cryptomator/.github/workflows/debian.yml

name: Build Debian Package

on:
  workflow_dispatch:
    inputs:
      semver:
        description: 'SemVer String (e.g. 1.7.0-beta1)'
      ppaver:
        description: 'Base PPA Version String (e.g. 1.6.16+1.7.0~beta1) without -0ppa1'
      dput:
        description: 'Upload to PPA'
        required: true
        default: false
        type: boolean
  push:
    branches-ignore:
      - 'dependabot/**'
    paths:
      - '.github/workflows/debian.yml'
      - 'dist/linux/debian/**'
      - 'dist/linux/common/**'
      - 'dist/linux/resources/**'

env:
  JAVA_DIST: 'temurin'
  JAVA_VERSION: '25.0.2+10.0.LTS'
  DEB_BUILD_DEPENDS: 'debhelper (>=10), openjdk-25-jdk (>= 25+36), libgtk-3-0 (>= 3.20.0), libxxf86vm1, libgl1'
  OPENJFX_JMODS_AMD64: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-x64_bin-jmods.zip'
  OPENJFX_JMODS_AMD64_HASH: 'e0a9c29d8cf3af9b8b48848b43f87b5785bc107c53a951b19668ce05842bba1b'
  OPENJFX_JMODS_AARCH64: 'https://download2.gluonhq.com/openjfx/25.0.2/openjfx-25.0.2_linux-aarch64_bin-jmods.zip'
  OPENJFX_JMODS_AARCH64_HASH: 'c3408f818693cce09e59829a8e862a82c7695fdfcd585c41cfd527f5fc3fe646'

jobs:
  get-version:
    uses: ./.github/workflows/get-version.yml
    with:
      version: ${{ inputs.semver }} #okay if not defined

  build:
    name: Build Debian Package
    runs-on: ubuntu-22.04
    needs: [get-version]
    env:
      INPUT_PPAVER: ${{ inputs.ppaver }}
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - id: deb-version
        name: Determine deb-version
        run: |
          if [ -n "${INPUT_PPAVER}" ]; then
            echo "debVersion=${INPUT_PPAVER}" >> "$GITHUB_OUTPUT"
          else
            echo "debVersion=${{needs.get-version.outputs.semVerStr}}" >> "$GITHUB_OUTPUT"
          fi
      - name: Install build tools
        run: |
          sudo apt-get update
          sudo apt-get install devscripts dput
          sudo apt-get satisfy "${DEB_BUILD_DEPENDS}"
        env:
          DEB_BUILD_DEPENDS: ${{ env.DEB_BUILD_DEPENDS }}
      - name: Setup Java
        uses: actions/setup-java@be666c2fcd27ec809703dec50e508c2fdc7f6654 # v5.2.0
        with:
          distribution: ${{ env.JAVA_DIST }}
          java-version: ${{ env.JAVA_VERSION }}
          check-latest: true
          cache: 'maven'
      - name: Run maven
        run: mvn -B clean package -Plinux -DskipTests
      - name: Download OpenJFX jmods
        id: download-jmods
        run: |
          curl --silent --fail-with-body --proto "=https" -L ${{ env.OPENJFX_JMODS_AMD64 }} -o openjfx-amd64.zip
          echo "${{ env.OPENJFX_JMODS_AMD64_HASH }}  openjfx-amd64.zip" | shasum -a256 --check
          mkdir -p jmods/amd64
          unzip -j openjfx-amd64.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d jmods/amd64
          curl --silent --fail-with-body --proto "=https" -L ${{ env.OPENJFX_JMODS_AARCH64 }} -o openjfx-aarch64.zip
          echo "${{ env.OPENJFX_JMODS_AARCH64_HASH }}  openjfx-aarch64.zip" | shasum -a256 --check
          mkdir -p jmods/aarch64
          unzip -j openjfx-aarch64.zip \*/javafx.base.jmod \*/javafx.controls.jmod \*/javafx.fxml.jmod \*/javafx.graphics.jmod -d jmods/aarch64
      - name: Ensure major jfx version in pom and in jmods is the same
        run: |
          JMOD_VERSION_AMD64=$(jmod describe jmods/amd64/javafx.base.jmod | head -1)
          JMOD_VERSION_AMD64=${JMOD_VERSION_AMD64#*@}
          JMOD_VERSION_AMD64=${JMOD_VERSION_AMD64%%.*}
          JMOD_VERSION_AARCH64=$(jmod describe jmods/aarch64/javafx.base.jmod | head -1)
          JMOD_VERSION_AARCH64=${JMOD_VERSION_AARCH64#*@}
          JMOD_VERSION_AARCH64=${JMOD_VERSION_AARCH64%%.*}
          POM_JFX_VERSION=$(mvn help:evaluate "-Dexpression=javafx.version" -q -DforceStdout)
          POM_JFX_VERSION=${POM_JFX_VERSION#*@}
          POM_JFX_VERSION=${POM_JFX_VERSION%%.*}

