pr.yaml: add [trusted=yes] to focal-security apt source#69
Merged
Conversation
The 'Install OpenSSL 1.1 for .NET 5.0' step was failing on newer
GitHub-hosted Ubuntu runners with:
E: Package 'libssl1.1' has no installation candidate
Root cause: the focal Ubuntu archive signing key is not always
present on newer runner images. apt silently Ign's the source
('Ign:55 ... focal-security InRelease') and apt-get update succeeds
without it, so libssl1.1 isn't in the package index when install
runs.
Adding [trusted=yes] to the apt source line skips signature
verification, letting the source be used regardless of key
availability.
Testing this fix locally before propagating to canonical and the
other ~19 affected repos.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR tries to restore the .NET 5.0 compatibility workaround in the PR workflow by changing how libssl1.1 is sourced from Ubuntu focal-security. In this template repo, that change affects the shared CI path used by downstream repositories created from the template.
Changes:
- Adds
[trusted=yes]to the temporaryfocal-securityAPT source used in the OpenSSL 1.1 install step. - Documents the runner-key issue that caused
libssl1.1to disappear from the package index on newer GitHub-hosted runners.
Comment on lines
+330
to
336
| # [trusted=yes] skips GPG signature verification — the focal Ubuntu archive | ||
| # signing key is not always present on newer GitHub-hosted runners, which | ||
| # caused the apt source to be silently ignored and 'libssl1.1' to fail with | ||
| # 'has no installation candidate'. | ||
| echo "deb [trusted=yes] https://security.ubuntu.com/ubuntu focal-security main" | sudo tee /etc/apt/sources.list.d/focal-security.list | ||
| sudo apt-get update -q | ||
| sudo apt-get install --yes libssl1.1 |
Comment on lines
+330
to
+334
| # [trusted=yes] skips GPG signature verification — the focal Ubuntu archive | ||
| # signing key is not always present on newer GitHub-hosted runners, which | ||
| # caused the apt source to be silently ignored and 'libssl1.1' to fail with | ||
| # 'has no installation candidate'. | ||
| echo "deb [trusted=yes] https://security.ubuntu.com/ubuntu focal-security main" | sudo tee /etc/apt/sources.list.d/focal-security.list |
This was referenced May 5, 2026
Merged
pr.yaml: GPG-verified focal-security install via signed-by=
Chris-Wolfgang/ICollection-Extensions#74
Merged
pr.yaml: GPG-verified focal-security install via signed-by=
Chris-Wolfgang/IEnumerable-Extensions#88
Merged
Merged
Merged
Merged
Merged
pr.yaml: GPG-verified focal-security install via signed-by=
Chris-Wolfgang/System.Mail-Extensions#68
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds `[trusted=yes]` to the `focal-security` apt source line in pr.yaml's "Install OpenSSL 1.1 for .NET 5.0" step.
Why
The step is currently failing on newer GitHub-hosted Ubuntu runners with:
```
E: Package 'libssl1.1' has no installation candidate
```
Root cause: the focal Ubuntu archive signing key is not always present on newer runner images. apt silently `Ign`'s the source (`Ign:55 ... focal-security InRelease`), `apt-get update` succeeds without it, so `libssl1.1` isn't in the package index when install runs.
`[trusted=yes]` skips GPG signature verification, letting the source be used regardless of key availability.
Testing approach
This is a "test in one repo first" change. If CI on this PR (or a re-run of #68) succeeds at the install step, propagate the fix to canonical `repo-template` and roll out to the other ~19 repos that have .NET 5.0 in their test matrix.
Note about CI on this PR itself
The PR uses `pull_request_target`, which runs the workflow from `main` (not from the PR branch). So this PR's own CI will run the unfixed step — and likely still fail. The fix only takes effect once it's on main. Validation will be by re-running an existing PR (e.g. #68) after this lands.
🤖 Generated with Claude Code