From f7b04a11c8b825a0eb544f36fb5fd2c81316a414 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Wed, 25 Mar 2026 17:44:47 +0100 Subject: [PATCH 01/10] add basic workflow triggered by authenticated POST requests --- .github/workflows/update-desktop.yml | 52 ++++++++++++++++++++++++++++ 1 file changed, 52 insertions(+) create mode 100644 .github/workflows/update-desktop.yml diff --git a/.github/workflows/update-desktop.yml b/.github/workflows/update-desktop.yml new file mode 100644 index 000000000..d57ad8630 --- /dev/null +++ b/.github/workflows/update-desktop.yml @@ -0,0 +1,52 @@ +name: Updates download urls to latest version + +on: + repository_dispatch: + types: [desktop-update] + +jobs: + + create-pr: + name: Create PR for aur repo + runs-on: ubuntu-latest + env: + DESKTOP_VERSION: ${{ github.event.client_payload.version }} + steps: + - name: Checkout repo + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + - name: Create new branch + run: | + git config --global safe.directory '*' + git checkout -b "feature/desktop-$DESKTOP_VERSION" + - name: Update params.yaml + run: | + echo "TODO $DESKTOP_VERSION" > config/_default/params.yaml + - name: Commit and push + run: | + git config user.name "cryptobot" + git config user.email "cryptobot@users.noreply.github.com" + git config push.autoSetupRemote true + git stage config/_default/params.yaml + git commit -m "Update desktop download urls to version ${DESKTOP_VERSION}" + git push + - name: Create pull request + id: create-pr + run: | + printf "Created by $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" > pr_body.md + PR_URL=$(gh pr create --title "Update desktop download to $DESKTOP_VERSION" --body-file pr_body.md) + echo "url=$PR_URL" >> "$GITHUB_OUTPUT" + env: + GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }} + - name: Slack Notification + if: github.event_name == 'release' + uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3 + env: + SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }} + SLACK_USERNAME: 'Cryptobot' + SLACK_ICON: false + SLACK_ICON_EMOJI: ':bot:' + SLACK_CHANNEL: 'cryptomator-desktop' + SLACK_TITLE: "AUR release PR created for ${{ github.event.repository.name }} ${{ github.event.client_payload.version }} ." + SLACK_MESSAGE: "See <${{ steps.create-pr.outputs.url }}|PR> on how to proceed." + SLACK_FOOTER: false + MSG_MINIMAL: true \ No newline at end of file From 0a2700437f0d336e819d8f4a8f2cdba9829794ab Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Wed, 25 Mar 2026 23:52:54 +0100 Subject: [PATCH 02/10] explicitly set permissions --- .github/workflows/update-desktop.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/update-desktop.yml b/.github/workflows/update-desktop.yml index d57ad8630..b068de6f1 100644 --- a/.github/workflows/update-desktop.yml +++ b/.github/workflows/update-desktop.yml @@ -9,6 +9,8 @@ jobs: create-pr: name: Create PR for aur repo runs-on: ubuntu-latest + permissions: + contents: write env: DESKTOP_VERSION: ${{ github.event.client_payload.version }} steps: From d0f8a9a6e5badf729415ee55a1ef8b546d97bec0 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Wed, 25 Mar 2026 23:54:19 +0100 Subject: [PATCH 03/10] wording changes --- .github/workflows/update-desktop.yml | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/.github/workflows/update-desktop.yml b/.github/workflows/update-desktop.yml index b068de6f1..c81b9b093 100644 --- a/.github/workflows/update-desktop.yml +++ b/.github/workflows/update-desktop.yml @@ -5,7 +5,6 @@ on: types: [desktop-update] jobs: - create-pr: name: Create PR for aur repo runs-on: ubuntu-latest @@ -19,7 +18,7 @@ jobs: - name: Create new branch run: | git config --global safe.directory '*' - git checkout -b "feature/desktop-$DESKTOP_VERSION" + git checkout -b "feature/desktop-${DESKTOP_VERSION}" - name: Update params.yaml run: | echo "TODO $DESKTOP_VERSION" > config/_default/params.yaml @@ -29,13 +28,13 @@ jobs: git config user.email "cryptobot@users.noreply.github.com" git config push.autoSetupRemote true git stage config/_default/params.yaml - git commit -m "Update desktop download urls to version ${DESKTOP_VERSION}" + git commit -m "Update desktop download urls to release ${DESKTOP_VERSION}" git push - name: Create pull request id: create-pr run: | printf "Created by $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" > pr_body.md - PR_URL=$(gh pr create --title "Update desktop download to $DESKTOP_VERSION" --body-file pr_body.md) + PR_URL=$(gh pr create --title "Desktop release ${DESKTOP_VERSION}" --body-file pr_body.md) echo "url=$PR_URL" >> "$GITHUB_OUTPUT" env: GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }} @@ -48,7 +47,7 @@ jobs: SLACK_ICON: false SLACK_ICON_EMOJI: ':bot:' SLACK_CHANNEL: 'cryptomator-desktop' - SLACK_TITLE: "AUR release PR created for ${{ github.event.repository.name }} ${{ github.event.client_payload.version }} ." + SLACK_TITLE: "Website update PR created for release ${{ github.event.client_payload.version }} ." SLACK_MESSAGE: "See <${{ steps.create-pr.outputs.url }}|PR> on how to proceed." SLACK_FOOTER: false - MSG_MINIMAL: true \ No newline at end of file + MSG_MINIMAL: true From 40b43c67185847ecc478e5929de0ff0ec448df5c Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Wed, 25 Mar 2026 23:54:32 +0100 Subject: [PATCH 04/10] rename event type to desktop-release --- .github/workflows/update-desktop.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/update-desktop.yml b/.github/workflows/update-desktop.yml index c81b9b093..8717cbcdf 100644 --- a/.github/workflows/update-desktop.yml +++ b/.github/workflows/update-desktop.yml @@ -2,7 +2,7 @@ name: Updates download urls to latest version on: repository_dispatch: - types: [desktop-update] + types: [desktop-release] jobs: create-pr: From dcedf030abbf9c117e3bbbf94faa6e1a7c683a99 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Thu, 26 Mar 2026 00:20:58 +0100 Subject: [PATCH 05/10] implement params.yaml update step --- .github/workflows/update-desktop.yml | 49 +++++++++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) diff --git a/.github/workflows/update-desktop.yml b/.github/workflows/update-desktop.yml index 8717cbcdf..6e6449dc1 100644 --- a/.github/workflows/update-desktop.yml +++ b/.github/workflows/update-desktop.yml @@ -21,7 +21,54 @@ jobs: git checkout -b "feature/desktop-${DESKTOP_VERSION}" - name: Update params.yaml run: | - echo "TODO $DESKTOP_VERSION" > config/_default/params.yaml + MSI_URL=$(jq -r '[.[] | select(.name | endswith(".msi"))][0].browser_download_url // "null"' <<< "$ASSETS_JSON") + MSI_DIGEST=$(jq -r '[.[] | select(.name | endswith(".msi"))][0].digest // "null"' <<< "$ASSETS_JSON") + EXE_URL=$(jq -r '[.[] | select(.name | endswith(".exe"))][0].browser_download_url // "null"' <<< "$ASSETS_JSON") + EXE_DIGEST=$(jq -r '[.[] | select(.name | endswith(".exe"))][0].digest // "null"' <<< "$ASSETS_JSON") + DMG_X64_URL=$(jq -r '[.[] | select(.name | endswith("-x64.dmg"))][0].browser_download_url // "null"' <<< "$ASSETS_JSON") + DMG_X64_DIGEST=$(jq -r '[.[] | select(.name | endswith("-x64.dmg"))][0].digest // "null"' <<< "$ASSETS_JSON") + DMG_ARM64_URL=$(jq -r '[.[] | select(.name | endswith("-arm64.dmg"))][0].browser_download_url // "null"' <<< "$ASSETS_JSON") + DMG_ARM64_DIGEST=$(jq -r '[.[] | select(.name | endswith("-arm64.dmg"))][0].digest // "null"' <<< "$ASSETS_JSON") + APPIMAGE_AARCH64_URL=$(jq -r '[.