pr.yaml: GPG-verified focal-security install via signed-by= #148
Merged
The 'Install OpenSSL 1.1 for .NET 5.0' step was failing on newer GitHub-hosted Ubuntu runners. [trusted=yes] skips GPG verification so the source isn't silently ignored. Validated by IComparable-Extensions#69; canonical equivalent in repo-template#336. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
This PR updates the CI workflow to make the “Install OpenSSL 1.1 for .NET 5.0” step succeed on newer GitHub-hosted Ubuntu runners by altering the focal-security APT source configuration.
Changes:
- Adds `[trusted=yes]` to the `focal-security` APT source line so `apt-get update` no longer depends on the focal archive signing key being present.
Addresses Copilot's review on repo-template#336: [trusted=yes] disables GPG verification entirely. signed-by=/usr/share/keyrings/ubuntu-archive-keyring.gpg pins the source to the Ubuntu archive keyring shipped in every runner image, so libssl1.1 is still signature-verified. Matches repo-template main after #336 merged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This was referenced Jun 23, 2026
Summary
Adds the `focal-security` apt source with `[signed-by=/usr/share/keyrings/ubuntu-archive-keyring.gpg]`, allowing apt to install `libssl1.1` for the .NET 5.0 test stage on newer Ubuntu runners while keeping GPG signature verification enabled.

Why
This step was previously failing on newer GitHub-hosted Ubuntu runners with `E: Package 'libssl1.1' has no installation candidate`. apt was silently `Ign`-ing the source because no `signed-by=` directive pointed it at a keyring containing the focal signing key. The Canonical archive keyring at `/usr/share/keyrings/ubuntu-archive-keyring.gpg` is present on every GitHub-hosted Ubuntu runner and contains the same signing key Canonical uses across releases (focal, jammy, noble), so it can verify focal-security packages from a non-focal runner without disabling signature checking.
An earlier iteration of this rollout used `[trusted=yes]` (skipping verification) as a quick unblock; this PR brings in the keyring-based replacement that restores end-to-end signature verification.

Validation
Tested end-to-end against the actual `ubuntu-latest` (noble 24.04) runner image — see the run linked in repo-template#336. This PR is part of the rollout to the 18 affected repos.

Note for reviewers
This PR edits `.github/workflows/pr.yaml`, which the v3 PR-Checks workflow treats as a protected configuration file. The "Detect protected configuration file changes" step will fail CI by design — that is the explicit guard against PRs disabling analyzers/scans by modifying workflows. The change here is the canonical `pr.yaml` sync from `repo-template`, so maintainer-bypass merge (or local validation against canonical) is appropriate.
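
The difference between the two source options discussed in this PR, as an added example that is not part of the PR or the project's workflow: a POSIX shell audit that classifies one-line apt source entries as unverified (`trusted=yes`), pinned to a keyring (`signed-by=`), or left to apt's default trust. The sample entries and the mirror URL are constructed assumptions; the keyring path is the one named in the description above.

```shell
#!/bin/sh
# Added example: flag apt source entries that disable signature verification.
# SAMPLE is constructed for illustration; the mirror URL is an assumption.

# Print the option list of a one-line "deb [opts] uri suite ..." entry, if any.
apt_source_options() {
    case "$1" in
        "deb ["*"]"*|"deb-src ["*"]"*)
            rest=${1#*\[}                  # text after the first '['
            printf '%s\n' "${rest%%\]*}"   # text before the first ']'
            ;;
    esac
}

# Classify one entry: UNVERIFIED, PINNED <keyring>, or DEFAULT.
classify_apt_source() (
    set -f                                 # split options without globbing
    keyring="" unverified=0
    for opt in $(apt_source_options "$1"); do
        case "$opt" in
            trusted=yes) unverified=1 ;;   # verification skipped entirely
            signed-by=*) keyring=${opt#signed-by=} ;;
        esac
    done
    if [ "$unverified" -eq 1 ]; then echo "UNVERIFIED"
    elif [ -n "$keyring" ]; then echo "PINNED $keyring"
    else echo "DEFAULT"                    # apt's default trusted keyrings apply
    fi
)

# Read entries on stdin; print "<line number>: <status>" for each deb line.
audit_sources() {
    n=0
    while IFS= read -r entry; do
        n=$((n + 1))
        case "$entry" in
            "deb "*|"deb-src "*) echo "$n: $(classify_apt_source "$entry")" ;;
        esac
    done
}

SAMPLE='# constructed entries
deb [trusted=yes] http://security.ubuntu.com/ubuntu focal-security main
deb [signed-by=/usr/share/keyrings/ubuntu-archive-keyring.gpg] http://security.ubuntu.com/ubuntu focal-security main
deb http://security.ubuntu.com/ubuntu focal-security main'

printf '%s\n' "$SAMPLE" | audit_sources
```

An entry carrying both options is reported as UNVERIFIED, since `trusted=yes` makes the `signed-by=` pin irrelevant.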