Merge branch 'develop' into feature/window-debug-launcher

# Conflicts:
#	.github/workflows/win-exe.yml
#	dist/win/.gitignore

.github/workflows/appimage.yml

@@ -10,7 +10,8 @@ on:
         required: false
 
 env:
-  JAVA_VERSION: 19
+  JAVA_DIST: 'temurin'
+  JAVA_VERSION: '24.0.1+9'
 
 jobs:
   get-version:
@@ -20,51 +21,79 @@ jobs:
 
   build:
     name: Build AppImage
-    runs-on: ubuntu-latest
+    runs-on: ${{ matrix.os }}
     needs: [get-version]
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            appimage-suffix: x86_64
+            openjfx-url: 'https://download2.gluonhq.com/openjfx/23.0.2/openjfx-23.0.2_linux-x64_bin-jmods.zip'
+            openjfx-sha: '063baebc6922e4a89c94b9dfb7a4f53e59e8d6fec400d4e670b31bc2ab324dec'
+          - os: ubuntu-24.04-arm
+            appimage-suffix: aarch64
+            openjfx-url: 'https://download2.gluonhq.com/openjfx/23.0.2/openjfx-23.0.2_linux-aarch64_bin-jmods.zip'
+            openjfx-sha: '9bbedaeae1590b69e2b22237bda310936df33e344dbc243bea2e86acaab3a0d8'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
-          distribution: 'zulu'
+          distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
-          java-package: 'jdk+fx'
+          check-latest: true
           cache: 'maven'
-      - name: Ensure major jfx version in pom equals in jdk
-        shell: pwsh
+
+      - name: Download OpenJFX jmods
+        id: download-jmods
         run: |
-          $jfxPomVersion = (&mvn help:evaluate "-Dexpression=javafx.version" -q -DforceStdout) -split "\."
-          $jfxJdkVersion = ((Get-Content -path "${env:JAVA_HOME}/lib/javafx.properties" | Where-Object {$_ -like 'javafx.version=*' }) -replace '.*=','') -split "\."
-          if ($jfxPomVersion[0] -ne $jfxJdkVersion[0]) {
-            Write-Error "Major part of JavaFX version in pom($($jfxPomVersion[0])) does not match the version in JDK($($jfxJdkVersion[0])) "
+          curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
+          echo "${{ matrix.openjfx-sha }}  openjfx-jmods.zip" | shasum -a256 --check
+          mkdir -p openjfx-jmods
+          unzip -j openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
+      - name: Ensure major jfx version in pom and in jmods is the same
+        run: |
+          JMOD_VERSION=$(jmod describe openjfx-jmods/javafx.base.jmod | head -1)
+          JMOD_VERSION=${JMOD_VERSION#*@}
+          JMOD_VERSION=${JMOD_VERSION%%.*}
+          POM_JFX_VERSION=$(mvn help:evaluate "-Dexpression=javafx.version" -q -DforceStdout)
+          POM_JFX_VERSION=${POM_JFX_VERSION#*@}
+          POM_JFX_VERSION=${POM_JFX_VERSION%%.*}
+
+          if [ $POM_JFX_VERSION -ne $JMOD_VERSION ]; then
+            >&2 echo "Major JavaFX version in pom.xml (${POM_JFX_VERSION}) != amd64 jmod version (${JMOD_VERSION})"
             exit 1
-          }
+          fi
       - name: Set version
         run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
       - name: Run maven
-        run: mvn -B clean package -Pdependency-check,linux -DskipTests
+        run: mvn -B clean package -Plinux -DskipTests -Djavafx.platform=linux
       - name: Patch target dir
         run: |
           cp LICENSE.txt target
           cp target/cryptomator-*.jar target/mods
+      - name: Run jlink with help option
+        id: jep-493-check
+        run: |
+          JMOD_PATHS="openjfx-jmods"
+          if ! ${JAVA_HOME}/bin/jlink --help | grep -q "Linking from run-time image enabled"; then
+            JMOD_PATHS="${JAVA_HOME}/jmods:${JMOD_PATHS}"
+          fi
+          echo "jmod_paths=${JMOD_PATHS}" >> "$GITHUB_OUTPUT"
       - name: Run jlink
+        #Remark: no compression is applied for improved build compression later (here appimage)
         run: >
           ${JAVA_HOME}/bin/jlink
           --verbose
           --output runtime
-          --module-path "${JAVA_HOME}/jmods"
-          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.unsupported,jdk.crypto.ec,jdk.security.auth,jdk.accessibility,jdk.management.jfr
+          --module-path "${{ steps.jep-493-check.outputs.jmod_paths }}"
+          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.unsupported,jdk.security.auth,jdk.accessibility,jdk.management.jfr,jdk.net,java.compiler
           --strip-native-commands
           --no-header-files
           --no-man-pages
           --strip-debug
-          --compress=1
-      - name: Prepare additional launcher
-        run: envsubst '${SEMVER_STR} ${REVISION_NUM}' < dist/linux/launcher-gtk2.properties > launcher-gtk2.properties
-        env:
-          SEMVER_STR: ${{  needs.get-version.outputs.semVerStr }}
-          REVISION_NUM: ${{  needs.get-version.outputs.revNum }}
+          --compress zip-0
       - name: Run jpackage
         run: >
           ${JAVA_HOME}/bin/jpackage
@@ -77,23 +106,25 @@ jobs:
           --dest appdir
           --name Cryptomator
           --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2023 Skymatic GmbH"
+          --copyright "(C) 2016 - 2025 Skymatic GmbH"
           --app-version "${{  needs.get-version.outputs.semVerNum }}.${{  needs.get-version.outputs.revNum }}"
           --java-options "--enable-preview"
-          --java-options "--enable-native-access=org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64"
+          --java-options "--enable-native-access=org.cryptomator.jfuse.linux.amd64,org.cryptomator.jfuse.linux.aarch64,org.purejava.appindicator"
           --java-options "-Xss5m"
           --java-options "-Xmx256m"
           --java-options "-Dcryptomator.appVersion=\"${{  needs.get-version.outputs.semVerStr }}\""
           --java-options "-Dfile.encoding=\"utf-8\""
-          --java-options "-Dcryptomator.logDir=\"~/.local/share/Cryptomator/logs\""
-          --java-options "-Dcryptomator.pluginDir=\"~/.local/share/Cryptomator/plugins\""
-          --java-options "-Dcryptomator.settingsPath=\"~/.config/Cryptomator/settings.json:~/.Cryptomator/settings.json\""
-          --java-options "-Dcryptomator.p12Path=\"~/.config/Cryptomator/key.p12\""
-          --java-options "-Dcryptomator.ipcSocketPath=\"~/.config/Cryptomator/ipc.socket\""
-          --java-options "-Dcryptomator.mountPointsDir=\"~/.local/share/Cryptomator/mnt\""
-          --java-options "-Dcryptomator.showTrayIcon=false"
+          --java-options "-Djava.net.useSystemProxies=true"
+          --java-options "-Dcryptomator.logDir=\"@{userhome}/.local/share/Cryptomator/logs\""
+          --java-options "-Dcryptomator.pluginDir=\"@{userhome}/.local/share/Cryptomator/plugins\""
+          --java-options "-Dcryptomator.settingsPath=\"@{userhome}/.config/Cryptomator/settings.json:@{userhome}/.Cryptomator/settings.json\""
+          --java-options "-Dcryptomator.p12Path=\"@{userhome}/.config/Cryptomator/key.p12\""
+          --java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/.config/Cryptomator/ipc.socket\""
+          --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/.local/share/Cryptomator/mnt\""
+          --java-options "-Dcryptomator.showTrayIcon=true"
+          --java-options "-Dcryptomator.integrationsLinux.trayIconsDir=\"@{appdir}/usr/share/icons/hicolor/symbolic/apps\""
           --java-options "-Dcryptomator.buildNumber=\"appimage-${{  needs.get-version.outputs.revNum }}\""
-          --add-launcher Cryptomator-gtk2=launcher-gtk2.properties
+          --java-options "-Dcryptomator.networking.truststore.p12Path=\"/etc/cryptomator/certs.p12\""
           --resource-dir dist/linux/resources
       - name: Patch Cryptomator.AppDir
         run: |
@@ -102,17 +133,21 @@ jobs:
           cp dist/linux/common/org.cryptomator.Cryptomator256.png Cryptomator.AppDir/usr/share/icons/hicolor/256x256/apps/org.cryptomator.Cryptomator.png
           cp dist/linux/common/org.cryptomator.Cryptomator512.png Cryptomator.AppDir/usr/share/icons/hicolor/512x512/apps/org.cryptomator.Cryptomator.png
           cp dist/linux/common/org.cryptomator.Cryptomator.svg Cryptomator.AppDir/usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.svg
+          cp dist/linux/common/org.cryptomator.Cryptomator.tray.svg Cryptomator.AppDir/usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.tray.svg
+          cp dist/linux/common/org.cryptomator.Cryptomator.tray-unlocked.svg Cryptomator.AppDir/usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.tray-unlocked.svg
+          cp dist/linux/common/org.cryptomator.Cryptomator.tray.svg Cryptomator.AppDir/usr/share/icons/hicolor/symbolic/apps/org.cryptomator.Cryptomator.tray-symbolic.svg
+          cp dist/linux/common/org.cryptomator.Cryptomator.tray-unlocked.svg Cryptomator.AppDir/usr/share/icons/hicolor/symbolic/apps/org.cryptomator.Cryptomator.tray-unlocked-symbolic.svg
           cp dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml Cryptomator.AppDir/usr/share/metainfo/org.cryptomator.Cryptomator.metainfo.xml
           cp dist/linux/common/org.cryptomator.Cryptomator.desktop Cryptomator.AppDir/usr/share/applications/org.cryptomator.Cryptomator.desktop
           cp dist/linux/common/application-vnd.cryptomator.vault.xml Cryptomator.AppDir/usr/share/mime/packages/application-vnd.cryptomator.vault.xml
           ln -s usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.svg Cryptomator.AppDir/org.cryptomator.Cryptomator.svg
-          ln -s usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.svg Cryptomator.AppDir/Cryptomator.svg
           ln -s usr/share/icons/hicolor/scalable/apps/org.cryptomator.Cryptomator.svg Cryptomator.AppDir/.DirIcon
-          ln -s usr/share/applications/org.cryptomator.Cryptomator.desktop Cryptomator.AppDir/Cryptomator.desktop
+          ln -s usr/share/applications/org.cryptomator.Cryptomator.desktop Cryptomator.AppDir/org.cryptomator.Cryptomator.desktop
+          ln -s org.cryptomator.Cryptomator.metainfo.xml Cryptomator.AppDir/usr/share/metainfo/org.cryptomator.Cryptomator.appdata.xml
           ln -s bin/cryptomator.sh Cryptomator.AppDir/AppRun
       - name: Download AppImageKit
         run: |
-          curl -L https://github.com/AppImage/AppImageKit/releases/download/13/appimagetool-x86_64.AppImage -o appimagetool.AppImage
+          curl -L https://github.com/AppImage/appimagetool/releases/download/continuous/appimagetool-${{ matrix.appimage-suffix }}.AppImage -o appimagetool.AppImage
           chmod +x appimagetool.AppImage
           ./appimagetool.AppImage --appimage-extract
       - name: Prepare GPG-Agent for signing with key 615D449FE6E6A235
@@ -124,29 +159,29 @@ jobs:
           GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
       - name: Build AppImage
         run: >
-          ./squashfs-root/AppRun Cryptomator.AppDir cryptomator-${{  needs.get-version.outputs.semVerStr }}-x86_64.AppImage
-          -u 'gh-releases-zsync|cryptomator|cryptomator|latest|cryptomator-*-x86_64.AppImage.zsync'
-          --sign --sign-key=615D449FE6E6A235 --sign-args="--batch --pinentry-mode loopback"
+          ./squashfs-root/AppRun Cryptomator.AppDir cryptomator-${{  needs.get-version.outputs.semVerStr }}-${{ matrix.appimage-suffix }}.AppImage
+          -u 'gh-releases-zsync|cryptomator|cryptomator|latest|cryptomator-*-${{ matrix.appimage-suffix }}.AppImage.zsync'
+          --sign --sign-key=615D449FE6E6A235
       - name: Create detached GPG signatures
         run: |
           gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.AppImage
           gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator-*.AppImage.zsync
       - name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
-          name: appimage
+          name: appimage-${{ matrix.appimage-suffix }}
           path: |
             cryptomator-*.AppImage
             cryptomator-*.AppImage.zsync
             cryptomator-*.asc
           if-no-files-found: error
       - name: Publish AppImage on GitHub Releases
-        if: startsWith(github.ref, 'refs/tags/')
-        uses: softprops/action-gh-release@v1
+        if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
+        uses: softprops/action-gh-release@v2
         with:
           fail_on_unmatched_files: true
           token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
           files: |
             cryptomator-*.AppImage
             cryptomator-*.zsync
-            cryptomator-*.asc
+            cryptomator-*.asc

