From 80a3e67ba3278b4cfec611f249e3f597407cb5b5 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Mon, 15 Jun 2026 18:53:00 +0000
Subject: [PATCH] CI: clarify ccache/apt-deps offload comments (Copilot review) Tighten three pieces of documentation to match the implementation; no behaviour change: - install-apt-deps (ghcr-debs-tag description): the apt mirror is avoided only on the successful offline path. The offline install is a single --no-download install of the whole package set, so any miss (bundle absent/private/incomplete) falls back to the apt path. - ci-deps-image header: each bundle is every requested package plus the dependencies not already present on the matching runner image - tied to that runner, not a portable/self-contained .deb closure. - ci-deps-image schedule note: a package missing from the bundle fails the whole offline install (it is not per-package), falling back to the full apt path.
---
 .github/actions/install-apt-deps/action.yml | 12 +++++++-----
 .github/workflows/ci-deps-image.yml | 13 +++++++++----
 2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/.github/actions/install-apt-deps/action.yml b/.github/actions/install-apt-deps/action.yml
index 5f692100c4..1e6222149f 100644
--- a/.github/actions/install-apt-deps/action.yml
+++ b/.github/actions/install-apt-deps/action.yml
@@ -24,11 +24,13 @@ inputs: description: > Tag of a prebuilt .deb bundle published to ghcr.io//wolfssl-ci-debs by the ci-deps-image workflow - (e.g. "ubuntu-24.04-minimal"). When set, the packages are installed offline - from that bundle - the apt mirror is never contacted - and the apt - cache path below is skipped entirely. Any failure (bundle missing, - not public, or missing a package) falls through to the apt path, so - this is always safe to set. Leave empty to use apt only. + (e.g. "ubuntu-24.04-minimal"). When set, the packages are installed + offline from that bundle and the apt cache path below is skipped; on + that happy path the apt mirror is not contacted. The offline install + is all-or-nothing (a single --no-download install of the whole set), + so any failure - bundle missing, not public, or not covering every + requested package - falls back to the apt path. Always safe to set; + leave empty to use apt only. required: false default: '' runs:
diff --git a/.github/workflows/ci-deps-image.yml b/.github/workflows/ci-deps-image.yml
index ff8ac38a56..91cc5e6371 100644
--- a/.github/workflows/ci-deps-image.yml
+++ b/.github/workflows/ci-deps-image.yml
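Review bot: "Always safe to set" in the new ghcr-debs-tag description is backed only by the fallback behaviour, so it reads as a broader guarantee than the text supports. When the offline install succeeds, the packages come from whatever is published under that tag on ghcr.io and the apt mirror is not contacted, so the bundle becomes a trusted input to every job that sets the tag. I would narrow the wording to something like `A failed offline install never breaks the job (it falls back to apt); a successful one trusts the bundle as published under this tag.` Whether the action checks the bundle beyond pulling it by tag is not visible in this hunk, so confirm that before wording it more strongly. The input's key line sits above the hunk, so the rest of its definition is not shown here.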
@@ -3,8 +3,11 @@ name: CI deps image # Builds the prebuilt apt .deb bundles that the make-check family (the # -minimal tags) and the interop workflows (the -full tags, a superset) # install offline (see .github/actions/install-apt-deps, input -# ghcr-debs-tag). Each bundle is the .deb closure of a package list in -# .github/ci-deps/, published to ghcr.io//wolfssl-ci-debs:. +# ghcr-debs-tag). Each bundle holds the .debs for a package list in +# .github/ci-deps/ - every package plus the dependencies not already on the +# matching runner image, so it is tied to that runner rather than being a +# portable, self-contained closure - published to +# ghcr.io//wolfssl-ci-debs:. # # Why: the apt mirror times out often enough to break PR CI. Resolving the # closure ONCE here (on master, where a slow mirror only delays this job and
@@ -21,8 +24,10 @@ on: schedule: # Weekend only - refresh the bundles weekly so they track base-image # security updates. A mid-week package-list change waits for Saturday - # (or run this manually via workflow_dispatch); until then install-apt-deps - # falls back to apt for any package not yet in the bundle. + # (or run this manually via workflow_dispatch); until then the offline + # install (a single --no-download install of the whole set) fails if any + # requested package is missing from the bundle, and install-apt-deps + # falls back to the full apt path. - cron: '0 2 * * 6' workflow_dispatch:
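Review bot: In the first hunk of ci-deps-image.yml the rewritten header says the bundle is not a portable, self-contained closure, yet the unchanged "Why" paragraph directly below still says `Resolving the closure ONCE here`. The two statements read as contradictory when skimming the header; consider `Resolving the package set ONCE here` so the header uses one term throughout. It may also be worth a clause such as `# (the bundle is only valid for the runner image it was built against)`, since "tied to that runner" does not say what happens when the runner image itself is updated. Presumably the all-or-nothing offline install then fails and apt is used, but that is an inference from the other comments. The "Why" paragraph continues past the end of the hunk.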
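Review bot: The schedule comment in the second hunk of ci-deps-image.yml explains the fallback for a missing package but not the other consequence of a weekly rebuild. On the successful offline path the mirror is not contacted, so jobs install the versions captured at the last rebuild. A security update released mid-week is therefore not picked up until Saturday unless someone runs workflow_dispatch. A line such as `# Packages installed offline are as old as the last rebuild (up to a week); run workflow_dispatch to pull a fix forward.` would make that window explicit. The `on:` block continues outside the hunk.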