CI: install all apt deps from ghcr bundles, drop actions/cache apt-deps layer #10701
Merged
The ci-cache-offload work added a ghcr .deb bundle path to install-apt-deps, making the actions/cache apt-archive layer redundant. Remove it so no apt-deps-* cache entries are produced. Apt packages now install either offline from the ghcr bundle (when ghcr-debs-tag is set) or via plain apt-get with the existing retry/backoff.
- Strip the Compute/Restore/Pre-seed/Collect/Save cache steps and the cache-hit fast path; drop the now-unused 'cache' input.
- Update callers that passed 'cache': membrowse-onboard, membrowse-report (and the apt_cache matrix key in membrowse-targets.json), and sssd.

The ghcr offline path and the ccache actions/cache usage are untouched.
Extends the ghcr offline-install path to every install-apt-deps consumer that was still on plain apt, and publishes the bundles they need.
New bundles built by ci-deps-image:
- ubuntu-24.04-embedded: the membrowse ARM cross-toolchain (~0.5 GB), kept out of -full so it does not bloat the interop workflows' pull.
- ubuntu-24.04-linuxkm: linux-headers-$(uname -r) + the kernel-module build toolchain. linux-headers tracks the runner's running kernel, so a daily job rebuilds it only when uname -r changed (recorded as an image label); a mismatch during a runner-image rollout just falls back to apt.

Consumers now passing ghcr-debs-tag:
- sssd -> ubuntu-24.04-full (its deps added to that list)
- hostap-vm -> ubuntu-22.04-full (its deps added to that list)
- membrowse targets -> ubuntu-24.04-embedded; the two linuxkm targets -> ubuntu-24.04-linuxkm (new per-target matrix.ghcr_tag)
- linuxkm.yml -> ubuntu-24.04-linuxkm (pinned to ubuntu-24.04 so the bundle's headers match the runner kernel)

Each consumer still falls back to apt when its bundle is unavailable, so nothing breaks until ci-deps-image first publishes the new tags.
Pull request overview
This PR updates the GitHub Actions CI dependency installation flow to rely on prebuilt GHCR .deb bundles (offline installs) and removes the redundant actions/cache-based apt archive caching from the install-apt-deps composite action. It also extends bundle coverage to additional consumers (membrowse embedded + linux kernel module headers/toolchain) via new/updated bundle definitions in ci-deps-image.
Changes:
- Remove the apt-archive caching layer from .github/actions/install-apt-deps and keep only (1) optional offline GHCR bundle install and (2) online apt-get retry/backoff.
- Update workflows and membrowse target matrices to pass ghcr-debs-tag (and add new per-target ghcr_tag values).
- Extend ci-deps-image to publish new bundle variants (ubuntu-24.04-embedded, ubuntu-24.04-linuxkm) and add/update package lists accordingly.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| .github/workflows/sssd.yml | Switch install-apt-deps usage from cache input to ghcr-debs-tag for ubuntu-24.04-full. |
| .github/workflows/membrowse-report.yml | Use per-target matrix.ghcr_tag for offline bundle installs instead of apt cache control. |
| .github/workflows/membrowse-onboard.yml | Use per-target matrix.ghcr_tag for offline bundle installs instead of apt cache control. |
| .github/workflows/linuxkm.yml | Pin runner to ubuntu-24.04 and install headers via the ubuntu-24.04-linuxkm bundle when available. |
| .github/workflows/hostap-vm.yml | Enable offline install via ubuntu-22.04-full bundle. |
| .github/workflows/ci-deps-image.yml | Add new static -embedded bundle and a kernel-tracking daily -linuxkm bundle job. |
| .github/membrowse-targets.json | Add ghcr_tag per target and remove now-unused apt_cache. |
| .github/ci-deps/packages-ubuntu-24.04-full.txt | Add missing packages needed by updated consumers (e.g., sssd deps). |
| .github/ci-deps/packages-ubuntu-24.04-embedded.txt | New package list for membrowse embedded targets’ bundle. |
| .github/ci-deps/packages-ubuntu-22.04-full.txt | Add packages needed by hostap-vm and other ubuntu-22.04-full consumers. |
| .github/actions/install-apt-deps/action.yml | Remove cache input and all actions/cache steps; keep GHCR-offline + apt retry paths. |
Addresses PR review feedback. The kernel-tracking linuxkm bundle treated a failed --download-only as a warning and still published, so a transient mirror error could ship a partial bundle. Because the daily job skips rebuilds while the kernel label matches, such a partial bundle would persist until the kernel next changes (~monthly), forcing consumers to fall back to apt the whole time. The linuxkm set is small and entirely required, so resolve it as one closure and let a failure fail the job; we push only on success, so the last good bundle stays in place. The static -full/-minimal bundles keep their per-package skip-and-warn - they serve many independent consumer subsets and rebuild weekly, so maximizing coverage is the right trade-off there.
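The skip-while-label-matches and publish-only-on-success behaviour described in the commit message above can be expressed as a gate that runs before the push. This is an added example, not the project's workflow code: the function names, the idea of passing the image's kernel label as an argument, and the reliance on Debian's `name_version_arch.deb` file naming are assumptions.

```shell
#!/bin/sh
# Added example, not code from the PR. All function names are hypothetical.

# needs_rebuild LABEL_KERNEL RUNNING_KERNEL
# Succeeds when the kernel recorded on the published bundle differs from the
# runner's kernel, i.e. the daily job has to rebuild.
needs_rebuild() {
    [ "$1" != "$2" ]
}

# missing_packages BUNDLE_DIR PKG...
# Prints each required package that has no non-empty .deb in BUNDLE_DIR.
missing_packages() {
    dir=$1; shift
    for pkg in "$@"; do
        found=no
        # The "_" right after the name keeps "gcc" from matching "gcc-13_...".
        for deb in "$dir/${pkg}"_*.deb; do
            # An unmatched glob stays literal and fails -s; -s also rejects
            # zero-byte files left behind by an interrupted download.
            if [ -s "$deb" ]; then found=yes; break; fi
        done
        [ "$found" = yes ] || printf '%s\n' "$pkg"
    done
}

# publish_gate LABEL_KERNEL RUNNING_KERNEL BUNDLE_DIR PKG...
# Prints "skip", "publish" or "fail: <packages>". Returns non-zero on fail so
# the job stops before the push and the last good bundle stays in place.
publish_gate() {
    label=$1; running=$2; dir=$3; shift 3
    if ! needs_rebuild "$label" "$running"; then
        echo skip
        return 0
    fi
    missing=$(missing_packages "$dir" "$@")
    if [ -n "$missing" ]; then
        # Unquoted on purpose: joins the one-per-line names with spaces.
        echo "fail:" $missing
        return 1
    fi
    echo publish
}
```

Because a matching label makes every later run print `skip`, the completeness check has to happen before the first push of a given kernel's bundle; nothing re-examines it afterwards.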
retest this please
setup-alire@v5 caches the gnat_native+gprbuild toolchain via actions/cache (key alr[1][2.1.0][...]), holding ~1.26 GiB - 3x the 428 MiB toolchain, one copy per ref - against the repo's 10 GiB cache cap. On a miss the toolchain is only a ~17s pull from github.com (alire-project releases), so the cache saved ~20-30s on a ~6.5min Ada job (dominated by gnatprove). Not worth the space; install it fresh each run.
arduino.yml's per-core actions/cache layer stored the installed cores and toolchains (~/.arduino15) - several GB, dominated by the esp32 and mbed cores - in the 10 GB Actions cache. For esp32 it was also ineffective: the disk-cleanup step deletes the esp32 toolchain before actions/cache saves it, so esp32 re-downloaded every run anyway.
- New arduino-cores-image workflow resolves each of the 9 distinct cores and publishes a tar of ~/.arduino15 + ~/Arduino/libraries to ghcr.io/<owner>/wolfssl-ci-arduino:<core>. It runs monthly: esp32, the fastest-moving core, releases ~monthly and the rest far less often.
- New install-arduino-core composite action restores that bundle offline and verifies the core is present, falling back to `arduino-cli core install` when the bundle is unavailable - so nothing breaks until the image is first published and made public.
- arduino.yml calls the action in place of the inline core install and the actions/cache step.

This takes the flaky espressif / esp8266.com / pjrc.com downloads off the PR critical path and frees the Actions cache of the largest binaries it held.
dgarske approved these changes Jun 17, 2026
Description
Follow-up to the ci-cache-offload work: now that install-apt-deps can install apt packages offline from a ghcr .deb bundle, extend that path to the remaining consumers and drop the redundant actions/cache apt-deps layer.

Drop the actions/cache apt-deps layer from install-apt-deps
.deb bundle path made the actions/cache apt-archive layer redundant. Remove it so no apt-deps-* cache entries are produced. Apt packages now install either offline from the ghcr bundle (when ghcr-debs-tag is set) or via plain apt-get with the existing retry/backoff.
- Strip the Compute/Restore/Pre-seed/Collect/Save cache steps and the cache-hit fast path; drop the now-unused cache input.
- Update callers that passed cache: membrowse-onboard, membrowse-report (and the apt_cache matrix key in membrowse-targets.json), and sssd.

The ghcr offline path and the ccache actions/cache usage are untouched.

Install all apt deps from ghcr bundles
Extends the ghcr offline-install path to every install-apt-deps consumer that was still on plain apt, and publishes the bundles they need.
New bundles built by ci-deps-image:
- ubuntu-24.04-embedded: the membrowse ARM cross-toolchain (~0.5 GB), kept out of -full so it does not bloat the interop workflows' pull.
- ubuntu-24.04-linuxkm: linux-headers-$(uname -r) + the kernel-module build toolchain. linux-headers tracks the runner's running kernel, so a daily job rebuilds it only when uname -r changed (recorded as an image label); a mismatch during a runner-image rollout just falls back to apt.

Consumers now passing ghcr-debs-tag:
- sssd -> ubuntu-24.04-full (its deps added to that list)
- hostap-vm -> ubuntu-22.04-full (its deps added to that list)
- membrowse targets -> ubuntu-24.04-embedded; the two linuxkm targets -> ubuntu-24.04-linuxkm (new per-target matrix.ghcr_tag)
- linuxkm.yml -> ubuntu-24.04-linuxkm (pinned to ubuntu-24.04 so the bundle's headers match the runner kernel)

Each consumer still falls back to apt when its bundle is unavailable, so nothing breaks until ci-deps-image first publishes the new tags.

Testing
CI only — affects .github/workflows and actions.