From 14f876e420fadcb20f8674580d0dae46b31be02f Mon Sep 17 00:00:00 2001
From: Sebastian Stenzel
Date: Fri, 7 Nov 2025 10:28:49 +0100
Subject: [PATCH 1/3] refactor build workflow [deploy]
---
 .github/workflows/build.yml | 85 +++++++++++++++++++++++++--
 .github/workflows/publish-central.yml | 35 -----------
 .github/workflows/publish-github.yml | 24 --------
 3 files changed, 80 insertions(+), 64 deletions(-)
 delete mode 100644 .github/workflows/publish-central.yml
 delete mode 100644 .github/workflows/publish-github.yml
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 34ecc7c..b71957c 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -3,31 +3,106 @@ on: push: pull_request_target: types: [labeled] + +env: + JAVA_VERSION: 25 + jobs: build: name: Build and Test runs-on: ubuntu-latest - if: "!contains(github.event.head_commit.message, '[ci skip]') && !contains(github.event.head_commit.message, '[skip ci]')" steps: - uses: actions/checkout@v5 - uses: actions/setup-java@v5 with: distribution: 'temurin' - java-version: 25 + java-version: ${{ env.JAVA_VERSION }} cache: 'maven' - name: Ensure to use tagged version if: startsWith(github.ref, 'refs/tags/') run: mvn versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/} - name: Build and Test - id: buildAndTest - run: mvn -B clean install + run: mvn -B verify --no-transfer-progress + - name: Attest + if: startsWith(github.ref, 'refs/tags/') + uses: actions/attest-build-provenance@v3 + with: + subject-path: | + target/*.jar + target/*.pom - uses: actions/upload-artifact@v4 with: name: artifacts path: target/*.jar + + deploy-central: + name: Deploy to Maven Central + runs-on: ubuntu-latest + needs: [build] + if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]')) + steps: + - uses: actions/checkout@v5 + - uses: actions/setup-java@v5 + with: + distribution: 'temurin' + java-version: ${{ env.JAVA_VERSION }} + cache: 'maven' + server-id: central + server-username: MAVEN_CENTRAL_USERNAME + server-password: MAVEN_CENTRAL_PASSWORD + - name: Verify project version matches tag + if: startsWith(github.ref, 'refs/tags/') + run: | + PROJECT_VERSION=$(mvn help:evaluate "-Dexpression=project.version" -q -DforceStdout) + test "$PROJECT_VERSION" = "$TAG_NAME" + env: + TAG_NAME: ${{ github.event.release.tag_name }} + - name: Deploy to Maven Central + run: mvn deploy -B -DskipTests -Psign,deploy-central --no-transfer-progress + env: + MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }} + MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }} + 
MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }} + MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import + MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }} + + deploy-github: + name: Deploy to GitHub Packages + runs-on: ubuntu-latest + needs: [build] + if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]')) + steps: + - uses: actions/checkout@v5 + - uses: actions/setup-java@v5 + if: startsWith(github.ref, 'refs/tags/') + with: + java-version: ${{ env.JAVA_VERSION }} + distribution: temurin + cache: 'maven' + - name: Verify project version matches tag + if: startsWith(github.ref, 'refs/tags/') + run: | + PROJECT_VERSION=$(mvn help:evaluate "-Dexpression=project.version" -q -DforceStdout) + test "$PROJECT_VERSION" = "$TAG_NAME" + env: + TAG_NAME: ${{ github.event.release.tag_name }} + - name: Deploy to GitHub Packages + if: startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]') + run: mvn deploy -B -DskipTests -Psign,deploy-github --no-transfer-progress + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }} + MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import + MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }} + + release: + name: Release + runs-on: ubuntu-latest + needs: [deploy-central, deploy-github] + if: startsWith(github.ref, 'refs/tags/') + steps: - name: Create Release uses: softprops/action-gh-release@v2 - if: startsWith(github.ref, 'refs/tags/') with: prerelease: true token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }} diff --git a/.github/workflows/publish-central.yml b/.github/workflows/publish-central.yml deleted file mode 100644 index e195b19..0000000 --- a/.github/workflows/publish-central.yml +++ /dev/null 
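Review bot: The provenance created by the new `Attest` step covers the `target/*.jar` files that `mvn -B verify` produced in the `build` job, but `deploy-central` and `deploy-github` each check the sources out again and run `mvn deploy` from scratch, so what actually gets published is a second build that the attestation does not describe unless the build is bit-for-bit reproducible. Either hand the `artifacts` upload from `build` to the deploy jobs (actions/download-artifact) and publish those files, or attest inside the deploy jobs right after `mvn deploy` so the subject is the file that was uploaded; whichever is chosen, a comment above the `Attest` step stating what the subjects correspond to would help the next reader. A smaller point in the same step: `subject-path` also lists `target/*.pom`, and nothing in this hunk shows a `.pom` being written under `target/` by `mvn verify`, so check on a real run that the glob matches rather than silently attesting only the jars or failing, depending on how the action treats an empty glob.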
@@ -1,35 +0,0 @@ -name: Publish to Maven Central -on: - release: - types: [published] -jobs: - publish: - runs-on: ubuntu-latest - if: startsWith(github.ref, 'refs/tags/') # only allow publishing tagged versions - steps: - - uses: actions/checkout@v5 - - uses: actions/setup-java@v5 - with: - distribution: 'temurin' - java-version: 25 - cache: 'maven' - server-id: central - server-username: MAVEN_CENTRAL_USERNAME - server-password: MAVEN_CENTRAL_PASSWORD - - name: Verify project version = ${{ github.event.release.tag_name }} - run: | - PROJECT_VERSION=$(mvn help:evaluate "-Dexpression=project.version" -q -DforceStdout) - test "$PROJECT_VERSION" = "${{ github.event.release.tag_name }}" - - name: Deploy - run: mvn deploy -B -DskipTests -Psign,deploy-central --no-transfer-progress - env: - MAVEN_OPTS: > - --add-opens=java.base/java.util=ALL-UNNAMED - --add-opens=java.base/java.lang.reflect=ALL-UNNAMED - --add-opens=java.base/java.text=ALL-UNNAMED - --add-opens=java.desktop/java.awt.font=ALL-UNNAMED - MAVEN_CENTRAL_USERNAME: ${{ secrets.MAVEN_CENTRAL_USERNAME }} - MAVEN_CENTRAL_PASSWORD: ${{ secrets.MAVEN_CENTRAL_PASSWORD }} - MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }} - MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import - MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }} \ No newline at end of file diff --git a/.github/workflows/publish-github.yml b/.github/workflows/publish-github.yml deleted file mode 100644 index 1f0f2b6..0000000 --- a/.github/workflows/publish-github.yml +++ /dev/null 
@@ -1,24 +0,0 @@ -name: Publish to GitHub Packages -on: - release: - types: [published] -jobs: - publish: - runs-on: ubuntu-latest - if: startsWith(github.ref, 'refs/tags/') # only allow publishing tagged versions - steps: - - uses: actions/checkout@v5 - - uses: actions/setup-java@v5 - with: - distribution: 'temurin' - java-version: 25 - cache: 'maven' - - name: Enforce project version ${{ github.event.release.tag_name }} - run: mvn versions:set -B -DnewVersion=${{ github.event.release.tag_name }} - - name: Deploy - run: mvn deploy -B -DskipTests -Psign,deploy-github --no-transfer-progress - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - MAVEN_GPG_PASSPHRASE: ${{ secrets.RELEASES_GPG_PASSPHRASE }} - MAVEN_GPG_KEY: ${{ secrets.RELEASES_GPG_PRIVATE_KEY }} # Value of the GPG private key to import - MAVEN_GPG_KEY_FINGERPRINT: ${{ vars.RELEASES_GPG_KEY_FINGERPRINT }} \ No newline at end of file From 050bf4c0899932e75a0f4d905e21a9198f84aeae Mon Sep 17 00:00:00 2001 From: Sebastian Stenzel Date: Fri, 7 Nov 2025 10:42:43 +0100 Subject: [PATCH 2/3] fix build [deploy] --- .github/workflows/build.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b71957c..7ac6eb8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -74,7 +74,6 @@ jobs: steps: - uses: actions/checkout@v5 - uses: actions/setup-java@v5 - if: startsWith(github.ref, 'refs/tags/') with: java-version: ${{ env.JAVA_VERSION }} distribution: temurin @@ -87,7 +86,6 @@ jobs: env: TAG_NAME: ${{ github.event.release.tag_name }} - name: Deploy to GitHub Packages - if: startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]') run: mvn deploy -B -DskipTests -Psign,deploy-github --no-transfer-progress env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} From bbded7100d1629d86b560640f1753169c7ef8c6c Mon Sep 17 00:00:00 2001 
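Review bot: With the step-level `if:` removed from `Deploy to GitHub Packages`, the only gate left on `mvn deploy -Psign,deploy-github` is the job-level `if:` of `deploy-github`, which lies outside this hunk and checks the repository owner and a `[deploy]` marker in the head commit message, but not the branch. Any push to any branch whose head commit contains `[deploy]` therefore publishes a package signed with `RELEASES_GPG_PRIVATE_KEY`, and `deploy-central` has the same shape. If that is wider than intended, add a branch condition to the job-level `if:`, e.g. `&& github.ref == 'refs/heads/<release-branch>'`, so the release signing key is only exercised from a protected branch, and apply the same to `deploy-central`.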
From: Sebastian Stenzel Date: Fri, 7 Nov 2025 11:03:26 +0100 Subject: [PATCH 3/3] apply suggestions from code review [deploy] --- .github/workflows/build.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 7ac6eb8..cfc847a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -11,6 +11,9 @@ jobs: build: name: Build and Test runs-on: ubuntu-latest + permissions: + id-token: write # Required for the attestations step + attestations: write # Required for the attestations step steps: - uses: actions/checkout@v5 - uses: actions/setup-java@v5 @@ -38,6 +41,7 @@ jobs: deploy-central: name: Deploy to Maven Central runs-on: ubuntu-latest + permissions: {} needs: [build] if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]')) steps: @@ -54,9 +58,7 @@ jobs: if: startsWith(github.ref, 'refs/tags/') run: | PROJECT_VERSION=$(mvn help:evaluate "-Dexpression=project.version" -q -DforceStdout) - test "$PROJECT_VERSION" = "$TAG_NAME" - env: - TAG_NAME: ${{ github.event.release.tag_name }} + test "$PROJECT_VERSION" = "${GITHUB_REF##*/}" - name: Deploy to Maven Central run: mvn deploy -B -DskipTests -Psign,deploy-central --no-transfer-progress env: @@ -69,6 +71,8 @@ jobs: deploy-github: name: Deploy to GitHub Packages runs-on: ubuntu-latest + permissions: + packages: write # Required for the deploy to GitHub Packages step needs: [build] if: github.repository_owner == 'cryptomator' && (startsWith(github.ref, 'refs/tags/') || contains(github.event.head_commit.message, '[deploy]')) steps: 
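Review bot: A job-level `permissions` block replaces the default token scopes instead of extending them, so after these three lines the `build` job's `GITHUB_TOKEN` has no `contents` scope at all; `actions/checkout@v5` should still succeed on a public repository, but it would fail on a private one, and being explicit documents the dependency — I would add `contents: read # checkout` to the block. The same applies to `permissions: {}` in @@ -38,6 +41,7 and to the `packages: write`-only block in @@ -69,6 +71,8. Separately, the workflow is also triggered by `pull_request_target` (visible in the first hunk of patch 1), so `id-token: write` is available to every step of `build` on label events as well, not only on tag pushes; the `Attest` step itself is gated to tags, so this is a scope-minimisation point rather than a defect, and a separate tag-only attestation job would keep the OIDC scope off PR-triggered runs.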
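Review bot: `${GITHUB_REF##*/}` strips everything up to the last slash, so a tag containing a slash (a constructed example: `release/1.2.3`) would compare only its last segment against the project version; the runner already exports `GITHUB_REF_NAME`, which is the exact tag name, so `test "$PROJECT_VERSION" = "$GITHUB_REF_NAME"` is both shorter and precise. The same line appears in @@ -76,15 +80,13 for `deploy-github`, and the `Ensure to use tagged version` step in `build` (patch 1) uses the same expansion for `-DnewVersion`. Note also that `build` rewrites the version to the tag before building, while this check runs on a fresh checkout without that rewrite, so a pom whose version does not already equal the tag passes `build` (and is attested) but fails here; if that is intended as a guard, a comment saying so above the step would make the asymmetry deliberate rather than surprising.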
@@ -76,15 +80,13 @@ jobs: - uses: actions/setup-java@v5 with: java-version: ${{ env.JAVA_VERSION }} - distribution: temurin + distribution: 'temurin' cache: 'maven' - name: Verify project version matches tag if: startsWith(github.ref, 'refs/tags/') run: | PROJECT_VERSION=$(mvn help:evaluate "-Dexpression=project.version" -q -DforceStdout) - test "$PROJECT_VERSION" = "$TAG_NAME" - env: - TAG_NAME: ${{ github.event.release.tag_name }} + test "$PROJECT_VERSION" = "${GITHUB_REF##*/}" - name: Deploy to GitHub Packages run: mvn deploy -B -DskipTests -Psign,deploy-github --no-transfer-progress env: @@ -96,6 +98,8 @@ jobs: release: name: Release runs-on: ubuntu-latest + permissions: + contents: write # Required for the release step needs: [deploy-central, deploy-github] if: startsWith(github.ref, 'refs/tags/') steps:
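Review bot: `contents: write` is granted to this job's `GITHUB_TOKEN`, but the `Create Release` step that follows (context in patch 1's hunk for this file) passes `token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}`, so the release is created with a long-lived PAT and never uses the scope this block adds — the comment `# Required for the release step` is inaccurate as written. If the PAT is deliberate (releases created with `GITHUB_TOKEN` do not trigger other workflows, which is a common reason to keep one), drop `contents: write` and say so in the comment; otherwise remove the `token:` line so the step falls back to the job token and the scope is actually used, which also takes a long-lived credential out of the workflow. I cannot tell from this page which of the two is intended.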