pr.yaml: add [trusted=yes] to focal-security apt source#13
Merged
Conversation
The 'Install OpenSSL 1.1 for .NET 5.0' step was failing on newer GitHub-hosted Ubuntu runners. [trusted=yes] skips GPG verification so the source isn't silently ignored. Validated by IComparable-Extensions#69; canonical equivalent in repo-template#336. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Pull request overview
This PR updates the CI workflow to make the “Install OpenSSL 1.1 for .NET 5.0” step succeed on newer Ubuntu GitHub-hosted runners by altering the focal-security APT source configuration.
Changes:
- Mark the
focal-securityAPT source as trusted ([trusted=yes]) soapt-get updatedoes not ignore it when the signing key is missing. - Unblock installation of
libssl1.1needed for .NET 5.0 on newer Ubuntu images.
Comment on lines
330
to
331
| echo "deb [trusted=yes] https://security.ubuntu.com/ubuntu focal-security main" | sudo tee /etc/apt/sources.list.d/focal-security.list | ||
| sudo apt-get update -q |
| - name: Install OpenSSL 1.1 for .NET 5.0 | ||
| run: | | ||
| echo "deb https://security.ubuntu.com/ubuntu focal-security main" | sudo tee /etc/apt/sources.list.d/focal-security.list | ||
| echo "deb [trusted=yes] https://security.ubuntu.com/ubuntu focal-security main" | sudo tee /etc/apt/sources.list.d/focal-security.list |
Addresses Copilot's review on repo-template#336: [trusted=yes] disables GPG verification entirely. signed-by=/usr/share/keyrings/ubuntu-archive-keyring.gpg pins the source to the Ubuntu archive keyring shipped in every runner image, so libssl1.1 is still signature-verified. Matches repo-template main after #336 merged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
[trusted=yes]to thefocal-securityapt source line in the "Install OpenSSL 1.1 for .NET 5.0" step.Why
This step was failing on newer GitHub-hosted Ubuntu runners with
E: Package 'libssl1.1' has no installation candidate. Root cause: the focal Ubuntu archive signing key is not always present on newer runner images, so apt silentlyIgns the source andapt-get updatesucceeds without it.[trusted=yes]skips GPG signature verification for that single source.Validation
Tested in IComparable-Extensions#69, promoted to canonical in repo-template#336. This PR is part of the rollout to the 18 affected repos.