.github/workflows/av-whitelist.yml

@@ -0,0 +1,88 @@
+name: AntiVirus Whitelisting
+
+on:
+  workflow_call:
+    inputs:
+      url:
+        description: "Url to the file to upload"
+        required: true
+        type: string
+  workflow_dispatch:
+    inputs:
+      url:
+        description: "Url to the file to upload"
+        required: true
+        type: string
+      avast:
+        description: "Upload to Avast"
+        required: false
+        type: boolean
+        default: false
+      kaspersky:
+        description: "Upload to Kaspersky"
+        required: false
+        type: boolean
+        default: false
+
+jobs:
+  download-file:
+    name: Downloads the file into the VM
+    runs-on: ubuntu-latest
+    outputs:
+      fileName: ${{ steps.extractName.outputs.fileName}}
+    steps:
+      - name: Extract file name
+        id: extractName
+        run: |
+          url="${{ inputs.url }}"
+          echo "fileName=${url##*/}" >> $GITHUB_OUTPUT
+      - name: Download file
+        run: curl --remote-name ${{ inputs.url }} -L -o ${{steps.extractName.outputs.fileName}}
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ steps.extractName.outputs.fileName }}
+          path: ${{ steps.extractName.outputs.fileName }}
+          if-no-files-found: error
+  allowlist-kaspersky:
+    name: Anti Virus Allowlisting Kaspersky
+    runs-on: ubuntu-latest
+    needs: download-file
+    if: github.event_name == 'workflow_call' || inputs.kaspersky
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.download-file.outputs.fileName }}
+          path: upload
+      - name: Upload to Kaspersky
+        uses: SamKirkland/FTP-Deploy-Action@v4.3.5
+        with:
+          protocol: ftps
+          server: allowlist.kaspersky-labs.com
+          port: 990
+          username: ${{ secrets.ALLOWLIST_KASPERSKY_USERNAME }}
+          password: ${{ secrets.ALLOWLIST_KASPERSKY_PASSWORD }}
+          local-dir: ./upload/
+  allowlist-avast:
+    name: Anti Virus Allowlisting Avast
+    runs-on: ubuntu-latest
+    needs: download-file
+    if: github.event_name == 'workflow_call'  || inputs.avast
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.download-file.outputs.fileName }}
+          path: upload
+      - name: Upload to Avast 
+        uses: wlixcc/SFTP-Deploy-Action@v1.2.5
+        with:
+          server: whitelisting.avast.com
+          port: 22
+          username: ${{ secrets.ALLOWLIST_AVAST_USERNAME }}
+          password: ${{ secrets.ALLOWLIST_AVAST_PASSWORD }}
+          ssh_private_key: ''
+          sftp_only: true
+          local_path: './upload/*'
+          remote_path: '/data'

.github/workflows/build.yml

@@ -6,7 +6,8 @@ on:
     types: [labeled]
 
 env:
-  JAVA_VERSION: 19
+  JAVA_DIST: 'temurin'
+  JAVA_VERSION: 24
 
 defaults:
   run:
@@ -17,14 +18,14 @@ jobs:
     name: Compile and Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-java@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
         with:
-          distribution: 'zulu'
+          distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
           cache: 'maven'
       - name: Cache SonarCloud packages
-        uses: actions/cache@v3
+        uses: actions/cache@v4
         with:
           path: ~/.sonar/cache
           key: ${{ runner.os }}-sonar
@@ -32,10 +33,10 @@ jobs:
       - name: Build and Test
         run: >
           xvfb-run
-          mvn -B verify
+          mvn -B verify -Djavafx.platform=linux
           jacoco:report
           org.sonarsource.scanner.maven:sonar-maven-plugin:sonar
-          -Pcoverage,dependency-check
+          -Pcoverage
           -Dsonar.projectKey=cryptomator_cryptomator
           -Dsonar.organization=cryptomator
           -Dsonar.host.url=https://sonarcloud.io
@@ -44,7 +45,7 @@ jobs:
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}
       - name: Draft a release
         if: startsWith(github.ref, 'refs/tags/')
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           draft: true
           discussion_category_name: releases
@@ -52,5 +53,25 @@ jobs:
           generate_release_notes: true
           body: |-
             :construction: Work in Progress
+            ### What's New 🎉
+            
+            ### Bugfixes 🐛
+            
+            ### Other Changes 📎
             
             ---
+            
+            TODO FULL CHANGELOG
+            
+            📜 List of closed issues is available [here](TODO)
+            
+            ---
+            ⏳ Please be patient, the builds are still [running](https://github.com/cryptomator/cryptomator/actions). New versions of Cryptomator can be found here in a few moments. ⏳
+            
+            <!-- Don't forget to include the
+            💾 SHA-256 checksums of release artifacts:
+            ```
+            ```
+            -->
+            
+            As usual, the GPG signatures can be checked using [our public key `5811 7AFA 1F85 B3EE C154  677D 615D 449F E6E6 A235`](https://gist.github.com/cryptobot/211111cf092037490275f39d408f461a).

.github/workflows/check-jdk-updates.yml

@@ -0,0 +1,83 @@
+name: Check JDK for non-major updates
+
+on:
+  schedule:
+    - cron: '0 0 1 * *' # run once a month at the first day of month
+  workflow_dispatch:
+
+env:
+  JDK_VERSION: '24.0.1+9'
+  JDK_VENDOR: temurin
+  RUNTIME_VERSION_HELPER: >
+    public class Test {
+      public static void main(String[]  args) {
+          System.out.println(Runtime.version());
+      }
+    }
+
+jobs:
+  check-version:
+    name: Checkout latest jdk version
+    runs-on: ubuntu-latest
+    env:
+        JDK_MAJOR_VERSION: 'toBeFilled'
+    steps:
+      - name: Determine current major version
+        run: echo 'JDK_MAJOR_VERSION=${{ env.JDK_VERSION }}'.substring(0,20) >> "$env:GITHUB_ENV"
+        shell: pwsh
+      - name: Checkout latest JDK ${{ env.JDK_MAJOR_VERSION }}
+        uses: actions/setup-java@v4
+        with:
+          java-version: ${{ env.JDK_MAJOR_VERSION}}
+          distribution: ${{ env.JDK_VENDOR }}
+          check-latest: true
+      - name: Determine if update is available
+        id: determine
+        shell: pwsh
+        run: |
+          $latestVersion = 0,0,0,0 #INTERIM, UPDATE, PATCH and BUILD
+          $currentVersion = 0,0,0,0
+
+          # Get the latest JDK runtime version
+          "${env:RUNTIME_VERSION_HELPER}" | Set-Content -Path "GetRuntimeVersion.java"
+          $latestVersionString = & java GetRuntimeVersion.java
+          $runtimeVersionAndBuild = $latestVersionString.Split('+')
+          if($runtimeVersionAndBuild.Length -eq 2) {
+            $latestVersion[3]=$runtimeVersionAndBuild[1];
+          }
+          $tmp=$runtimeVersionAndBuild[0].Split('.')
+          for($i=0;$i -lt $latestVersion.Length; $i++) {
+            $latestVersion[$i]=$tmp[$i+1];
+          }
+
+          # Get the current JDK version
+          $runtimeVersionAndBuild = '${{ env.JDK_VERSION}}'.Split('+')
+          if($runtimeVersionAndBuild.Length -eq 2) {
+            $currentVersion[3]=$runtimeVersionAndBuild[1];
+          }
+          $tmp=$runtimeVersionAndBuild[0].Split('.')
+          for($i=0;$i -lt $currentVersion.Length; $i++) {
+            $currentVersion[$i]=$tmp[$i+1];
+          }
+
+          # compare
+          for($i=0; $i -lt $currentVersion.Length ; $i++) {
+            if($latestVersion[$i] -gt  $currentVersion[$i]){
+              echo 'UPDATE_AVAILABLE=true' >> "$env:GITHUB_OUTPUT"
+              echo "LATEST_JDK_VERSION='${latestVersionString}'" >> "$env:GITHUB_OUTPUT"
+              return 0;
+            }
+          }
+      - name: Notify
+        if: steps.determine.outputs.UPDATE_AVAILABLE == 'true'
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_USERNAME: 'Cryptobot'
+          SLACK_ICON: false
+          SLACK_ICON_EMOJI: ':bot:'
+          SLACK_CHANNEL: 'cryptomator-desktop'
+          SLACK_TITLE: "JDK update available"
+          SLACK_MESSAGE: "Cryptomator-CI JDK can be upgraded to ${{ steps.determine.outputs.LATEST_JDK_VERSION }}. Check the Nextcloud collective for instructions."
+          SLACK_FOOTER: false
+          MSG_MINIMAL: true

.github/workflows/debian.yml

@@ -3,9 +3,6 @@ name: Build Debian Package
 on:
   workflow_dispatch:
     inputs:
-      ref:
-        description: 'GitHub Ref (e.g. refs/tags/1.6.16)'
-        required: true
       semver:
         description: 'SemVer String (e.g. 1.7.0-beta1)'
         required: true
@@ -19,19 +16,21 @@ on:
         type: boolean
 
 env:
-  JAVA_VERSION: 19
-  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/19/openjfx-19_linux-x64_bin-jmods.zip'
-  OPENJFX_JMODS_AARCH64: 'https://download2.gluonhq.com/openjfx/19/openjfx-19_linux-aarch64_bin-jmods.zip'
+  JAVA_DIST: 'temurin'
+  JAVA_VERSION: '24.0.1+9'
+  COFFEELIBS_JDK: 24
+  COFFEELIBS_JDK_VERSION: '24.0.1+9-0ppa3'
+  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/23.0.2/openjfx-23.0.2_linux-x64_bin-jmods.zip'
+  OPENJFX_JMODS_AMD64_HASH: '063baebc6922e4a89c94b9dfb7a4f53e59e8d6fec400d4e670b31bc2ab324dec'
+  OPENJFX_JMODS_AARCH64: 'https://download2.gluonhq.com/openjfx/23.0.2/openjfx-23.0.2_linux-aarch64_bin-jmods.zip'
+  OPENJFX_JMODS_AARCH64_HASH: '9bbedaeae1590b69e2b22237bda310936df33e344dbc243bea2e86acaab3a0d8'
 