[] | select(.name | endswith("-aarch64.AppImage"))][0].browser_download_url // "null"' <<< "$ASSETS_JSON") + APPIMAGE_AARCH64_DIGEST=$(jq -r '[.[] | select(.name | endswith("-aarch64.AppImage"))][0].digest // "null"' <<< "$ASSETS_JSON") + APPIMAGE_X64_URL=$(jq -r '[.[] | select(.name | endswith("-x86_64.AppImage"))][0].browser_download_url // "null"' <<< "$ASSETS_JSON") + APPIMAGE_X64_DIGEST=$(jq -r '[.[] | select(.name | endswith("-x86_64.AppImage"))][0].digest // "null"' <<< "$ASSETS_JSON") + + UPDATED_ASSETS=0 + + update_release() { + local key="$1" + local url="$2" + local digest="$3" + local filename_expr="${4:-'(env(RELEASE_URL) | split(\"/\") | .[-1])'}" + + if [ "$url" = "null" ] || [ -z "$url" ]; then + return + fi + + UPDATED_ASSETS=1 + RELEASE_URL="$url" RELEASE_DIGEST="${digest#sha256:}" yq -i " + .releases.${key}.version = env(DESKTOP_VERSION) | + .releases.${key}.filename = ${filename_expr} | + .releases.${key}.downloadUrl = env(RELEASE_URL) | + .releases.${key}.signatureUrl = (env(RELEASE_URL) + \".asc\") | + .releases.${key}.checksum = env(RELEASE_DIGEST) + " config/_default/params.yaml + } + + update_release "exe" "$EXE_URL" "$EXE_DIGEST" + update_release "msi" "$MSI_URL" "$MSI_DIGEST" + update_release "dmg" "$DMG_X64_URL" "$DMG_X64_DIGEST" '("Cryptomator-" + env(DESKTOP_VERSION) + ".dmg")' + update_release '"dmg-arm64"' "$DMG_ARM64_URL" "$DMG_ARM64_DIGEST" + update_release "appimage" "$APPIMAGE_X64_URL" "$APPIMAGE_X64_DIGEST" + update_release '"appimage-aarch64"' "$APPIMAGE_AARCH64_URL" "$APPIMAGE_AARCH64_DIGEST" + + if [ "$UPDATED_ASSETS" -eq 0 ]; then + echo "No supported desktop assets found in release payload" + exit 1 + fi + env: + ASSETS_JSON: ${{ toJson(github.event.client_payload.release.assets ) }} - name: Commit and push run: | git config user.name "cryptobot" From acd8bd8c7422b33563dc7668736e00192d075eea Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Thu, 26 Mar 2026 11:56:47 +0100 Subject: [PATCH 06/10] apply suggestions from code review --- .github/workflows/update-desktop.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/update-desktop.yml b/.github/workflows/update-desktop.yml index 6e6449dc1..973607fa6 100644 --- a/.github/workflows/update-desktop.yml +++ b/.github/workflows/update-desktop.yml @@ -17,7 +17,7 @@ jobs: uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Create new branch run: | - git config --global safe.directory '*' + git config --global --add safe.directory "$GITHUB_WORKSPACE" git checkout -b "feature/desktop-${DESKTOP_VERSION}" - name: Update params.yaml run: | @@ -86,7 +86,6 @@ jobs: env: GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }} - name: Slack Notification - if: github.event_name == 'release' uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3 env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }} From 8781ddfb422abd53688fc83fde89076dea9e074e Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Thu, 26 Mar 2026 12:23:06 +0100 Subject: [PATCH 07/10] reduce noise if there are no changes --- .github/workflows/update-desktop.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/update-desktop.yml b/.github/workflows/update-desktop.yml index 973607fa6..8e690cb7f 100644 --- a/.github/workflows/update-desktop.yml +++ b/.github/workflows/update-desktop.yml @@ -70,15 +70,23 @@ jobs: env: ASSETS_JSON: ${{ toJson(github.event.client_payload.release.assets ) }} - name: Commit and push + id: commit-and-push run: | git config user.name "cryptobot" git config user.email "cryptobot@users.noreply.github.com" git config push.autoSetupRemote true git stage config/_default/params.yaml + if git diff --cached --quiet; then + echo "No changes to commit" + echo "changed=false" >> "$GITHUB_OUTPUT" + exit 0 + fi git commit -m "Update desktop download urls to release ${DESKTOP_VERSION}" git push + echo "changed=true" >> "$GITHUB_OUTPUT" - name: Create pull request id: create-pr + if: steps.commit-and-push.outputs.changed == 'true' run: | printf "Created by $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" > pr_body.md PR_URL=$(gh pr create --title "Desktop release ${DESKTOP_VERSION}" --body-file pr_body.md) @@ -86,6 +94,7 @@ jobs: env: GH_TOKEN: ${{ secrets.CRYPTOBOT_PR_TOKEN }} - name: Slack Notification + if: steps.commit-and-push.outputs.changed == 'true' uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2.3.3 env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }} From 691b9aadc486eaec83df54428bbd8c9a9fd65741 Mon Sep 17 00:00:00 2001 From: Armin Schrenk Date: Thu, 26 Mar 2026 12:23:22 +0100 Subject: [PATCH 08/10] ensure desktop version has proper format --- .github/workflows/update-desktop.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/update-desktop.yml b/.github/workflows/update-desktop.yml index 8e690cb7f..15959e4ee 100644 --- a/.github/workflows/update-desktop.yml +++ b/.github/workflows/update-desktop.yml @@ -18,6 +18,10 @@ jobs: - name: Create new branch run: | git config --global --add safe.directory "$GITHUB_WORKSPACE" + if [[ ! "$DESKTOP_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([.-][0-9A-Za-z]+)*$ ]]; then + echo "Invalid version in payload: $DESKTOP_VERSION" >&2 + exit 1; + fi git checkout -b "feature/desktop-${DESKTOP_VERSION}" - name: Update params.yaml run: | From f5c680526bc711c9b69378c3a152d4b6579f8ffe Mon Sep 17 00:00:00 2001 From: Tobias Hagemann Date: Tue, 31 Mar 2026 15:11:19 +0200 Subject: [PATCH 09/10] fix filename expression, job name, and slack config --- .github/workflows/update-desktop.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/update-desktop.yml b/.github/workflows/update-desktop.yml index 15959e4ee..b97d9ed55 100644 --- a/.github/workflows/update-desktop.yml +++ b/.github/workflows/update-desktop.yml @@ -6,7 +6,7 @@ on: jobs: create-pr: - name: Create PR for aur repo + name: Create PR for desktop release runs-on: ubuntu-latest permissions: contents: write @@ -44,7 +44,7 @@ jobs: local key="$1" local url="$2" local digest="$3" - local filename_expr="${4:-'(env(RELEASE_URL) | split(\"/\") | .[-1])'}" + local filename_expr="${4:-(env(RELEASE_URL) | split(\"/\") | .[-1])}" if [ "$url" = "null" ] || [ -z "$url" ]; then return @@ -103,10 +103,10 @@ jobs: env: SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_CRYPTOMATOR_DESKTOP }} SLACK_USERNAME: 'Cryptobot' - SLACK_ICON: false + SLACK_ICON: '' SLACK_ICON_EMOJI: ':bot:' SLACK_CHANNEL: 'cryptomator-desktop' - SLACK_TITLE: "Website update PR created for release ${{ github.event.client_payload.version }} ." + SLACK_TITLE: "Website update PR created for release ${{ github.event.client_payload.version }}." SLACK_MESSAGE: "See <${{ steps.create-pr.outputs.url }}|PR> on how to proceed." - SLACK_FOOTER: false + SLACK_FOOTER: '' MSG_MINIMAL: true From a1ee1659124e48e0f99e4d8f377111b8022b9050 Mon Sep 17 00:00:00 2001 From: Tobias Hagemann Date: Tue, 31 Mar 2026 16:01:49 +0200 Subject: [PATCH 10/10] validate download URLs against trusted domain --- .github/workflows/update-desktop.yml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/update-desktop.yml b/.github/workflows/update-desktop.yml index b97d9ed55..1387239c5 100644 --- a/.github/workflows/update-desktop.yml +++ b/.github/workflows/update-desktop.yml @@ -50,6 +50,11 @@ jobs: return fi + if [[ "$url" != https://github.com/cryptomator/cryptomator/releases/download/* ]]; then + echo "Unexpected download URL: $url" >&2 + exit 1 + fi + UPDATED_ASSETS=1 RELEASE_URL="$url" RELEASE_DIGEST="${digest#sha256:}" yq -i " .releases.${key}.version = env(DESKTOP_VERSION) |