          if [ $POM_JFX_VERSION -ne $JMOD_VERSION_AMD64 ]; then
            >&2 echo "Major JavaFX version in pom.xml (${POM_JFX_VERSION}) != amd64 jmod version (${JMOD_VERSION_AMD64})"
            exit 1
          fi

          if [ $POM_JFX_VERSION -ne $JMOD_VERSION_AARCH64 ]; then
            >&2 echo "Major JavaFX version in pom.xml (${POM_JFX_VERSION}) != aarch64 jmod version (${JMOD_VERSION_AARCH64})"
            exit 1
          fi
      - name: Create orig.tar.gz with common/ libs/ mods/ jmods/
        run: |
          mkdir pkgdir
          cp -r target/libs pkgdir
          cp -r target/mods pkgdir
          cp -r jmods pkgdir
          cp -r dist/linux/common/ pkgdir
          cp target/cryptomator-*.jar pkgdir/mods
          tar -cJf cryptomator_${{ steps.deb-version.outputs.debVersion }}.orig.tar.xz -C pkgdir .
      - name: Patch and rename pkgdir
        run: |
          cp -r dist/linux/debian/ pkgdir
          export RFC2822_TIMESTAMP=`date --rfc-2822`
          export DISABLE_UPDATE_CHECK=${{ inputs.dput }}
          envsubst '${SEMVER_STR} ${VERSION_NUM} ${REVISION_NUM} ${DISABLE_UPDATE_CHECK}' < dist/linux/debian/rules > pkgdir/debian/rules
          envsubst '${PPA_VERSION} ${RFC2822_TIMESTAMP}' < dist/linux/debian/changelog > pkgdir/debian/changelog
          find . -name "*.jar" >> pkgdir/debian/source/include-binaries
          mv pkgdir cryptomator_${{ steps.deb-version.outputs.debVersion }}
        env:
          SEMVER_STR: ${{ needs.get-version.outputs.semVerStr }}
          VERSION_NUM: ${{ needs.get-version.outputs.semVerNum }}
          REVISION_NUM: ${{ needs.get-version.outputs.revNum }}
          PPA_VERSION: ${{ steps.deb-version.outputs.debVersion }}-0ppa1
      - name: Prepare GPG-Agent for signing with key 615D449FE6E6A235
        run: |
          echo "${GPG_PRIVATE_KEY}" | gpg --batch --quiet --import
          echo "${GPG_PASSPHRASE}" | gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --dry-run --sign README.md
        env:
          GPG_PRIVATE_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }}
          GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }}
      - name: debuild
        run: |
          (sleep 8m; gpg --batch --quiet --pinentry-mode loopback -u 615D449FE6E6A235 --dry-run --sign README.md) &
          debuild -S -sa -d
          debuild -b -sa -d
        env:
          DEBSIGN_PROGRAM: gpg --batch --pinentry-mode loopback
          DEBSIGN_KEYID: 615D449FE6E6A235
        working-directory: cryptomator_${{ steps.deb-version.outputs.debVersion }}
      - name: Create detached GPG signatures
        run: |
          gpg --batch --quiet --passphrase-fd 0 --pinentry-mode loopback -u 615D449FE6E6A235 --detach-sign -a cryptomator_*_amd64.deb
      - name: Upload artifacts
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
        with:
          name: linux-deb-package
          path: |
            cryptomator_*.dsc
            cryptomator_*.orig.tar.xz
            cryptomator_*.debian.tar.xz
            cryptomator_*_source.buildinfo
            cryptomator_*_source.changes
            cryptomator_*_amd64.deb
            cryptomator_*.asc
      - name: Publish on PPA
        if: inputs.dput && inputs.ppaver != ''
        run: dput ppa:sebastian-stenzel/cryptomator-beta cryptomator_*_source.changes
      # If ref is a tag, also upload to GitHub Releases:
      - name: Publish Debian package on GitHub Releases
        if: startsWith(github.ref, 'refs/tags/') && inputs.dput
        env:
          GITHUB_TOKEN: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
        run: |
          artifacts=$(ls | grep cryptomator*.deb)
          gh release upload ${{ github.ref_name }} $artifacts