 jobs:
   build:
     name: Build Debian Package
-    runs-on: ubuntu-20.04
+    runs-on: ubuntu-22.04
     steps:
-      - uses: actions/checkout@v3
-        with:
-          ref: ${{ inputs.ref }}
-          fetch-depth: 0
+      - uses: actions/checkout@v4
       - id: versions
         name: Get version information
         run: |
@@ -45,22 +44,25 @@ jobs:
         run: |
           sudo add-apt-repository ppa:coffeelibs/openjdk
           sudo apt-get update
-          sudo apt-get install debhelper devscripts dput coffeelibs-jdk-19 libgtk2.0-0
+          sudo apt-get install debhelper devscripts dput coffeelibs-jdk-${{ env.COFFEELIBS_JDK }}=${{ env.COFFEELIBS_JDK_VERSION }}
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
-          distribution: 'zulu'
+          distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
+          check-latest: true
           cache: 'maven'
       - name: Run maven
-        run: mvn -B clean package -Pdependency-check,linux -DskipTests
+        run: mvn -B clean package -Plinux -Djavafx.platform=linux -DskipTests
       - name: Download OpenJFX jmods
         id: download-jmods
         run: |
           curl -L ${{ env.OPENJFX_JMODS_AMD64 }} -o openjfx-amd64.zip
+          echo "${{ env.OPENJFX_JMODS_AMD64_HASH }}  openjfx-amd64.zip" | shasum -a256 --check
           mkdir -p jmods/amd64
           unzip -j openjfx-amd64.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d jmods/amd64
           curl -L ${{ env.OPENJFX_JMODS_AARCH64 }} -o openjfx-aarch64.zip
+          echo "${{ env.OPENJFX_JMODS_AARCH64_HASH }}  openjfx-aarch64.zip" | shasum -a256 --check
           mkdir -p jmods/aarch64
           unzip -j openjfx-aarch64.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d jmods/aarch64
       - name: Ensure major jfx version in pom and in jmods is the same
@@ -97,7 +99,8 @@ jobs:
         run: |
           cp -r dist/linux/debian/ pkgdir
           export RFC2822_TIMESTAMP=`date --rfc-2822`
-          envsubst '${SEMVER_STR} ${VERSION_NUM} ${REVISION_NUM}' < dist/linux/debian/rules > pkgdir/debian/rules
+          export DISABLE_UPDATE_CHECK=${{ inputs.dput }}
+          envsubst '${SEMVER_STR} ${VERSION_NUM} ${REVISION_NUM} ${DISABLE_UPDATE_CHECK}' < dist/linux/debian/rules > pkgdir/debian/rules
           envsubst '${PPA_VERSION} ${RFC2822_TIMESTAMP}' < dist/linux/debian/changelog > pkgdir/debian/changelog
           find . -name "*.jar" >> pkgdir/debian/source/include-binaries
           mv pkgdir cryptomator_${{ inputs.ppaver }}
@@ -115,6 +118,7 @@ jobs:
           GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
       - name: debuild
         run: |
+          (sleep 8m; gpg --batch --quiet --pinentry-mode loopback -u 615D449FE6E6A235 --dry-run --sign README.md) &
           debuild -S -sa -d
           debuild -b -sa -d
         env:
@@ -125,7 +129,7 @@ jobs:
         run: |
           gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator_*_amd64.deb
       - name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: linux-deb-package
           path: |
@@ -139,17 +143,11 @@ jobs:
       - name: Publish on PPA
         if: inputs.dput
         run: dput ppa:sebastian-stenzel/cryptomator-beta cryptomator_*_source.changes
-      
       # If ref is a tag, also upload to GitHub Releases:
-      - name: Determine tag name
-        if: startsWith(inputs.ref, 'refs/tags/')
-        run: |
-          REF=${{ inputs.ref }}
-          echo "TAG_NAME=${REF##*/}" >> $GITHUB_ENV
       - name: Publish Debian package on GitHub Releases
-        if: startsWith(inputs.ref, 'refs/tags/')
+        if: startsWith(github.ref, 'refs/tags/') && inputs.dput
         env:
           GITHUB_TOKEN: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
         run: |
           artifacts=$(ls | grep cryptomator*.deb)
-          gh release upload ${{ env.TAG_NAME }} $artifacts
+          gh release upload ${{ github.ref_name }} $artifacts

.github/workflows/dependency-check.yml

@@ -0,0 +1,18 @@
+name: OWASP Maven Dependency Check
+on:
+  schedule:
+    - cron: '0 8 * * 0'
+  workflow_dispatch:
+
+
+jobs:
+  check-dependencies:
+    uses: skymatic/workflows/.github/workflows/run-dependency-check.yml@v1
+    with:
+      runner-os: 'ubuntu-latest'
+      java-distribution: 'temurin'
+      java-version: 24
+      check-command: 'mvn -B validate -Pdependency-check -Djavafx.platform=linux'
+    secrets:
+      nvd-api-key: ${{ secrets.NVD_API_KEY }}
+      slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/dl-stats.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - name: Get download count of latest releases
         id: get-stats
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           script: |
             const query = `query($owner:String!, $name:String!) {

.github/workflows/error-db.yml

@@ -2,7 +2,7 @@ name: Update Error Database
 
 on:
   discussion:
-    types: [created, edited, category_changed, answered, unanswered]
+    types: [created, edited, deleted, category_changed, answered, unanswered]
   discussion_comment:
     types: [created, edited, deleted]
 
@@ -12,8 +12,9 @@ jobs:
     if: github.event.discussion.category.name == 'Errors'
     steps:
       - name: Query Discussion Data
+        if: github.event_name == 'discussion_comment' || github.event_name == 'discussion' && github.event.action != 'deleted'
         id: query-data
-        uses: actions/github-script@v6
+        uses: actions/github-script@v7
         with:
           script: |
             const query = `query ($owner: String!, $name: String!, $discussionNumber: Int!) {
@@ -47,8 +48,13 @@ jobs:
       - name: Merge Error Code Data
         run: |
           jq -c '.' ${{ steps.get-gist.outputs.file }} > original.json
-          echo $DISCUSSION | jq -c '.repository.discussion | .comments = .comments.totalCount | {(.id|tostring) : .}' > new.json
-          jq -s '.[0] * .[1]' original.json new.json > merged.json
+          if [ ! -z "$DISCUSSION" ]
+          then
+            echo $DISCUSSION | jq -c '.repository.discussion | .comments = .comments.totalCount | {(.id|tostring) : .}' > new.json
+            jq -s '.[0] * .[1]' original.json new.json > merged.json
+          else
+            cat original.json | jq 'del(.[] | select(.url=="https://github.com/cryptomator/cryptomator/discussions/${{ github.event.discussion.number }}"))' > merged.json
+          fi
         env:
           DISCUSSION: ${{ steps.query-data.outputs.result }}
       - name: Patch Gist

.github/workflows/flathub.yml

@@ -0,0 +1,88 @@
+name: Create PR for flathub
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: 'Release tag'
+        required: true
+
+jobs:
+  get-version:
+    uses: ./.github/workflows/get-version.yml
+    with:
+      version: ${{ inputs.tag }}
+  tarball:
+    name: Determines tarball url and compute checksum
+    runs-on: ubuntu-latest
+    needs: [get-version]
+    if:  github.event_name == 'workflow_dispatch' || needs.get-version.outputs.versionType == 'stable'
+    outputs:
+      url: ${{ steps.url.outputs.url}}
+      sha512: ${{ steps.sha512.outputs.sha512}}
+    steps:
+      - name: Determine tarball url
+        id: url
+        run: |
+          URL="";
+          if [[ -n "${{ inputs.tag }}"  ]]; then
+            URL="https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ inputs.tag }}.tar.gz"
+          else
+            URL="https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ github.event.release.tag_name }}.tar.gz"
+          fi
+          echo "url=${URL}" >> "$GITHUB_OUTPUT"
+      - name: Download source tarball and compute checksum
+        id: sha512
+        run: |
+          curl --silent --fail-with-body -L -H "Accept: application/vnd.github+json" ${{ steps.url.outputs.url }} --output cryptomator.tar.gz
+          TARBALL_SHA512=$(sha512sum cryptomator.tar.gz | cut -d ' ' -f1)
+          echo "sha512=${TARBALL_SHA512}" >> "$GITHUB_OUTPUT"
+  flathub:
+    name: Create PR for flathub
+    runs-on: ubuntu-latest
+    needs: [tarball, get-version]
+    env:
+      FLATHUB_PR_URL: tbd
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          repository: 'flathub/org.cryptomator.Cryptomator'
+          token: ${{ secrets.CRYPTOBOT_WINGET_TOKEN }}
+      - name: Checkout release branch
+        run: |
+          git checkout -b release/${{ needs.get-version.outputs.semVerStr }}
+      - name: Update build file
+        run: |
+          sed -i -e 's/VERSION: [0-9]\+\.[0-9]\+\.[0-9]\+.*/VERSION: ${{ needs.get-version.outputs.semVerStr }}/g' org.cryptomator.Cryptomator.yaml
+          sed -i -e 's/sha512: [0-9A-Za-z_\+-]\{128\} #CRYPTOMATOR/sha512: ${{ needs.tarball.outputs.sha512 }} #CRYPTOMATOR/g' org.cryptomator.Cryptomator.yaml
+          sed -i -e 's;url: https://github.com/cryptomator/cryptomator/archive/refs/tags/[^[:blank:]]\+;url: ${{ needs.tarball.outputs.url }};g' org.cryptomator.Cryptomator.yaml
+      - name: Commit and push
+        run: |
+          git config user.name "${{ github.actor }}"
+          git config user.email "${{ github.actor_id }}+${{ github.actor }}@users.noreply.github.com"
+          git config push.autoSetupRemote true
+          git stage .
+          git commit -m "Prepare release ${{needs.get-version.outputs.semVerStr}}"
+          git push
+      - name: Create pull request
+        run: |
+          printf "> [!IMPORTANT]\n> Todos:\n> - [ ] Update maven dependencies\n> - [ ] Check for JDK update\n> - [ ] Check for JFX update" > pr_body.md
+          PR_URL=$(gh pr create --title "Release ${{ needs.get-version.outputs.semVerStr }}" --body-file pr_body.md)
+          echo "FLATHUB_PR_URL=$PR_URL" >> "$GITHUB_ENV"
+        env:
+          GH_TOKEN: ${{ secrets.CRYPTOBOT_WINGET_TOKEN }}
+      - name: Slack Notification
+        uses: rtCamp/action-slack-notify@v2
+        if: github.event_name == 'release'
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_USERNAME: 'Cryptobot'
+          SLACK_ICON: false
+          SLACK_ICON_EMOJI: ':bot:'
+          SLACK_CHANNEL: 'cryptomator-desktop'
+          SLACK_TITLE: "Flathub release PR created for ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} created."
+          SLACK_MESSAGE: "See <${{ env.FLATHUB_PR_URL }}|PR> on how to proceed.>."
+          SLACK_FOOTER: false
+          MSG_MINIMAL: true

.github/workflows/get-version.yml

@@ -22,9 +22,8 @@ on:
         value: ${{ jobs.determine-version.outputs.type }}
 
 env:
-  JAVA_VERSION: 19
   JAVA_DIST: 'temurin'
-  JAVA_CACHE: 'maven'
+  JAVA_VERSION: 24
 
 jobs:
   determine-version:
@@ -36,22 +35,22 @@ jobs:
       revNum: ${{ steps.versions.outputs.revNum }}
       type: ${{ steps.versions.outputs.type}}
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
         with:
           fetch-depth: 0
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
-          cache: ${{ env.JAVA_CACHE }}
+          cache: 'maven'
       - id: versions
         name: Get version information
         run: |
           if [[ $GITHUB_REF =~ refs/tags/[0-9]+\.[0-9]+\.[0-9]+.* ]]; then
             SEM_VER_STR=${GITHUB_REF##*/}
           elif [[ "${{ inputs.version }}" =~ [0-9]+\.[0-9]+\.[0-9]+.* ]]; then
-            SEM_VER_STR="${{ github.event.inputs.version }}"
+            SEM_VER_STR="${{ inputs.version }}"
           else
             SEM_VER_STR=`mvn help:evaluate -Dexpression=project.version -q -DforceStdout`
           fi
@@ -72,6 +71,6 @@ jobs:
           echo "revNum=${REVCOUNT}" >> $GITHUB_OUTPUT
           echo "type=${TYPE}" >> $GITHUB_OUTPUT
       - name: Validate Version
-        uses: skymatic/semver-validation-action@v2
+        uses: skymatic/semver-validation-action@v3
         with:
-          version: ${{ steps.versions.outputs.semVerStr }} 
+          version: ${{ steps.versions.outputs.semVerStr }}

