++++--- .github/workflows/mac-dmg-x64.yml | 23 +++++++++++++++++++---- .github/workflows/mac-dmg.yml | 21 ++++++++++++++++++--- .github/workflows/win-exe.yml | 30 +++++++++++++++++++++++++++--- 4 files changed, 86 insertions(+), 13 deletions(-) diff --git a/.github/workflows/appimage.yml b/.github/workflows/appimage.yml index d3da01b7b..2ecef5f22 100644 --- a/.github/workflows/appimage.yml +++ b/.github/workflows/appimage.yml @@ -1,8 +1,19 @@ name: Build AppImage on: - release: - types: [published] + workflow_call: + inputs: + is-release: + description: "Workflow is called by a release" + type: boolean + default: false + outputs: + sha256-appimage-x64: + description: "SHA256 sum of the x64 appimage" + value: ${{ jobs.build.outputs.x64-sha256sum}} + sha256-appimage-aarch64: + description: "SHA256 sum of the aarch64 appimage" + value: ${{ jobs.build.outputs.x64-sha256sum}} workflow_dispatch: inputs: version: @@ -35,6 +46,9 @@ jobs: name: Build AppImage runs-on: ${{ matrix.os }} needs: [get-version] + outputs: + x64-sha256sum: ${{ steps.sha256sum.outputs.value-x86_64 }} + aarch64-sha256sum: ${{ steps.sha256sum.outputs.value-aarch64 }} env: SEMVER_STR: ${{ needs.get-version.outputs.semVerStr }} SEMVER_NUM: ${{ needs.get-version.outputs.semVerNum }} @@ -180,6 +194,10 @@ jobs: ./squashfs-root/AppRun Cryptomator.AppDir cryptomator-${SEMVER_STR}-${{ matrix.arch }}.AppImage -u "gh-releases-zsync|cryptomator|cryptomator|latest|cryptomator-*-${{ matrix.arch }}.AppImage.zsync" --sign --sign-key=615D449FE6E6A235 + - id: sha256sum + run: | + read -ra CMD_OUTPUT < <(sha256sum cryptomator-*.AppImage) + echo "value-${{matrix.arch}}=${CMD_OUTPUT[0]}" >> $GITHUB_OUTPUT - name: Create detached GPG signatures run: | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.AppImage @@ -194,9 +212,10 @@ jobs: cryptomator-*.asc if-no-files-found: error - name: Publish AppImage on GitHub Releases - if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published' + if: github.ref_type == 'tag' && inputs.is-release uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 with: + draft: true fail_on_unmatched_files: true token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }} files: | diff --git a/.github/workflows/mac-dmg-x64.yml b/.github/workflows/mac-dmg-x64.yml index bdb66d667..6c42b43a0 100644 --- a/.github/workflows/mac-dmg-x64.yml +++ b/.github/workflows/mac-dmg-x64.yml @@ -9,8 +9,16 @@ name: Build macOS .dmg for x64 ####################################### on: - release: - types: [published] + workflow_call: + inputs: + is-release: + description: "Workflow is called by a release" + type: boolean + default: false + outputs: + sha256-dmg: + description: "SHA256 sum of the x64 dmg" + value: ${{ jobs.build.outputs.sha256sum}} workflow_dispatch: inputs: version: @@ -32,10 +40,12 @@ jobs: with: version: ${{ inputs.version }} - build-arm: + build: name: Build Cryptomator.app for ${{ matrix.output-suffix }} runs-on: ${{ matrix.os }} needs: [get-version] + outputs: + sha256sum: ${{ steps.sha256sum.outputs.value }} strategy: fail-fast: false matrix: @@ -256,6 +266,10 @@ jobs: password: ${{ secrets.MACOS_NOTARIZATION_PW }} team-id: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} xcode-path: '/Applications/Xcode_16.app' + - id: sha256sum + run: | + read -ra CMD_OUTPUT < <(sha -a256 Cryptomator-*.dmg) + echo "value=${CMD_OUTPUT[0]}" >> $GITHUB_OUTPUT - name: Add possible alpha/beta tags to installer name run: mv Cryptomator-*.dmg Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.output-suffix }}.dmg - name: Create detached GPG signature with key 615D449FE6E6A235 @@ -278,9 +292,10 @@ jobs: Cryptomator-*.asc if-no-files-found: error - name: Publish dmg on GitHub Releases - if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published' + if: github.ref_type == 'tag' && inputs.is-release uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 with: + draft: true fail_on_unmatched_files: true token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }} files: | diff --git a/.github/workflows/mac-dmg.yml b/.github/workflows/mac-dmg.yml index 743586153..ca9c13199 100644 --- a/.github/workflows/mac-dmg.yml +++ b/.github/workflows/mac-dmg.yml @@ -1,8 +1,16 @@ name: Build macOS .dmg for arm64 on: - release: - types: [published] + workflow_call: + inputs: + is-release: + description: "Workflow is called by a release" + type: boolean + default: false + outputs: + sha256-dmg: + description: "SHA256 sum of the arm64 dmg" + value: ${{ jobs.build.outputs.sha256sum}} workflow_dispatch: inputs: version: @@ -34,6 +42,8 @@ jobs: name: Build Cryptomator.app for ${{ matrix.output-suffix }} runs-on: ${{ matrix.os }} needs: [get-version] + outputs: + sha256sum: ${{ steps.sha256sum.outputs.value }} strategy: fail-fast: false matrix: @@ -255,6 +265,10 @@ jobs: password: ${{ secrets.MACOS_NOTARIZATION_PW }} team-id: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }} xcode-path: '/Applications/Xcode_16.app' + - id: sha256sum + run: | + read -ra CMD_OUTPUT < <(sha -a256 Cryptomator-*.dmg) + echo "value=${CMD_OUTPUT[0]}" >> $GITHUB_OUTPUT - name: Add possible alpha/beta tags to installer name run: mv Cryptomator-*.dmg Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.output-suffix }}.dmg - name: Create detached GPG signature with key 615D449FE6E6A235 @@ -277,9 +291,10 @@ jobs: Cryptomator-*.asc if-no-files-found: error - name: Publish dmg on GitHub Releases - if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published' + if: github.ref_type == 'tag' && inputs.is-release uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 with: + draft: true fail_on_unmatched_files: true token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }} files: | diff --git a/.github/workflows/win-exe.yml b/.github/workflows/win-exe.yml index 1e36d0af4..536083d72 100644 --- a/.github/workflows/win-exe.yml +++ b/.github/workflows/win-exe.yml @@ -1,8 +1,19 @@ name: Build Windows Installer on: - release: - types: [published] + workflow_call: + inputs: + is-release: + description: "Workflow is called by a release" + type: boolean + default: false + outputs: + sha256-msi: + description: "SHA256 sum of the x64 msi" + value: ${{ jobs.build-msi.outputs.sha256sum}} + sha256-exe: + description: "SHA256 sum of the x64 exe" + value: ${{ jobs.build-exe.outputs.sha256sum}} workflow_dispatch: inputs: version: @@ -43,6 +54,8 @@ jobs: name: Build .msi Installer runs-on: ${{ matrix.os }} needs: [ get-version ] + outputs: + sha256sum: ${{ steps.sha256sum.outputs.value }} strategy: matrix: include: @@ -270,6 +283,10 @@ jobs: tenant-id: ${{ secrets.AZURE_TENANT_ID }} client-id: ${{ secrets.AZURE_CLIENT_ID }} client-secret: ${{ secrets.AZURE_CLIENT_SECRET }} + - id: sha256sum + run: | + read -ra CMD_OUTPUT < <(sha256sum installer/Cryptomator-*.msi) + echo "value=${CMD_OUTPUT[0]}" >> $GITHUB_OUTPUT - name: Add possible alpha/beta tags and architecture to installer name run: mv installer/Cryptomator-*.msi Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.arch }}.msi - name: Create detached GPG signature with key 615D449FE6E6A235 @@ -292,6 +309,8 @@ jobs: name: Build .exe installer runs-on: ${{ matrix.os }} needs: [ get-version, build-msi ] + outputs: + sha256sum: ${{ steps.sha256sum.outputs.value }} strategy: matrix: include: @@ -413,6 +432,10 @@ jobs: sign-url: 'https://cryptomator.org' username: ${{ secrets.WIN_CODESIGN_USERNAME }} password: ${{ secrets.WIN_CODESIGN_PW }} + - id: sha256sum + run: | + read -ra CMD_OUTPUT < <(sha256sum installer/Cryptomator-*.exe) + echo "value=${CMD_OUTPUT[0]}" >> $GITHUB_OUTPUT - name: Add possible alpha/beta tags to installer name run: mv installer/Cryptomator-Installer.exe Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.executable-suffix }}.exe - name: Create detached GPG signature with key 615D449FE6E6A235 @@ -433,7 +456,7 @@ jobs: publish: name: Publish installers to the github release - if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published' + if: github.ref_type == 'tag' && inputs.is-release runs-on: ubuntu-latest needs: [ build-msi, build-exe ] outputs: @@ -448,6 +471,7 @@ jobs: id: publish uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 with: + draft: true fail_on_unmatched_files: true token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }} # do not change ordering of filelist, required for correct job output