Extends the ghcr offline-install path to every install-apt-deps consumer
that was still on plain apt, and publishes the bundles they need.
New bundles built by ci-deps-image:
- ubuntu-24.04-embedded: the membrowse ARM cross-toolchain (~0.5 GB), kept
out of -full so it does not bloat the interop workflows' pull.
- ubuntu-24.04-linuxkm: linux-headers-$(uname -r) + the kernel-module build
toolchain. linux-headers tracks the runner's running kernel, so a daily
job rebuilds it only when uname -r changed (recorded as an image label);
a mismatch during a runner-image rollout just falls back to apt.
Consumers now passing ghcr-debs-tag:
- sssd -> ubuntu-24.04-full (its deps added to that list)
- hostap-vm -> ubuntu-22.04-full (its deps added to that list)
- membrowse targets -> ubuntu-24.04-embedded; the two linuxkm targets ->
ubuntu-24.04-linuxkm (new per-target matrix.ghcr_tag)
- linuxkm.yml -> ubuntu-24.04-linuxkm (pinned to ubuntu-24.04 so the
bundle's headers match the runner kernel)
Each consumer still falls back to apt when its bundle is unavailable, so
nothing breaks until ci-deps-image first publishes the new tags.
The ci-cache-offload work added a ghcr .deb bundle path to
install-apt-deps, making the actions/cache apt-archive layer redundant.
Remove it so no apt-deps-* cache entries are produced. Apt packages now
install either offline from the ghcr bundle (when ghcr-debs-tag is set)
or via plain apt-get with the existing retry/backoff.
- Strip the Compute/Restore/Pre-seed/Collect/Save cache steps and the
cache-hit fast path; drop the now-unused 'cache' input.
- Update callers that passed 'cache': membrowse-onboard, membrowse-report
(and the apt_cache matrix key in membrowse-targets.json), and sssd.
The ghcr offline path and the ccache actions/cache usage are untouched.
Forks with Actions enabled would otherwise run the membrowse build matrix on push/workflow_dispatch and report fork builds to the membrowse backend. Guard the jobs in both workflows with github.repository_owner == 'wolfssl' (combined with the existing draft check in the report workflow), matching tls-anvil.yml and coverity-scan-fixes.yml.
Also default the analyze/onboard matrix to '[]' so strategy expansion does not error when load-targets is skipped on forks or draft PRs.
Use unique concurrency group per commit for push events so that
sequential merges to master don't cancel each other's queued runs.
This ensures every master commit gets analyzed for memory tracking.