.github/workflows/mac-dmg-x64.yml

@@ -0,0 +1,281 @@
+name: Build macOS .dmg for x64
+
+#######################################
+# STOP! DO NOT EDIT THIS FILE!
+#
+# It is a copy of mac-dmg.yml with tiny adjustements (mainly lines 42 to 47)
+# It was made necessary, since Github does not offer free macos intel runners for macos 15 and above.
+#
+#######################################
+
+on:
+  release:
+    types: [published]
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version'
+        required: false
+      notarize:
+        description: 'Notarize'
+        required: true
+        default: false
+        type: boolean
+
+env:
+  JAVA_DIST: 'temurin'
+  JAVA_VERSION: '24.0.1+9'
+
+jobs:
+  get-version:
+    uses: ./.github/workflows/get-version.yml
+    with:
+      version: ${{ inputs.version }}
+
+  build-arm:
+    name: Build Cryptomator.app for ${{ matrix.output-suffix }}
+    runs-on: ${{ matrix.os }}
+    needs: [get-version]
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+        - os: macos-15-large
+          architecture: x64
+          output-suffix: x64
+          fuse-lib: macFUSE
+          openjfx-url: 'https://download2.gluonhq.com/openjfx/23.0.2/openjfx-23.0.2_osx-x64_bin-jmods.zip'
+          openjfx-sha: '5e6c65c065eea22430c0eab36f37a5985eb8ad99e19e8772262021740d338f68'
+    steps:
+      - uses: actions/checkout@v4
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: ${{ env.JAVA_DIST }}
+          java-version: ${{ env.JAVA_VERSION }}
+          architecture: ${{ matrix.architecture }}
+          check-latest: true
+          cache: 'maven'
+      - name: Download OpenJFX jmods
+        id: download-jmods
+        run: |
+          curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
+          echo "${{ matrix.openjfx-sha }} *openjfx-jmods.zip" | shasum -a256 --check
+          mkdir -p openjfx-jmods/
+          unzip -jo openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
+      - name: Ensure major jfx version in pom and in jmods is the same
+        run: |
+          JMOD_VERSION=$(jmod describe openjfx-jmods/javafx.base.jmod | head -1)
+          JMOD_VERSION=${JMOD_VERSION#*@}
+          JMOD_VERSION=${JMOD_VERSION%%.*}
+          POM_JFX_VERSION=$(mvn help:evaluate "-Dexpression=javafx.version" -q -DforceStdout)
+          POM_JFX_VERSION=${POM_JFX_VERSION#*@}
+          POM_JFX_VERSION=${POM_JFX_VERSION%%.*}
+
+          if [ "${POM_JFX_VERSION}" -ne "${JMOD_VERSION}" ]; then
+            >&2 echo "Major JavaFX version in pom.xml (${POM_JFX_VERSION}) != jmod version (${JMOD_VERSION})"
+            exit 1
+          fi
+      - name: Set version
+        run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
+      - name: Run maven
+        run: mvn -B -Djavafx.platform=mac clean package -Pmac -DskipTests
+      - name: Patch target dir
+        run: |
+          cp LICENSE.txt target
+          cp target/cryptomator-*.jar target/mods
+      - name: Run jlink with help option
+        id: jep-493-check
+        run: |
+          JMOD_PATHS="openjfx-jmods"
+          if ! ${JAVA_HOME}/bin/jlink --help | grep -q "Linking from run-time image enabled"; then
+            JMOD_PATHS="${JAVA_HOME}/jmods:${JMOD_PATHS}"
+          fi
+          echo "jmod_paths=${JMOD_PATHS}" >> "$GITHUB_OUTPUT"
+      - name: Run jlink
+        #Remark: no compression is applied for improved build compression later (here dmg)
+        run: >
+          ${JAVA_HOME}/bin/jlink
+          --verbose
+          --output runtime
+          --module-path "${{ steps.jep-493-check.outputs.jmod_paths }}"
+          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.unsupported,jdk.accessibility,jdk.management.jfr,java.compiler
+          --strip-native-commands
+          --no-header-files
+          --no-man-pages
+          --strip-debug
+          --compress zip-0
+      - name: Run jpackage
+        run: >
+          ${JAVA_HOME}/bin/jpackage
+          --verbose
+          --type app-image
+          --runtime-image runtime
+          --input target/libs
+          --module-path target/mods
+          --module org.cryptomator.desktop/org.cryptomator.launcher.Cryptomator
+          --dest appdir
+          --name Cryptomator
+          --vendor "Skymatic GmbH"
+          --copyright "(C) 2016 - 2025 Skymatic GmbH"
+          --app-version "${{ needs.get-version.outputs.semVerNum }}"
+          --java-options "--enable-preview"
+          --java-options "--enable-native-access=org.cryptomator.jfuse.mac"
+          --java-options "-Xss5m"
+          --java-options "-Xmx256m"
+          --java-options "-Dfile.encoding=\"utf-8\""
+          --java-options "-Djava.net.useSystemProxies=true"
+          --java-options "-Dapple.awt.enableTemplateImages=true"
+          --java-options "-Dsun.java2d.metal=true"
+          --java-options "-Dcryptomator.appVersion=\"${{ needs.get-version.outputs.semVerStr }}\""
+          --java-options "-Dcryptomator.logDir=\"@{userhome}/Library/Logs/Cryptomator\""
+          --java-options "-Dcryptomator.pluginDir=\"@{userhome}/Library/Application Support/Cryptomator/Plugins\""
+          --java-options "-Dcryptomator.settingsPath=\"@{userhome}/Library/Application Support/Cryptomator/settings.json\""
+          --java-options "-Dcryptomator.p12Path=\"@{userhome}/Library/Application Support/Cryptomator/key.p12\""
+          --java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/Library/Application Support/Cryptomator/ipc.socket\""
+          --java-options "-Dcryptomator.integrationsMac.keychainServiceName=\"Cryptomator\""
+          --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/Library/Application Support/Cryptomator/mnt\""
+          --java-options "-Dcryptomator.showTrayIcon=true"
+          --java-options "-Dcryptomator.buildNumber=\"dmg-${{ needs.get-version.outputs.revNum }}\""
+          --mac-package-identifier org.cryptomator
+          --resource-dir dist/mac/resources
+      - name: Patch Cryptomator.app
+        run: |
+          mv appdir/Cryptomator.app Cryptomator.app
+          mv dist/mac/resources/Cryptomator-Vault.icns Cryptomator.app/Contents/Resources/
+          sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NO}|g" Cryptomator.app/Contents/Info.plist
+          sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NO}|g" Cryptomator.app/Contents/Info.plist
+          echo -n "$PROVISIONING_PROFILE_BASE64" | base64 --decode --output Cryptomator.app/Contents/embedded.provisionprofile
+        env:
+          VERSION_NO: ${{ needs.get-version.outputs.semVerNum }}
+          REVISION_NO: ${{ needs.get-version.outputs.revNum }}
+          PROVISIONING_PROFILE_BASE64: ${{ secrets.MACOS_PROVISIONING_PROFILE_BASE64 }}
+      - name: Generate license for dmg
+        run: >
+          mvn -B -Djavafx.platform=mac license:add-third-party
+          -Dlicense.thirdPartyFilename=license.rtf
+          -Dlicense.outputDirectory=dist/mac/dmg/resources
+          -Dlicense.fileTemplate=dist/mac/dmg/resources/licenseTemplate.ftl
+          -Dlicense.includedScopes=compile
+          -Dlicense.excludedGroups=^org\.cryptomator
+          -Dlicense.failOnMissing=true
+          -Dlicense.licenseMergesUrl=file://${{ github.workspace }}/license/merges
+      - name: Install codesign certificate
+        run: |
+          # create variables
+          CERTIFICATE_PATH=$RUNNER_TEMP/codesign.p12
+          KEYCHAIN_PATH=$RUNNER_TEMP/codesign.keychain-db
+
+          # import certificate and provisioning profile from secrets
+          echo -n "$CODESIGN_P12_BASE64" | base64 --decode --output $CERTIFICATE_PATH
+
+          # create temporary keychain
+          security create-keychain -p "$CODESIGN_TMP_KEYCHAIN_PW" $KEYCHAIN_PATH
+          security set-keychain-settings -lut 900 $KEYCHAIN_PATH
+          security unlock-keychain -p "$CODESIGN_TMP_KEYCHAIN_PW" $KEYCHAIN_PATH
+
+          # import certificate to keychain
+          security import $CERTIFICATE_PATH -P "$CODESIGN_P12_PW" -A -t cert -f pkcs12 -k $KEYCHAIN_PATH
+          security list-keychain -d user -s $KEYCHAIN_PATH
+        env:
+          CODESIGN_P12_BASE64: ${{ secrets.MACOS_CODESIGN_P12_BASE64 }}
+          CODESIGN_P12_PW: ${{ secrets.MACOS_CODESIGN_P12_PW }}
+          CODESIGN_TMP_KEYCHAIN_PW: ${{ secrets.MACOS_CODESIGN_TMP_KEYCHAIN_PW }}
+      - name: Codesign
+        run: |
+          echo "Codesigning jdk files..."
+          find Cryptomator.app/Contents/runtime/Contents/Home/lib/ -name '*.dylib' -exec codesign --force -s ${CODESIGN_IDENTITY} {} \;
+          find Cryptomator.app/Contents/runtime/Contents/Home/lib/ \( -name 'jspawnhelper' -o -name 'pauseengine' -o -name 'simengine' \) -exec codesign --force -o runtime -s ${CODESIGN_IDENTITY} {} \;
+          echo "Codesigning jar contents..."
+          find Cryptomator.app/Contents/runtime/Contents/MacOS -name '*.dylib' -exec codesign --force -s ${CODESIGN_IDENTITY} {} \;
+          for JAR_PATH in `find Cryptomator.app -name "*.jar"`; do
+            if [[ `unzip -l ${JAR_PATH} | grep '.dylib\|.jnilib'` ]]; then
+              JAR_FILENAME=$(basename ${JAR_PATH})
+              OUTPUT_PATH=${JAR_PATH%.*}
+              echo "Codesigning libs in ${JAR_FILENAME}..."
+              unzip -q ${JAR_PATH} -d ${OUTPUT_PATH}
+              find ${OUTPUT_PATH} -name '*.dylib' -exec codesign --force -s ${CODESIGN_IDENTITY} {} \;
+              find ${OUTPUT_PATH} -name '*.jnilib' -exec codesign --force -s ${CODESIGN_IDENTITY} {} \;
+              rm ${JAR_PATH}
+              pushd ${OUTPUT_PATH} > /dev/null
+              zip -qr ../${JAR_FILENAME} *
+              popd > /dev/null
+              rm -r ${OUTPUT_PATH}
+            fi
+          done
+          echo "Codesigning Cryptomator.app..."
+          sed -i '' "s|###APP_IDENTIFIER_PREFIX###|${TEAM_IDENTIFIER}.|g" dist/mac/Cryptomator.entitlements
+          sed -i '' "s|###TEAM_IDENTIFIER###|${TEAM_IDENTIFIER}|g" dist/mac/Cryptomator.entitlements
+          codesign --force --deep --entitlements dist/mac/Cryptomator.entitlements -o runtime -s ${CODESIGN_IDENTITY} Cryptomator.app
+        env:
+          CODESIGN_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
+          TEAM_IDENTIFIER: ${{ secrets.MACOS_TEAM_IDENTIFIER }}
+      - name: Prepare .dmg contents
+        run: |
+          mkdir dmg
+          mv Cryptomator.app dmg
+          cp dist/mac/dmg/resources/${{ matrix.fuse-lib }}.webloc dmg
+          ls -l dmg
+      - name: Install create-dmg
+        run: |
+          brew install create-dmg
+          create-dmg --help
+      - name: Create .dmg
+        run: >
+          create-dmg
+          --volname Cryptomator
+          --volicon "dist/mac/dmg/resources/Cryptomator-Volume.icns"
+          --background "dist/mac/dmg/resources/Cryptomator-${{ matrix.fuse-lib }}-background.tiff"
+          --window-pos 400 100
+          --window-size 640 694
+          --icon-size 128
+          --icon "Cryptomator.app" 128 245
+          --hide-extension "Cryptomator.app"
+          --icon "${{ matrix.fuse-lib }}.webloc" 320 501
+          --hide-extension "${{ matrix.fuse-lib }}.webloc"
+          --app-drop-link 512 245
+          --eula "dist/mac/dmg/resources/license.rtf"
+          --icon ".background" 128 758
+          --icon ".VolumeIcon.icns" 512 758
+          Cryptomator-${VERSION_NO}-${{ matrix.output-suffix }}.dmg dmg
+        env:
+          VERSION_NO: ${{ needs.get-version.outputs.semVerNum }}
+      - name: Notarize .dmg
+        if: startsWith(github.ref, 'refs/tags/') || inputs.notarize
+        uses: cocoalibs/xcode-notarization-action@v1
+        with:
+          app-path: 'Cryptomator-*.dmg'
+          apple-id: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
+          password: ${{ secrets.MACOS_NOTARIZATION_PW }}
+          team-id: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
+          xcode-path: '/Applications/Xcode_16.app'
+      - name: Add possible alpha/beta tags to installer name
+        run: mv Cryptomator-*.dmg Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.output-suffix }}.dmg
+      - name: Create detached GPG signature with key 615D449FE6E6A235
+        run: |
+          echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
+          echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a Cryptomator-*.dmg
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
+      - name: Clean up codesign certificate
+        if: ${{ always() }}
+        run: security delete-keychain $RUNNER_TEMP/codesign.keychain-db
+        continue-on-error: true
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: dmg-${{ matrix.output-suffix }}
+          path: |
+            Cryptomator-*.dmg
+            Cryptomator-*.asc
+          if-no-files-found: error
+      - name: Publish dmg on GitHub Releases
+        if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
+        uses: softprops/action-gh-release@v2
+        with:
+          fail_on_unmatched_files: true
+          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
+          files: |
+            Cryptomator-*.dmg
+            Cryptomator-*.asc

