include sha256 sums of artifacts in release notes

Author: overheadhunter

.github/release.yml

@@ -0,0 +1,23 @@
+# .github/release.yml
+# see https://docs.github.com/en/repositories/releasing-projects-on-github/automatically-generated-release-notes#configuring-automatically-generated-release-notes
+
+changelog:
+  exclude:
+    authors:
+      - cryptobot
+      - dependabot
+      - github-actions
+  categories:
+    - title: What's New 🎉
+      labels:
+        - enhancement
+    - title: Bugfixes 🐛
+      labels:
+        - bug
+    - title: Other Changes 📎
+      labels:
+        - "*"
+      exclude:
+        labels:
+          - bug
+          - enhancement

.github/workflows/build.yml

@@ -25,7 +25,6 @@ jobs:
         if: startsWith(github.ref, 'refs/tags/')
         run: ./mvnw versions:set --file ./pom.xml -DnewVersion=${GITHUB_REF##*/}
       - name: Build and Test
-        id: buildAndTest
         run: >
           ./mvnw -B verify
           jacoco:report
@@ -41,12 +40,30 @@ jobs:
         with:
           name: artifacts
           path: target/*.jar
+      - name: Calculate Checksums
+        id: checksums
+        run: |
+          SHA256SUMS=$(shasum -a256 target/*.jar)
+          echo "sha256=${SHA256SUMS}" >> $GITHUB_OUTPUT
       - name: Create Release
-        uses: actions/create-release@v1 # NOTE: action is unmaintained and archived
         if: startsWith(github.ref, 'refs/tags/')
-        env:
-          GITHUB_TOKEN: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }} # release as "cryptobot"
+        uses: softprops/action-gh-release@v1
         with:
-          tag_name: ${{ github.ref }}
-          release_name: Release ${{ github.ref }}
-          prerelease: true
+          token: ${{ secrets.CRYPTOBOT_RELEASE_TOKEN }}
+          body: |-
+            ## Maven Coordinates
+            ```xml
+              <dependency>
+                <groupId>org.cryptomator</groupId>
+                <artifactId>siv-mode</artifactId>
+                <version>${{ github.ref_name }}</version>
+              </dependency>
+            ```
+
+            ## Artifact Checksums
+            ```txt
+            ${{ steps.checksums.outputs.sha256 }}
+            ```
+
+            See [README.md](../#reproducible-builds) section regarding reproducing this build.
+          generate_release_notes: true

README.md

@@ -53,7 +53,7 @@ public void encryptWithAssociatedData() {
 </dependencies>
 ```
 
-## JPMS
+## Java Module
 
 From version 1.3.2 onwards this library is an explicit module with the name `org.cryptomator.siv`. You can use it by adding the following line to your `module-info.java`.
 
@@ -63,11 +63,15 @@ requires org.cryptomator.siv;
 
 Because BouncyCastle classes are shaded, this library only depends on `java.base`.
 
-## Building
+## Reproducible Builds
 
-This is a Maven project. To build it, run `./mvnw clean install`.
+This is a Maven project that can be built using `mvn install`. However, if you want to build this reproducibly, please make sure:
 
-Requires JDK 11.0.3 or newer at build time due to JPMS support.
+1. Use the same build environment
+    * The same [JDK as our CI builds](https://github.com/cryptomator/siv-mode/blob/develop/.github/workflows/build.yml#L15-L16)
+    * Ideally the same same arch and OS (x86_64 Linux)
+    * Same locale (en_US) and linebreaks (POSIX)
+2. Use `./mvnw install` instead (or `./mvnw verify` or `./mvnw package -DskipTests`, depending on your intentions)
 
 ## License
 Distributed under the MIT X Consortium license. See the LICENSE file for more info.