diff --git a/.github/workflows/update-chocolatey.yml b/.github/workflows/update-chocolatey.yml
new file mode 100644
index 00000000..e6d26d27
--- /dev/null
+++ b/.github/workflows/update-chocolatey.yml
@@ -0,0 +1,78 @@ +name: Update Chocolatey package + +on: + release: + types: [published] + +jobs: + update-chocolatey: + if: github.event.release.prerelease == false + runs-on: windows-latest + steps: + - name: Checkout + uses: actions/checkout@v6 + + - name: Set release version + shell: pwsh + run: | + $version = "${{ github.event.release.tag_name }}".TrimStart('v').Split('-')[0] + "VERSION=$version" | Out-File -FilePath $env:GITHUB_ENV -Append + + - name: Set MSI variables + shell: pwsh + run: | + $msiName = "Defguard_${env:VERSION}_x64_en-US.msi" + $msiUrl = "https://github.com/DefGuard/client/releases/download/v${env:VERSION}/Defguard_${env:VERSION}_x64_en-US.msi" + "MSI_NAME=$msiName" | Out-File -FilePath $env:GITHUB_ENV -Append + "MSI_URL=$msiUrl" | Out-File -FilePath $env:GITHUB_ENV -Append + + - name: Download MSI asset + shell: pwsh + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + gh release download "${{ github.event.release.tag_name }}" --pattern $env:MSI_NAME --dir "$pwd" + + - name: Calculate MSI checksum + shell: pwsh + run: | + $hash = (Get-FileHash -Algorithm SHA256 -Path $env:MSI_NAME).Hash.ToLower() + "MSI_SHA256=$hash" | Out-File -FilePath $env:GITHUB_ENV -Append + + - name: Update Chocolatey package files + shell: pwsh + working-directory: chocolatey/defguard + run: | + $nuspecPath = "defguard.nuspec" + $installPath = "tools\chocolateyinstall.ps1" + + (Get-Content -Raw $nuspecPath) ` + -replace '[^<]+', "$env:VERSION" ` + -replace '[^<]+', "$env:MSI_URL" | + Set-Content -NoNewline -Encoding UTF8 $nuspecPath + + (Get-Content -Raw $installPath) ` + -replace "^\$url\s*=\s*'.*'$", "`$url = '$env:MSI_URL'" ` + -replace "checksum\s*=\s*'[^']+'", "checksum = '$env:MSI_SHA256'" | + Set-Content -NoNewline -Encoding UTF8 $installPath + + - name: Refresh local nupkg + shell: pwsh + working-directory: chocolatey/defguard + run: | + $old = Get-ChildItem -Filter "defguard.*.nupkg" | Where-Object { $_.Name -ne "defguard.$env:VERSION.nupkg" } + if 
($old) { $old | Remove-Item -Force } + + - name: Pack Chocolatey package + shell: pwsh + working-directory: chocolatey/defguard + run: choco pack + + - name: Push Chocolatey package + shell: pwsh + working-directory: chocolatey/defguard + env: + CHOCO_API_KEY: ${{ secrets.CHOCO_API_KEY }} + run: | + $nupkg = "defguard.$env:VERSION.nupkg" + choco push $nupkg --source "https://push.chocolatey.org/" -k="$env:CHOCO_API_KEY" diff --git a/.trivyignore.yaml b/.trivyignore.yaml index 67f4f502..68b81068 100644 --- a/.trivyignore.yaml +++ b/.trivyignore.yaml @@ -1,4 +1,4 @@ vulnerabilities: - id: GHSA-wrw7-89jp-8q8g - expired_at: 2026-05-16 + expired_at: 2026-08-18 statement: 'glib is a transitive dependency of Tauri which we cannot update ourselves. Waiting for tauri to finish migration to gtk4-rs: https://github.com/tauri-apps/tauri/issues/12563' diff --git a/chocolatey/defguard/README.md b/chocolatey/defguard/README.md new file mode 100644 index 00000000..a09694c4 --- /dev/null +++ b/chocolatey/defguard/README.md @@ -0,0 +1,27 @@ +# Defguard Chocolatey package + +This directory contains the Chocolatey package source for Defguard. +The GitHub Actions workflow updates version, MSI URL, and checksum after a release is published. + +## Workflow behavior + +- Trigger: GitHub release `published` (non-prerelease). +- Source MSI: Release asset named `Defguard__x64_en-US.msi`. +- Updated files: + - `defguard.nuspec` (``, ``) + - `tools/chocolateyinstall.ps1` (`$url`, `checksum`) +- Package build: `choco pack`. +- Package push: `choco push` to `https://push.chocolatey.org/`. + +## Required secret + +- `CHOCO_API_KEY` in GitHub repo secrets. + +## Local testing (Windows) + +From this directory: + +``` +choco pack +choco install defguard --source . +``` diff --git a/chocolatey/defguard/defguard.nuspec b/chocolatey/defguard/defguard.nuspec new file mode 100755 index 00000000..87d98666 --- /dev/null +++ b/chocolatey/defguard/defguard.nuspec 
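Review bot: The `$url` rewrite in the "Update Chocolatey package files" step appears unable to match: in a double-quoted PowerShell string `\$url` is still expanded as a variable (backslash is not an escape character there), and without `(?m)` the `^` and `$` anchors apply to the whole `Get-Content -Raw` string rather than to the `$url` line. The package would then be packed with the new `checksum` but the previous release's URL, which fails closed at install time but ships a broken package. A single-quoted multiline pattern such as `'(?m)^\$url\s*=\s*''[^'']*'''` addresses both problems. Separately, `${{ github.event.release.tag_name }}` is expanded into the script text of the "Set release version" and "Download MSI asset" steps; mapping it through `env:` (`TAG_NAME: ${{ github.event.release.tag_name }}`) and reading `$env:TAG_NAME` keeps the tag from being parsed as PowerShell in a job that later holds `CHOCO_API_KEY`.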
@@ -0,0 +1,24 @@ + + + + defguard + 1.6.8 + Defguard + Defguard + https://defguard.net + http://rawcdn.githack.com/defguard/client/main/src/shared/images/png/logo_256-256.png + Copyright 2026 Defguard Sp. z o.o. + https://github.com/DefGuard/client/blob/main/LICENSE.md + true + https://github.com/DefGuard/client + https://docs.defguard.net/ + https://github.com/DefGuard/client/issues + defguard vpn wireguard sso mfa + Desktop client for Defguard - Wireguard VPN with MFA + Desktop client provides an easy way to access VPN locations of multiple Defguard instances via user-friendly UI. + https://github.com/DefGuard/client/releases + + + + + diff --git a/chocolatey/defguard/tools/chocolateyinstall.ps1 b/chocolatey/defguard/tools/chocolateyinstall.ps1 new file mode 100755 index 00000000..54b77a52 --- /dev/null +++ b/chocolatey/defguard/tools/chocolateyinstall.ps1 @@ -0,0 +1,23 @@ +$ErrorActionPreference = 'Stop' +$toolsDir = "$(Split-Path -parent $MyInvocation.MyCommand.Definition)" +$url = 'https://github.com/DefGuard/client/releases/download/v1.6.8/Defguard_1.6.8_x64_en-US.msi' + + +$packageArgs = @{ + packageName = $env:ChocolateyPackageName + unzipLocation = $toolsDir + fileType = 'msi' + url = $url + + softwareName = 'defguard*' + + checksum = 'f7291e9d74cc270445bc1adc2624c2b74289f2276221f1c355f96d1db021871b' + checksumType = 'sha256' + + + silentArgs = "/qn /norestart /l*v `"$($env:TEMP)\$($packageName).$($env:chocolateyPackageVersion).MsiInstall.log`"" + validExitCodes= @(0, 3010, 1641) +} + +Install-ChocolateyPackage @packageArgs +Write-Warning "IMPORTANT: Reboot or Re-login Required: On initial install the user is added to the defguard group.A reboot or logging out and back in is required for group membership changes to take effect. This is not required on subsequent updates." diff --git a/chocolatey/defguard/tools/chocolateyuninstall.ps1 b/chocolatey/defguard/tools/chocolateyuninstall.ps1 new file mode 100755 index 00000000..cc8b69e8 --- /dev/null 
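Review bot: The logo URL in `defguard.nuspec` is the only one in the file that uses plain `http://` (`http://rawcdn.githack.com/defguard/client/main/src/shared/images/png/logo_256-256.png`); every other URL is HTTPS. Changing the scheme to `https://rawcdn.githack.com/...` keeps package metadata from being fetched over an unauthenticated channel. The path also tracks `main` rather than a fixed commit, so the image can change without a package release. The element names are not visible in this rendering of the hunk, so I am assuming from the file name that this line is the icon URL.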
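Review bot: `$packageName` in the `silentArgs` log path of `chocolateyinstall.ps1` is not assigned anywhere in the visible script, so unless Chocolatey provides it the MSI log is written as `\.<version>.MsiInstall.log`. Using `$($env:ChocolateyPackageName)`, which the same hashtable already uses for `packageName`, would be unambiguous. The same unassigned `$packageName` appears in the "has already been uninstalled" warning in `chocolateyuninstall.ps1`. The final `Write-Warning` text is also missing a space in `group.A reboot`.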
+++ b/chocolatey/defguard/tools/chocolateyuninstall.ps1 @@ -0,0 +1,32 @@ +$ErrorActionPreference = 'Stop' +$packageArgs = @{ + packageName = $env:ChocolateyPackageName + softwareName = 'defguard*' + fileType = 'msi' + silentArgs = "/qn /norestart" + validExitCodes= @(0, 3010, 1605, 1614, 1641) +} + +[array]$key = Get-UninstallRegistryKey -SoftwareName $packageArgs['softwareName'] + +if ($key.Count -eq 1) { + $key | % { + $packageArgs['file'] = "$($_.UninstallString)" + + if ($packageArgs['fileType'] -eq 'MSI') { + $packageArgs['silentArgs'] = "$($_.PSChildName) $($packageArgs['silentArgs'])" + + $packageArgs['file'] = '' + } else { + } + + Uninstall-ChocolateyPackage @packageArgs + } +} elseif ($key.Count -eq 0) { + Write-Warning "$packageName has already been uninstalled by other means." +} elseif ($key.Count -gt 1) { + Write-Warning "$($key.Count) matches found!" + Write-Warning "To prevent accidental data loss, no programs will be uninstalled." + Write-Warning "Please alert package maintainer the following keys were matched:" + $key | % {Write-Warning "- $($_.DisplayName)"} +}