.github/workflows/mac-dmg.yml

@@ -1,4 +1,4 @@
-name: Build macOS .dmg
+name: Build macOS .dmg for arm64
 
 on:
   release:
@@ -8,9 +8,15 @@ on:
       version:
         description: 'Version'
         required: false
+      notarize:
+        description: 'Notarize'
+        required: true
+        default: false
+        type: boolean
 
 env:
-  JAVA_VERSION: 19
+  JAVA_DIST: 'temurin'
+  JAVA_VERSION: '24.0.1+9'
 
 jobs:
   get-version:
@@ -26,54 +32,71 @@ jobs:
       fail-fast: false
       matrix:
         include:
-        - os: macos-11
-          architecture: x64
-          output-suffix: x64
-          xcode-path: '/Applications/Xcode_13.2.1.app'
-        - os: [self-hosted, macOS, ARM64]
+        - os: macos-15
           architecture: aarch64
           output-suffix: arm64
-          xcode-path: '/Applications/Xcode_13.2.1.app'
+          fuse-lib: FUSE-T
+          openjfx-url: 'https://download2.gluonhq.com/openjfx/23.0.2/openjfx-23.0.2_osx-aarch64_bin-jmods.zip'
+          openjfx-sha: 'c690cc642a3924cf56622951f478ba57aec9ce09063761f800c3319331bed3fc'
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
-          distribution: 'zulu'
+          distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
-          java-package: 'jdk+fx'
           architecture: ${{ matrix.architecture }}
+          check-latest: true
           cache: 'maven'
-      - name: Ensure major jfx version in pom equals in jdk
-        if: ${{ !contains(matrix.os, 'self-hosted') }}
-        shell: pwsh
+      - name: Download OpenJFX jmods
+        id: download-jmods
         run: |
-          $jfxPomVersion = (&mvn help:evaluate "-Dexpression=javafx.version" -q -DforceStdout) -split "\."
-          $jfxJdkVersion = ((Get-Content -path "${env:JAVA_HOME}/lib/javafx.properties" | Where-Object {$_ -like 'javafx.version=*' }) -replace '.*=','') -split "\."
-          if ($jfxPomVersion[0] -ne $jfxJdkVersion[0]) {
-            Write-Error "Major part of JavaFX version in pom($($jfxPomVersion[0])) does not match the version in JDK($($jfxJdkVersion[0])) "
+          curl -L ${{ matrix.openjfx-url }} -o openjfx-jmods.zip
+          echo "${{ matrix.openjfx-sha }} *openjfx-jmods.zip" | shasum -a256 --check
+          mkdir -p openjfx-jmods/
+          unzip -jo openjfx-jmods.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d openjfx-jmods
+      - name: Ensure major jfx version in pom and in jmods is the same
+        run: |
+          JMOD_VERSION=$(jmod describe openjfx-jmods/javafx.base.jmod | head -1)
+          JMOD_VERSION=${JMOD_VERSION#*@}
+          JMOD_VERSION=${JMOD_VERSION%%.*}
+          POM_JFX_VERSION=$(mvn help:evaluate "-Dexpression=javafx.version" -q -DforceStdout)
+          POM_JFX_VERSION=${POM_JFX_VERSION#*@}
+          POM_JFX_VERSION=${POM_JFX_VERSION%%.*}
+
+          if [ "${POM_JFX_VERSION}" -ne "${JMOD_VERSION}" ]; then
+            >&2 echo "Major JavaFX version in pom.xml (${POM_JFX_VERSION}) != jmod version (${JMOD_VERSION})"
             exit 1
-          }
+          fi
       - name: Set version
         run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
       - name: Run maven
-        run: mvn -B clean package -Pdependency-check,mac -DskipTests
+        run: mvn -B -Djavafx.platform=mac clean package -Pmac -DskipTests
       - name: Patch target dir
         run: |
           cp LICENSE.txt target
           cp target/cryptomator-*.jar target/mods
+      - name: Run jlink with help option
+        id: jep-493-check
+        run: |
+          JMOD_PATHS="openjfx-jmods"
+          if ! ${JAVA_HOME}/bin/jlink --help | grep -q "Linking from run-time image enabled"; then
+            JMOD_PATHS="${JAVA_HOME}/jmods:${JMOD_PATHS}"
+          fi
+          echo "jmod_paths=${JMOD_PATHS}" >> "$GITHUB_OUTPUT"
       - name: Run jlink
+        #Remark: no compression is applied for improved build compression later (here dmg)
         run: >
           ${JAVA_HOME}/bin/jlink
           --verbose
           --output runtime
-          --module-path "${JAVA_HOME}/jmods"
-          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr
+          --module-path "${{ steps.jep-493-check.outputs.jmod_paths }}"
+          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.unsupported,jdk.accessibility,jdk.management.jfr,java.compiler
           --strip-native-commands
           --no-header-files
           --no-man-pages
           --strip-debug
-          --compress=1
+          --compress zip-0
       - name: Run jpackage
         run: >
           ${JAVA_HOME}/bin/jpackage
@@ -86,23 +109,24 @@ jobs:
           --dest appdir
           --name Cryptomator
           --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2023 Skymatic GmbH"
+          --copyright "(C) 2016 - 2025 Skymatic GmbH"
           --app-version "${{ needs.get-version.outputs.semVerNum }}"
           --java-options "--enable-preview"
           --java-options "--enable-native-access=org.cryptomator.jfuse.mac"
           --java-options "-Xss5m"
           --java-options "-Xmx256m"
           --java-options "-Dfile.encoding=\"utf-8\""
+          --java-options "-Djava.net.useSystemProxies=true"
           --java-options "-Dapple.awt.enableTemplateImages=true"
           --java-options "-Dsun.java2d.metal=true"
           --java-options "-Dcryptomator.appVersion=\"${{ needs.get-version.outputs.semVerStr }}\""
-          --java-options "-Dcryptomator.logDir=\"~/Library/Logs/Cryptomator\""
-          --java-options "-Dcryptomator.pluginDir=\"~/Library/Application Support/Cryptomator/Plugins\""
-          --java-options "-Dcryptomator.settingsPath=\"~/Library/Application Support/Cryptomator/settings.json\""
-          --java-options "-Dcryptomator.p12Path=\"~/Library/Application Support/Cryptomator/key.p12\""
-          --java-options "-Dcryptomator.ipcSocketPath=\"~/Library/Application Support/Cryptomator/ipc.socket\""
+          --java-options "-Dcryptomator.logDir=\"@{userhome}/Library/Logs/Cryptomator\""
+          --java-options "-Dcryptomator.pluginDir=\"@{userhome}/Library/Application Support/Cryptomator/Plugins\""
+          --java-options "-Dcryptomator.settingsPath=\"@{userhome}/Library/Application Support/Cryptomator/settings.json\""
+          --java-options "-Dcryptomator.p12Path=\"@{userhome}/Library/Application Support/Cryptomator/key.p12\""
+          --java-options "-Dcryptomator.ipcSocketPath=\"@{userhome}/Library/Application Support/Cryptomator/ipc.socket\""
           --java-options "-Dcryptomator.integrationsMac.keychainServiceName=\"Cryptomator\""
-          --java-options "-Dcryptomator.mountPointsDir=\"~/Cryptomator\""
+          --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/Library/Application Support/Cryptomator/mnt\""
           --java-options "-Dcryptomator.showTrayIcon=true"
           --java-options "-Dcryptomator.buildNumber=\"dmg-${{ needs.get-version.outputs.revNum }}\""
           --mac-package-identifier org.cryptomator
@@ -113,12 +137,14 @@ jobs:
           mv dist/mac/resources/Cryptomator-Vault.icns Cryptomator.app/Contents/Resources/
           sed -i '' "s|###BUNDLE_SHORT_VERSION_STRING###|${VERSION_NO}|g" Cryptomator.app/Contents/Info.plist
           sed -i '' "s|###BUNDLE_VERSION###|${REVISION_NO}|g" Cryptomator.app/Contents/Info.plist
+          echo -n "$PROVISIONING_PROFILE_BASE64" | base64 --decode --output Cryptomator.app/Contents/embedded.provisionprofile
         env:
           VERSION_NO: ${{ needs.get-version.outputs.semVerNum }}
           REVISION_NO: ${{ needs.get-version.outputs.revNum }}
+          PROVISIONING_PROFILE_BASE64: ${{ secrets.MACOS_PROVISIONING_PROFILE_BASE64 }}
       - name: Generate license for dmg
         run: >
-          mvn -B license:add-third-party
+          mvn -B -Djavafx.platform=mac license:add-third-party
           -Dlicense.thirdPartyFilename=license.rtf
           -Dlicense.outputDirectory=dist/mac/dmg/resources
           -Dlicense.fileTemplate=dist/mac/dmg/resources/licenseTemplate.ftl
@@ -151,7 +177,7 @@ jobs:
         run: |
           echo "Codesigning jdk files..."
           find Cryptomator.app/Contents/runtime/Contents/Home/lib/ -name '*.dylib' -exec codesign --force -s ${CODESIGN_IDENTITY} {} \;
-          find Cryptomator.app/Contents/runtime/Contents/Home/lib/ -name 'jspawnhelper' -exec codesign --force -o runtime -s ${CODESIGN_IDENTITY} {} \;
+          find Cryptomator.app/Contents/runtime/Contents/Home/lib/ \( -name 'jspawnhelper' -o -name 'pauseengine' -o -name 'simengine' \) -exec codesign --force -o runtime -s ${CODESIGN_IDENTITY} {} \;
           echo "Codesigning jar contents..."
           find Cryptomator.app/Contents/runtime/Contents/MacOS -name '*.dylib' -exec codesign --force -s ${CODESIGN_IDENTITY} {} \;
           for JAR_PATH in `find Cryptomator.app -name "*.jar"`; do
@@ -170,14 +196,17 @@ jobs:
             fi
           done
           echo "Codesigning Cryptomator.app..."
+          sed -i '' "s|###APP_IDENTIFIER_PREFIX###|${TEAM_IDENTIFIER}.|g" dist/mac/Cryptomator.entitlements
+          sed -i '' "s|###TEAM_IDENTIFIER###|${TEAM_IDENTIFIER}|g" dist/mac/Cryptomator.entitlements
           codesign --force --deep --entitlements dist/mac/Cryptomator.entitlements -o runtime -s ${CODESIGN_IDENTITY} Cryptomator.app
         env:
           CODESIGN_IDENTITY: ${{ secrets.MACOS_CODESIGN_IDENTITY }}
+          TEAM_IDENTIFIER: ${{ secrets.MACOS_TEAM_IDENTIFIER }}
       - name: Prepare .dmg contents
         run: |
           mkdir dmg
           mv Cryptomator.app dmg
-          cp dist/mac/dmg/resources/macFUSE.webloc dmg
+          cp dist/mac/dmg/resources/${{ matrix.fuse-lib }}.webloc dmg
           ls -l dmg
       - name: Install create-dmg
         run: |
@@ -188,31 +217,30 @@ jobs:
           create-dmg
           --volname Cryptomator
           --volicon "dist/mac/dmg/resources/Cryptomator-Volume.icns"
-          --background "dist/mac/dmg/resources/Cryptomator-background.tiff"
+          --background "dist/mac/dmg/resources/Cryptomator-${{ matrix.fuse-lib }}-background.tiff"
           --window-pos 400 100
           --window-size 640 694
           --icon-size 128
           --icon "Cryptomator.app" 128 245
           --hide-extension "Cryptomator.app"
-          --icon "macFUSE.webloc" 320 501
-          --hide-extension "macFUSE.webloc"
+          --icon "${{ matrix.fuse-lib }}.webloc" 320 501
+          --hide-extension "${{ matrix.fuse-lib }}.webloc"
           --app-drop-link 512 245
           --eula "dist/mac/dmg/resources/license.rtf"
           --icon ".background" 128 758
-          --icon ".fseventsd" 320 758
           --icon ".VolumeIcon.icns" 512 758
           Cryptomator-${VERSION_NO}-${{ matrix.output-suffix }}.dmg dmg
         env:
           VERSION_NO: ${{ needs.get-version.outputs.semVerNum }}
       - name: Notarize .dmg
-        if: startsWith(github.ref, 'refs/tags/')
+        if: startsWith(github.ref, 'refs/tags/') || inputs.notarize
         uses: cocoalibs/xcode-notarization-action@v1
         with:
           app-path: 'Cryptomator-*.dmg'
           apple-id: ${{ secrets.MACOS_NOTARIZATION_APPLE_ID }}
           password: ${{ secrets.MACOS_NOTARIZATION_PW }}
           team-id: ${{ secrets.MACOS_NOTARIZATION_TEAM_ID }}
-          xcode-path: ${{ matrix.xcode-path }}
+          xcode-path: '/Applications/Xcode_16.app'
       - name: Add possible alpha/beta tags to installer name
         run: mv Cryptomator-*.dmg Cryptomator-${{ needs.get-version.outputs.semVerStr }}-${{ matrix.output-suffix }}.dmg
       - name: Create detached GPG signature with key 615D449FE6E6A235
@@ -227,14 +255,16 @@ jobs:
         run: security delete-keychain $RUNNER_TEMP/codesign.keychain-db
         continue-on-error: true
       - name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: dmg-${{ matrix.output-suffix }}
-          path: Cryptomator-*.dmg
+          path: |
+            Cryptomator-*.dmg
+            Cryptomator-*.asc
           if-no-files-found: error
       - name: Publish dmg on GitHub Releases
-        if: startsWith(github.ref, 'refs/tags/')
-        uses: softprops/action-gh-release@v1
+        if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
+        uses: softprops/action-gh-release@v2
         with:
           fail_on_unmatched_files: true
           token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}

.github/workflows/no-response.yml

@@ -0,0 +1,22 @@
+# Configuration for close-stale-issues - https://github.com/marketplace/actions/close-stale-issues
+
+name: 'Close awaiting response issues'
+on:
+  schedule:
+    - cron: '00 09 * * *'
+
+jobs:
+  no-response:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v9
+        with:
+          days-before-stale: 14
+          days-before-close: 0
+          days-before-pr-close: -1
+          stale-issue-label: 'state:stale'
+          close-issue-message: "This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further."
+          only-labels: 'state:awaiting-response'

.github/workflows/post-publish.yml

@@ -10,7 +10,7 @@ jobs:
     steps:
       - name: Download source tarball
         run: |
-          curl -L -H "Accept: application/vnd.github+json" ${{ github.event.release.tarball_url }} --output cryptomator-${{ github.event.release.tag_name }}.tar.gz
+          curl -L -H "Accept: application/vnd.github+json" https://github.com/cryptomator/cryptomator/archive/refs/tags/${{ github.event.release.tag_name }}.tar.gz --output cryptomator-${{ github.event.release.tag_name }}.tar.gz
       - name: Sign source tarball with key 615D449FE6E6A235
         run: |
           echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
@@ -19,7 +19,7 @@ jobs:
           GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
           GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
       - name: Publish asc on GitHub Releases
-        uses: softprops/action-gh-release@v1
+        uses: softprops/action-gh-release@v2
         with:
           fail_on_unmatched_files: true
           token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}

.github/workflows/pullrequest.yml

@@ -4,7 +4,8 @@ on:
   pull_request:
 
 env:
-  JAVA_VERSION: 19
+  JAVA_DIST: 'temurin'
+  JAVA_VERSION: 24
 
 defaults:
   run:
@@ -14,13 +15,12 @@ jobs:
   test:
     name: Compile and Test
     runs-on: ubuntu-latest
-    if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')"
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-java@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-java@v4
         with:
-          distribution: 'zulu'
+          distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
           cache: 'maven'
       - name: Build and Test
-        run: xvfb-run mvn -B clean install jacoco:report -Pcoverage,dependency-check
+        run: xvfb-run mvn -B clean install jacoco:report -Pcoverage -Djavafx.platform=linux

.github/workflows/release-check.yml

@@ -6,19 +6,26 @@ on:
       - 'release/**'
       - 'hotfix/**'
 
-env:
-  JAVA_VERSION: 19
-
 defaults:
   run:
     shell: bash
 
+env:
+  JAVA_DIST: 'temurin'
+  JAVA_VERSION: 23
+
 jobs:
-  release-check-precondition:
+  check-preconditions:
     name: Validate commits pushed to release/hotfix branch to fulfill release requirements
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
+      - name: Setup Java
+        uses: actions/setup-java@v4
+        with:
+          distribution: ${{ env.JAVA_DIST }}
+          java-version: ${{ env.JAVA_VERSION }}
+          cache: 'maven'
       - id: validate-pom-version
         name: Validate POM version
         run: |
@@ -37,7 +44,22 @@ jobs:
           fi
       - name: Validate release in org.cryptomator.Cryptomator.metainfo.xml file
         run: |
-          if ! grep -q "<release date=\".*\" version=\"${{ steps.validate-pom-version.outputs.semVerStr }}\"/>" dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml; then
+          if ! grep -q "<release date=\".*\" version=\"${{ steps.validate-pom-version.outputs.semVerStr }}\">" dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml; then
             echo "Release not set in dist/linux/common/org.cryptomator.Cryptomator.metainfo.xml"
             exit 1
-          fi
+          fi
+      - name: Cache NVD DB
+        uses: actions/cache@v4
+        with:
+          path: ~/.m2/repository/org/owasp/dependency-check-data/
+          key: dependency-check-${{ github.run_id }}
+          restore-keys: |
+            dependency-check
+        env:
+          SEGMENT_DOWNLOAD_TIMEOUT_MINS: 5
+      - name: Run org.owasp:dependency-check plugin
+        id: dependency-check
+        continue-on-error: true
+        run: mvn -B verify -Pdependency-check -DskipTests -Djavafx.platform=linux
+        env:
+          NVD_API_KEY: ${{ secrets.NVD_API_KEY }}

.github/workflows/stale.yml

@@ -0,0 +1,24 @@
+# Configuration for close-stale-issues - https://github.com/marketplace/actions/close-stale-issues
+
+name: 'Close stale issues'
+on:
+  schedule:
+    - cron: '00 09 * * *'
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+      pull-requests: write
+    steps:
+      - uses: actions/stale@v9
+        with:
+          days-before-stale: 365
+          days-before-close: 90
+          exempt-issue-labels: 'type:security-issue,type:feature-request,type:enhancement,type:upstream-bug,state:awaiting-response,state:blocked,state:confirmed'
+          exempt-all-milestones: true
+          stale-issue-label: 'state:stale'
+          stale-pr-label: 'state:stale'
+          stale-issue-message: 'This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.'
+          stale-pr-message: 'This PR has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.'

.github/workflows/win-exe.yml

@@ -8,11 +8,19 @@ on:
       version:
         description: 'Version'
         required: false
+      isDebug:
+        description: 'Build debug version with console output'
+        type: boolean
+        default: false
+
 
 env:
-  JAVA_VERSION: 19
   JAVA_DIST: 'zulu'
-  JAVA_CACHE: 'maven'
+  JAVA_VERSION: '24.0.1+9'
+  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/23.0.1/openjfx-23.0.1_windows-x64_bin-jmods.zip'
+  OPENJFX_JMODS_AMD64_HASH: 'ee176dcee3bd78bde7910735bd67f67c792882f5b89626796ae06f7a1c0119d3'
+  WINFSP_MSI: 'https://github.com/winfsp/winfsp/releases/download/v2.0/winfsp-2.0.23075.msi'
+  WINFSP_UNINSTALLER: 'https://github.com/cryptomator/winfsp-uninstaller/releases/latest/download/winfsp-uninstaller.exe'
 
 defaults:
   run:
@@ -30,44 +38,73 @@ jobs:
     needs: [get-version]
     env:
       LOOPBACK_ALIAS: 'cryptomator-vault'
+      WIN_CONSOLE_FLAG: ''
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup Java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
-          java-package: 'jdk+fx'
-          cache: ${{ env.JAVA_CACHE }}
-      - name: Ensure major jfx version in pom equals in jdk
-        shell: pwsh
+          check-latest: true
+          cache: 'maven'
+      - name: Install wix and extensions
         run: |
-          $jfxPomVersion = (&mvn help:evaluate "-Dexpression=javafx.version" -q -DforceStdout) -split "\."
-          $jfxJdkVersion = ((Get-Content -path "${env:JAVA_HOME}/lib/javafx.properties" | Where-Object {$_ -like 'javafx.version=*' }) -replace '.*=','') -split "\."
-          if ($jfxPomVersion[0] -ne $jfxJdkVersion[0]) {
-            Write-Error "Major part of JavaFX version in pom($($jfxPomVersion[0])) does not match the version in JDK($($jfxJdkVersion[0])) "
-            exit 1
+          dotnet tool install --global wix --version 6.0.0
+          wix.exe extension add WixToolset.UI.wixext/6.0.0 --global
+          wix.exe extension add WixToolset.Util.wixext/6.0.0 --global
+      - name: Download and extract JavaFX jmods from Gluon
+        #In the last step we move all jmods files a dir level up because jmods are placed inside a directory in the zip
+        run: |
+          curl --output openjfx-jmods.zip -L "${{ env.OPENJFX_JMODS_AMD64 }}"
+          if(!(Get-FileHash -Path openjfx-jmods.zip -Algorithm SHA256).Hash.ToLower().equals("${{ env.OPENJFX_JMODS_AMD64_HASH }}")) {
+            throw "Wrong checksum of JMOD archive downloaded from ${{ env.OPENJFX_JMODS_AMD64 }}.";
           }
+          Expand-Archive -Path openjfx-jmods.zip -DestinationPath openjfx-jmods
+          Get-ChildItem -Path openjfx-jmods -Recurse -Filter "*.jmod" | ForEach-Object { Move-Item -Path $_ -Destination $_.Directory.Parent}
+        shell: pwsh
+      - name: Ensure major jfx version in pom and in jmods is the same
+        run: |
+          JMOD_VERSION_AMD64=$(jmod describe openjfx-jmods/javafx.base.jmod | head -1)
+          JMOD_VERSION_AMD64=${JMOD_VERSION_AMD64#*@}
+          JMOD_VERSION_AMD64=${JMOD_VERSION_AMD64%%.*}
+          POM_JFX_VERSION=$(mvn help:evaluate "-Dexpression=javafx.version" -q -DforceStdout)
+          POM_JFX_VERSION=${POM_JFX_VERSION#*@}
+          POM_JFX_VERSION=${POM_JFX_VERSION%%.*}
+
+          if [ $POM_JFX_VERSION -ne $JMOD_VERSION_AMD64 ]; then
+            >&2 echo "Major JavaFX version in pom.xml (${POM_JFX_VERSION}) != amd64 jmod version (${JMOD_VERSION_AMD64})"
+            exit 1
+          fi
       - name: Set version
         run : mvn versions:set -DnewVersion=${{ needs.get-version.outputs.semVerStr }}
       - name: Run maven
-        run: mvn -B clean package -Pdependency-check,win -DskipTests
+        run: mvn -B clean package -Pwin -DskipTests -Djavafx.platform=win
       - name: Patch target dir
         run: |
           cp LICENSE.txt target
           cp target/cryptomator-*.jar target/mods
+      - name: Run jlink with help option
+        id: jep-493-check
+        run: |
+          JMOD_PATHS="openjfx-jmods"
+          if ! $(${JAVA_HOME}/bin/jlink --help | grep -q "Linking from run-time image enabled"); then
+            JMOD_PATHS="${JAVA_HOME}/jmods;${JMOD_PATHS}"
+          fi
+          echo "jmod_paths=${JMOD_PATHS}" >> "$GITHUB_OUTPUT"
       - name: Run jlink
+        #Remark: no compression is applied for improved build compression later (here msi)
         run: >
           ${JAVA_HOME}/bin/jlink
           --verbose
           --output runtime
-          --module-path "${JAVA_HOME}/jmods"
-          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.unsupported,jdk.crypto.ec,jdk.accessibility,jdk.management.jfr
+          --module-path "${{ steps.jep-493-check.outputs.jmod_paths }}"
+          --add-modules java.base,java.desktop,java.instrument,java.logging,java.naming,java.net.http,java.scripting,java.sql,java.xml,javafx.base,javafx.graphics,javafx.controls,javafx.fxml,jdk.crypto.mscapi,jdk.unsupported,jdk.accessibility,jdk.management.jfr,java.compiler
           --strip-native-commands
           --no-header-files
           --no-man-pages
           --strip-debug
-          --compress=1
+          --compress zip-0
       - name: Prepare debug launcher config
         shell: bash
         run: envsubst '${SEMVER_STR} ${REVISION_NUM} ${APP_NAME} ${LOOPBACK_ALIAS}' < dist/win/resources/debug-launcher.properties > dist/win/resources/CryptomatorDebug.properties
@@ -87,25 +124,27 @@ jobs:
           --dest appdir
           --name Cryptomator
           --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2023 Skymatic GmbH"
+          --copyright "(C) 2016 - 2025 Skymatic GmbH"
           --app-version "${{ needs.get-version.outputs.semVerNum }}.${{ needs.get-version.outputs.revNum }}"
           --java-options "--enable-preview"
-          --java-options "--enable-native-access=org.cryptomator.jfuse.win"
+          --java-options "--enable-native-access=org.cryptomator.jfuse.win,org.cryptomator.integrations.win"
           --java-options "-Xss5m"
           --java-options "-Xmx256m"
           --java-options "-Dcryptomator.appVersion=\"${{ needs.get-version.outputs.semVerStr }}\""
           --java-options "-Dfile.encoding=\"utf-8\""
-          --java-options "-Dcryptomator.logDir=\"~/AppData/Roaming/Cryptomator\""
-          --java-options "-Dcryptomator.pluginDir=\"~/AppData/Roaming/Cryptomator/Plugins\""
-          --java-options "-Dcryptomator.settingsPath=\"~/AppData/Roaming/Cryptomator/settings.json\""
-          --java-options "-Dcryptomator.p12Path=\"~/AppData/Roaming/Cryptomator/key.p12\""
-          --java-options "-Dcryptomator.ipcSocketPath=\"~/AppData/Roaming/Cryptomator/ipc.socket\""
-          --java-options "-Dcryptomator.mountPointsDir=\"~/Cryptomator\""
+          --java-options "-Djava.net.useSystemProxies=true"
+          --java-options "-Dcryptomator.logDir=\"@{localappdata}/Cryptomator\""
+          --java-options "-Dcryptomator.pluginDir=\"@{appdata}/Cryptomator/Plugins\""
+          --java-options "-Dcryptomator.settingsPath=\"@{appdata}/Cryptomator/settings.json;@{userhome}/AppData/Roaming/Cryptomator/settings.json\""
+          --java-options "-Dcryptomator.p12Path=\"@{appdata}/Cryptomator/key.p12;@{userhome}/AppData/Roaming/Cryptomator/key.p12\""
+          --java-options "-Dcryptomator.ipcSocketPath=\"@{localappdata}/Cryptomator/ipc.socket\""
+          --java-options "-Dcryptomator.mountPointsDir=\"@{userhome}/Cryptomator\""
           --java-options "-Dcryptomator.loopbackAlias=\"${{ env.LOOPBACK_ALIAS }}\""
           --java-options "-Dcryptomator.showTrayIcon=true"
           --java-options "-Dcryptomator.buildNumber=\"msi-${{ needs.get-version.outputs.revNum }}\""
           --java-options "-Dcryptomator.integrationsWin.autoStartShellLinkName=\"Cryptomator\""
-          --java-options "-Dcryptomator.integrationsWin.keychainPaths=\"~/AppData/Roaming/Cryptomator/keychain.json\""
+          --java-options "-Dcryptomator.integrationsWin.keychainPaths=\"@{appdata}/Cryptomator/keychain.json;@{userhome}/AppData/Roaming/Cryptomator/keychain.json\""
+          --java-options "-Djavafx.verbose=${{ inputs.isDebug }}"
           --resource-dir dist/win/resources
           --icon dist/win/resources/Cryptomator.ico
           --add-launcher "CryptomatorDebug=CryptomatorDebug.properties"
@@ -127,26 +166,56 @@ jobs:
           attrib -r appdir/Cryptomator/Cryptomator.exe
           attrib -r appdir/Cryptomator/CryptomatorDebug.exe
         shell: pwsh
-      - name: Extract integrations DLL for code signing
+      - name: Extract jars with DLLs for Codesigning
         shell: pwsh
-        run: gci ./appdir/Cryptomator/app/mods/ -File integrations-win-*.jar | ForEach-Object {Set-Location -Path $_.Directory; jar --file=$($_.FullName) --extract integrations.dll }
+        run: |
+          Add-Type -AssemblyName "System.io.compression.filesystem"
+          $jarFolder = Resolve-Path ".\appdir\Cryptomator\app\mods"
+          $jarExtractDir = New-Item -Path ".\appdir\jar-extract" -ItemType Directory
+
+          #for all jars inspect
+          Get-ChildItem -Path $jarFolder -Filter "*.jar" | ForEach-Object {
+              $jar = [Io.compression.zipfile]::OpenRead($_.FullName)
+              if (@($jar.Entries | Where-Object {$_.Name.ToString().EndsWith(".dll")} | Select-Object -First 1).Count -gt 0) {
+                  #jars containing dlls extract
+                  Set-Location $jarExtractDir
+                  Expand-Archive -Path $_.FullName
+              }
+              $jar.Dispose()
+          }
+      - name: Extract wixhelper.dll for Codesigning #see https://github.com/cryptomator/cryptomator/issues/3130
+        shell: pwsh
+        run: |
+          New-Item -Path appdir/jpackage-jmod -ItemType Directory
+          & $env:JAVA_HOME\bin\jmod.exe extract --dir jpackage-jmod "${env:JAVA_HOME}\jmods\jdk.jpackage.jmod"
+          Get-ChildItem -Recurse -Path "jpackage-jmod" -File wixhelper.dll | Select-Object -Last 1 | Copy-Item -Destination "appdir"
       - name: Codesign
-        uses: skymatic/code-sign-action@v2
+        uses: skymatic/code-sign-action@v3
         with:
           certificate: ${{ secrets.WIN_CODESIGN_P12_BASE64 }}
           password: ${{ secrets.WIN_CODESIGN_P12_PW }}
           certificatesha1: 5FC94CE149E5B511E621F53A060AC67CBD446B3A
           description: Cryptomator
           timestampUrl: 'http://timestamp.digicert.com'
-          folder: appdir/Cryptomator
+          folder: appdir
           recursive: true
-      - name: Repack signed DLL into jar
+      - name: Replace DLLs inside jars with signed ones
         shell: pwsh
         run: |
-          gci ./appdir/Cryptomator/app/mods/ -File integrations-win-*.jar | ForEach-Object {Set-Location -Path $_.Directory; jar --file=$($_.FullName) --update integrations.dll; Remove-Item integrations.dll}
+          $jarExtractDir = Resolve-Path ".\appdir\jar-extract"
+          $jarFolder = Resolve-Path ".\appdir\Cryptomator\app\mods"
+          Get-ChildItem -Path $jarExtractDir | ForEach-Object {
+              $jarName = $_.Name
+              $jarFile = "${jarFolder}\${jarName}.jar"
+              Set-Location $_
+              Get-ChildItem -Path $_ -Recurse -File "*.dll" | ForEach-Object {
+                  # update jar with signed dll
+                  jar --file="$jarFile" --update $(Resolve-Path -Relative -Path $_)
+              }
+          }
       - name: Generate license for MSI
         run: >
-          mvn -B license:add-third-party
+          mvn -B license:add-third-party "-Djavafx.platform=win"
           "-Dlicense.thirdPartyFilename=license.rtf"
           "-Dlicense.outputDirectory=dist/win/resources"
           "-Dlicense.fileTemplate=dist/win/resources/licenseTemplate.ftl"
@@ -165,20 +234,21 @@ jobs:
           --dest installer
           --name Cryptomator
           --vendor "Skymatic GmbH"
-          --copyright "(C) 2016 - 2023 Skymatic GmbH"
-          --app-version "${{ needs.get-version.outputs.semVerNum }}"
+          --copyright "(C) 2016 - 2025 Skymatic GmbH"
+          --app-version "${{ needs.get-version.outputs.semVerNum }}.${{ needs.get-version.outputs.revNum}}"
           --win-menu
           --win-dir-chooser
           --win-shortcut-prompt
-          --win-update-url "https:\\cryptomator.org"
+          --win-update-url "https:\\cryptomator.org\downloads"
           --win-menu-group Cryptomator
           --resource-dir dist/win/resources
           --license-file dist/win/resources/license.rtf
           --file-associations dist/win/resources/FAvaultFile.properties
         env:
           JP_WIXWIZARD_RESOURCES: ${{ github.workspace }}/dist/win/resources # requires abs path, used in resources/main.wxs
+          JP_WIXHELPER_DIR: ${{ github.workspace }}\appdir
       - name: Codesign MSI
-        uses: skymatic/code-sign-action@v2
+        uses: skymatic/code-sign-action@v3
         with:
           certificate: ${{ secrets.WIN_CODESIGN_P12_BASE64 }}
           password: ${{ secrets.WIN_CODESIGN_P12_PW }}
@@ -196,53 +266,41 @@ jobs:
           GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
           GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
       - name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: msi
           path: |
             Cryptomator-*.msi
             Cryptomator-*.asc
           if-no-files-found: error
-      - name: Publish .msi on GitHub Releases
-        if: startsWith(github.ref, 'refs/tags/')
-        uses: softprops/action-gh-release@v1
-        with:
-          fail_on_unmatched_files: true
-          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
-          files: |
-            *.msi
-            *.asc
-
-  call-winget-flow:
-    needs: [get-version, build-msi]
-    if: github.event.action == 'published' && needs.get-version.outputs.versionType == 'stable'
-    uses: ./.github/workflows/winget.yml
-    with:
-      releaseTag: ${{ github.event.release.tag_name }}
-    secrets: inherit
-
 
   build-exe:
     name: Build .exe installer
     runs-on: windows-latest
     needs: [get-version, build-msi]
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+      - name: Install wix and extensions
+        run: |
+          dotnet tool install --global wix --version 6.0.0
+          wix.exe extension add WixToolset.BootstrapperApplications.wixext/6.0.0 --global
+          wix.exe extension add WixToolset.Util.wixext/6.0.0 --global
       - name: Download .msi
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: msi
           path: dist/win/bundle/resources
       - name: Strip version info from msi file name
         run: mv dist/win/bundle/resources/Cryptomator*.msi dist/win/bundle/resources/Cryptomator.msi
-      - uses: actions/setup-java@v3
+      - uses: actions/setup-java@v4
         with:
           distribution: ${{ env.JAVA_DIST }}
           java-version: ${{ env.JAVA_VERSION }}
-          cache: ${{ env.JAVA_CACHE }}
+          check-latest: true
+          cache: 'maven'
       - name: Generate license for exe
         run: >
-          mvn -B license:add-third-party
+          mvn -B license:add-third-party "-Djavafx.platform=win"
           "-Dlicense.thirdPartyFilename=license.rtf"
           "-Dlicense.fileTemplate=dist/win/bundle/resources/licenseTemplate.ftl"
           "-Dlicense.outputDirectory=dist/win/bundle/resources"
@@ -253,32 +311,32 @@ jobs:
         shell: pwsh
       - name: Download WinFsp
         run: |
-          $winfspUrl= (Select-String -Path ".\dist\win\bundle\resources\winfsp-download.url" -Pattern 'https:.*').Matches.Value
-          curl --output dist/win/bundle/resources/winfsp.msi -L $winfspUrl
+          curl --output dist/win/bundle/resources/winfsp.msi -L ${{ env.WINFSP_MSI }}
         shell: pwsh
-      - name: Compile to wixObj file
+      - name: Download Legacy-WinFsp uninstaller
+        run: |
+          curl --output dist/win/bundle/resources/winfsp-uninstaller.exe -L ${{ env.WINFSP_UNINSTALLER }}
+        shell: pwsh
+      - name: Create Wix Burn bundle
+        working-directory: dist/win
         run: >
-          "${WIX}/bin/candle.exe" dist/win/bundle/bundleWithWinfsp.wxs
-          -ext WixBalExtension
-          -out dist/win/bundle/
-          -dBundleVersion="${{ needs.get-version.outputs.semVerNum }}.${{ needs.get-version.outputs.revNum }}"
-          -dBundleVendor="Skymatic GmbH"
-          -dBundleCopyright="(C) 2016 - 2023 Skymatic GmbH"
-          -dAboutUrl="https://cryptomator.org"
-          -dHelpUrl="https://cryptomator.org/contact"
-          -dUpdateUrl="https://cryptomator.org/downloads/"
-      - name: Create executable with linker
-        run: >
-          "${WIX}/bin/light.exe" -b dist/win/ dist/win/bundle/bundleWithWinfsp.wixobj
-          -ext WixBalExtension
-          -out installer/unsigned/Cryptomator-Installer.exe
+          wix build
+          -define BundleName="Cryptomator"
+          -define BundleVersion="${{ needs.get-version.outputs.semVerNum }}.${{ needs.get-version.outputs.revNum}}"
+          -define BundleVendor="Skymatic GmbH"
+          -define BundleCopyright="(C) 2016 - 2025 Skymatic GmbH"
+          -define AboutUrl="https://cryptomator.org"
+          -define HelpUrl="https://cryptomator.org/contact"
+          -define UpdateUrl="https://cryptomator.org/downloads/"
+          -ext "WixToolset.Util.wixext"
+          -ext "WixToolset.BootstrapperApplications.wixext"
+          ./bundle/bundleWithWinfsp.wxs
+          -out "../../installer/unsigned/Cryptomator-Installer.exe"
       - name: Detach burn engine in preparation to sign
         run: >
-          "${WIX}/bin/insignia.exe"
-          -ib installer/unsigned/Cryptomator-Installer.exe
-          -o tmp/engine.exe
+          wix burn detach installer/unsigned/Cryptomator-Installer.exe -engine tmp/engine.exe
       - name: Codesign burn engine
-        uses: skymatic/code-sign-action@v2
+        uses: skymatic/code-sign-action@v3
         with:
           certificate: ${{ secrets.WIN_CODESIGN_P12_BASE64 }}
           password: ${{ secrets.WIN_CODESIGN_P12_PW }}
@@ -287,12 +345,10 @@ jobs:
           timestampUrl: 'http://timestamp.digicert.com'
           folder: tmp
       - name: Reattach signed burn engine to installer
-        run : >
-          "${WIX}/bin/insignia.exe"
-          -ab tmp/engine.exe installer/unsigned/Cryptomator-Installer.exe
-          -o installer/Cryptomator-Installer.exe
+        run: >
+          wix burn reattach installer/unsigned/Cryptomator-Installer.exe -engine tmp/engine.exe -o installer/Cryptomator-Installer.exe
       - name: Codesign EXE
-        uses: skymatic/code-sign-action@v2
+        uses: skymatic/code-sign-action@v3
         with:
           certificate: ${{ secrets.WIN_CODESIGN_P12_BASE64 }}
           password: ${{ secrets.WIN_CODESIGN_P12_PW }}
@@ -310,59 +366,68 @@ jobs:
           GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
           GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
       - name: Upload artifacts
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: exe
           path: |
             Cryptomator-*.exe
             Cryptomator-*.asc
           if-no-files-found: error
+
+  publish:
+    name: Publish installers to the github release
+    if: startsWith(github.ref, 'refs/tags/') && github.event.action == 'published'
+    runs-on: ubuntu-latest
+    needs: [build-msi, build-exe]
+    outputs:
+      download-url-msi: ${{ fromJSON(steps.publish.outputs.assets)[0].browser_download_url }}
+      download-url-exe: ${{ fromJSON(steps.publish.outputs.assets)[1].browser_download_url }}
+    steps:
+      - name: Download installers
+        uses: actions/download-artifact@v4
+        with:
+          merge-multiple: true
       - name: Publish .msi on GitHub Releases
-        if: startsWith(github.ref, 'refs/tags/')
-        uses: softprops/action-gh-release@v1
+        id: publish
+        uses: softprops/action-gh-release@v2
         with:
           fail_on_unmatched_files: true
           token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
+          # do not change ordering of filelist, required for correct job output
           files: |
-            Cryptomator-*.exe
-            Cryptomator-*.asc
+            *.msi
+            *.exe
+            *.asc
 
-  allowlist:
-    name: Anti Virus Allowlisting
-    if: startsWith(github.ref, 'refs/tags/')
+  allowlist-msi:
+    uses: ./.github/workflows/av-whitelist.yml
+    needs: [publish]
+    with:
+      url: ${{ needs.publish.outputs.download-url-msi }}
+    secrets: inherit
+
+  allowlist-exe:
+    uses: ./.github/workflows/av-whitelist.yml
+    needs: [publish, allowlist-msi]
+    with:
+      url: ${{ needs.publish.outputs.download-url-exe }}
+    secrets: inherit
+
+  notify-winget:
+    name: Notify for winget-release
+    if: needs.get-version.outputs.versionType == 'stable'
+    needs: [publish, get-version]
     runs-on: ubuntu-latest
-    needs: [build-msi, build-exe]
     steps:
-      - name: Download .msi
-        uses: actions/download-artifact@v3
-        with:
-          name: msi
-          path: msi
-      - name: Download .exe
-        uses: actions/download-artifact@v3
-        with:
-          name: exe
-          path: exe
-      - name: Collect files
-        run: |
-          mkdir files
-          cp msi/*.msi files
-          cp exe/*.exe files
-      - name: Upload to Kaspersky
-        uses: SamKirkland/FTP-Deploy-Action@4.3.3
-        with:
-          protocol: ftps
-          server: allowlist.kaspersky-labs.com
-          port: 990
-          username: ${{ secrets.ALLOWLIST_KASPERSKY_USERNAME }}
-          password: ${{ secrets.ALLOWLIST_KASPERSKY_PASSWORD }}
-          local-dir: files/
-      - name: Upload to Avast
-        uses: SamKirkland/FTP-Deploy-Action@4.3.0
-        with:
-          protocol: ftp
-          server: whitelisting.avast.com
-          port: 21
-          username: ${{ secrets.ALLOWLIST_AVAST_USERNAME }}
-          password: ${{ secrets.ALLOWLIST_AVAST_PASSWORD }}
-          local-dir: files/
+      - name: Slack Notification
+        uses: rtCamp/action-slack-notify@v2
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_USERNAME: 'Cryptobot'
+          SLACK_ICON: false
+          SLACK_ICON_EMOJI: ':bot:'
+          SLACK_CHANNEL: 'cryptomator-desktop'
+          SLACK_TITLE: "MSI of ${{ github.event.repository.name }} ${{ github.event.release.tag_name }} published."
+          SLACK_MESSAGE: "Ready to <https://github.com/${{ github.repository }}/actions/workflows/winget.yml| release to winget>."
+          SLACK_FOOTER: false
+          MSG_MINIMAL: true

.github/workflows/winget.yml

@@ -1,49 +1,27 @@
-name: Release to Winget
+name: Publish  MSI to winget-pkgs
 
 on:
-  workflow_call:
-    inputs:
-      releaseTag:
-        required: true
-        type: string
   workflow_dispatch:
     inputs:
-      releaseTag:
-        description: 'Release tag name'
+      tag:
+        description: 'Release tag'
         required: true
-        type: string
 
 jobs:
-  publish-winget:
-    name: Publish on winget repo
+  winget:
+    name: Publish winget package
     runs-on: windows-latest
     steps:
-      - name: Get download url for release assets
-        id: get-release-assets
-        uses: actions/github-script@v6
-        with:
-          script: |
-            const query =`query($tag:String!) {
-              repository(owner:"cryptomator", name:"cryptomator"){
-                release(tagName: $tag) {
-                    releaseAssets(first:20) {
-                      nodes {
-                        name
-                        downloadUrl
-                      }
-                  }
-                }
-              }
-            }`;
-            const variables = {
-              tag: "${{ inputs.releaseTag }}"
-            }
-            return await github.graphql(query, variables)
-      - name: Submit package to Windows Package Manager Community Repository
-        id: submit-winget
+      - name: Sync winget-pkgs fork
         run: |
-          iwr https://aka.ms/wingetcreate/latest -OutFile wingetcreate.exe
-          $releaseAssets = (ConvertFrom-Json '${{ steps.get-release-assets.outputs.result }}').repository.release.releaseAssets.nodes
-          $installerUrl = $releaseAssets | Where-Object -Property name -match '^Cryptomator-.*\.msi$' | Select -ExpandProperty downloadUrl -First 1
-          .\wingetcreate.exe update Cryptomator.Cryptomator -s -v "${{ inputs.releaseTag }}" -u "$installerUrl" -t ${{ secrets.CRYPTOBOT_WINGET_TOKEN }}
-        shell: pwsh
+          gh repo sync cryptomator/winget-pkgs -b master --force
+        env:
+          GH_TOKEN: ${{ secrets.CRYPTOBOT_WINGET_TOKEN }}
+      - name: Submit package
+        uses: vedantmgoyal2009/winget-releaser@main
+        with:
+          identifier: Cryptomator.Cryptomator
+          version: ${{ inputs.tag }}
+          release-tag: ${{ inputs.tag }}
+          installers-regex: '\.msi$'
+          token: ${{ secrets.CRYPTOBOT_WINGET_TOKEN }}