ci: Rotate Docker cache keys #1816
The LLVM apt repository uses legacy SHA1 signatures which are now rejected by the stricter Sequoia PGP policy. This change extends the 'sha1.second_preimage_resistance' cutoff date to 9999-01-01 in the default Sequoia config. This effectively whitelists the legacy signature algorithm, preventing "OpenPGP signature verification failed" errors during `apt-get update`. See llvm/llvm-project#153385.
| # Temporarily work around Sequoia PGP policy deadline for legacy repositories. | ||
| # See https://github.com/llvm/llvm-project/issues/153385. | ||
| sed -i 's/\(sha1\.second_preimage_resistance =\).*/\1 9999-01-01/' /usr/share/apt/default-sequoia.config && \ |
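Review bot: the `sed -i` on `/usr/share/apt/default-sequoia.config` exits 0 even when no `sha1.second_preimage_resistance =` line matches, so if that key is ever renamed or absent the workaround silently does nothing and the problem resurfaces only at `apt-get update`. Consider following it with a check such as `grep -q 'sha1.second_preimage_resistance = 9999-01-01' /usr/share/apt/default-sequoia.config` so the image build fails at this step instead. Two further points on the same line: the comment says "Temporarily" while `9999-01-01` never expires, and editing the default config relaxes the SHA-1 cutoff for every apt source in the image, not only the LLVM one. A near-term cutoff date would make the workaround lapse on its own and force a revisit.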
What a sad thing to commit in this repo...
(Nothing to do here. I just wanted to point that out.)
I'm not sure if we should take every snapshot. If we take only some snapshots, this will reduce the number of times we need to deal with random GCC breakage. My thinking is that we may want to take only every fourth one. I assume this is still good enough to catch changes introduced by new compiler optimizations, and this is what we care about. We could just take the ISO week number mod 4. That results in an off-by-one error after every (rare) year with 53 ISO weeks, but ok, who cares... And if the cache is evicted for whatever other reason, we'll also get the most recent snapshot, but also that seems acceptable.
This forces a periodic clean build to ensure we do not rely on stale cache layers indefinitely.
055818b to 2ccff6e
Thanks! Reworked.
Let me merge this right now because it contains the LLVM workaround that fixes CI... We can always adjust or revert if there are further comments, or if people have other opinions on how often we should rotate.
453949ab2a Merge bitcoin-core/secp256k1#1816: ci: Rotate Docker cache keys
cd49c57e44 Merge bitcoin-core/secp256k1#1814: release process: mention the `[Unreleased]` link clearly
2ccff6eb73 ci: Add weekly schedule
2f18567d24 ci: Rotate Docker cache keys every 4 weeks
0ffb1749a5 ci, docker: Fix LLVM repository signature failure
0267b65512 release process: mention the `[Unreleased]` link clearly
1605b02f75 Merge bitcoin-core/secp256k1#1775: Add CMake build directory patterns to `.gitignore`
748c0fdd67 Add CMake build directory patterns to `.gitignore`
7eb86bdb01 autotools: Rename `build-aux` to `autotools-aux`

git-subtree-dir: src/secp256k1
git-subtree-split: 453949ab2af80fe7f6ba39ffc7c2b767ec886bf7
4fb7ccf ci: Enforce base-10 evaluation (Hennadii Stepanov)

Pull request description:

This PR is a follow-up to #1816. It enforces base-10 evaluation of the week number to prevent Bash from interpreting weeks "08" and "09" as invalid octal numbers. It was present in my initial [proposal](#1807 (review)), but somehow I missed it in #1816.

ACKs for top commit:
real-or-random: ACK 4fb7ccf

Tree-SHA512: dc6d1e5d692ac82616c5c64e1093c19693aa81d3b693834fb0999130b5e3357340b8ed0a5322cfa8d2f9fefbfeb8285abbd580662d257529d9d767afa009e9ef
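The octal pitfall described above, applied to the ISO-week rotation idea discussed earlier in the thread, as an added example that is not code from this PR or from the project. The function names and the `week / 4` bucket formula are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the project's CI script. The bucket formula (week / 4)
# and the function names are assumptions for illustration.

# Naive form: a leading 0 marks an octal literal in shell arithmetic, so the
# week strings "08" and "09" are invalid numbers. The subshell contains the error.
naive_bucket() {
    ( echo "$(( $1 / 4 ))" ) 2>/dev/null
}

# Hardened form: validate the two-digit string, drop one leading zero, then
# divide. In bash, $(( 10#$1 / 4 )) forces base 10 the same way.
cache_bucket() {
    case $1 in
        [0-9][0-9]) ;;
        *) echo "cache_bucket: expected two digits, got '$1'" >&2; return 2 ;;
    esac
    week=${1#0}
    if [ "$week" -lt 1 ] || [ "$week" -gt 53 ]; then
        echo "cache_bucket: ISO week out of range: '$1'" >&2
        return 2
    fi
    echo "$(( week / 4 ))"
}

# Constructed sample weeks, in the zero-padded form `date +%V` prints.
for w in 07 08 09 10 53; do
    n=$(naive_bucket "$w") || n="error"
    printf 'week %s  naive=%s  fixed=%s\n' "$w" "$n" "$(cache_bucket "$w")"
done
```

Only weeks 08 and 09 break the naive form, so a job built on it passes for the first seven weeks of the year before failing.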
…17, 1815, 1819, 1823, 1821, 1760, 1828, 1829, 1825, 1832, 1811 48cbd78 modules: Port bitcoin-core/secp256k1#1825 to zkp-specific code (mllwchrry) 126501f modules: Port bitcoin-core/secp256k1#1815 to zkp-specific code (mllwchrry) c49c9be bench: Update help functions in bench and bench_internal (kevkevinpal) 8d0eda0 testrand: Remove testrand_finish (Tim Ruffing) f48b1bf hash: add midstate initializer and use it for tagged hashes (w0xlt) 79e9f25 ci: Fix leftover use of old ECMULTGENPRECISION (Tim Ruffing) 76e92cf Revert "ci, docker: Fix LLVM repository signature failure" (Hennadii Stepanov) 8354618 cmake: Set `LABELS` property for tests (Hennadii Stepanov) 29f26ec cmake: Integrate DiscoverTests and normalize test names (Hennadii Stepanov) f95b263 cmake: Add DiscoverTests module (Hennadii Stepanov) 4ac6511 cmake, refactor: Deduplicate test-related code (Hennadii Stepanov) b99a94c Add tests for bad scalar inputs in ellswift XDH (gzJx0DuTRHytnHe7P5RmMbPf3wKy2BztweVGXTf) 307b49f ellswift: fix overflow flag handling in secp256k1_ellswift_xdh (gzJx0DuTRHytnHe7P5RmMbPf3wKy2BztweVGXTf) ed02466 ci: Load Docker image by ID from builder step (Hennadii Stepanov) f47bbc0 test: add unit tests for secp256k1_scalar_check_overflow (Rohit Yadav) 97b3c47 refactor: remove unnecessary `malloc` result casts (Sebastian Falbesoner) 3ae72e7 ci: Disable Docker build summary generation (Hennadii Stepanov) 4fb7ccf ci: Enforce base-10 evaluation (Hennadii Stepanov) 1bc74a2 test: show both Autotools and CMake usage for ctime_tests (8144225309) 86cae58 build: Add `-Wleading-whitespace=spaces` compiler flag (Hennadii Stepanov) fb229e7 build: Add `-Wtrailing-whitespace=any` compiler flag (Hennadii Stepanov) 13e3bee refactor: Remove trailing whitespace (Hennadii Stepanov) 2ccff6e ci: Add weekly schedule (Hennadii Stepanov) 2f18567 ci: Rotate Docker cache keys every 4 weeks (Hennadii Stepanov) 0ffb174 ci, docker: Fix LLVM repository signature failure (Hennadii Stepanov) 0267b65 release process: 
mention the `[Unreleased]` link clearly (Jonas Nick) 748c0fd Add CMake build directory patterns to `.gitignore` (Hennadii Stepanov) 7eb86bd autotools: Rename `build-aux` to `autotools-aux` (Hennadii Stepanov) 47eb709 ecmult: Use size_t for array indices in _odd_multiplies_table (Tim Ruffing) bb1d199 ecmult: Use size_t for array indices into tables (Tim Ruffing) Pull request description: Merge bitcoin-core/secp256k1#1794: ecmult: Use size_t for array indices Merge bitcoin-core/secp256k1#1775: Add CMake build directory patterns to `.gitignore` Merge bitcoin-core/secp256k1#1814: release process: mention the `[Unreleased]` link clearly Merge bitcoin-core/secp256k1#1816: ci: Rotate Docker cache keys Merge bitcoin-core/secp256k1#1813: Remove trailing spaces and introduce `-Wtrailing-whitespace=any` compiler flag Merge bitcoin-core/secp256k1#1804: test: show both CMake and Autotools usage for ctime_tests Merge bitcoin-core/secp256k1#1818: ci: Enforce base-10 evaluation Merge bitcoin-core/secp256k1#1817: ci: Disable Docker build summary generation Merge bitcoin-core/secp256k1#1815: refactor: remove unnecessary `malloc` result casts Merge bitcoin-core/secp256k1#1819: tests: Improve secp256k1_scalar_check_overflow tests (Issue #1812) Merge bitcoin-core/secp256k1#1823: ci: Load Docker image by ID from builder step Merge bitcoin-core/secp256k1#1821: ellswift: fix overflow flag handling in secp256k1_ellswift_xdh Merge bitcoin-core/secp256k1#1760: cmake: Add dynamic test discovery to improve parallelism Merge bitcoin-core/secp256k1#1828: Revert "ci, docker: Fix LLVM repository signature failure" Merge bitcoin-core/secp256k1#1829: ci: Fix leftover use of old ECMULTGENPRECISION Merge bitcoin-core/secp256k1#1825: hash: remove redundant `secp256k1_sha256_initialize` in tagged hash midstate functions Merge bitcoin-core/secp256k1#1832: testrand: Remove testrand_finish Merge bitcoin-core/secp256k1#1811: bench: Update help functions in bench and bench_internal This PR can be recreated 
with `./contrib/sync-upstream.sh -b master range c0a2aba`. Tips: * Use `git show --remerge-diff <pr-branch>` to show the conflict resolution in the merge commit. * Use `git read-tree --reset -u <pr-branch>` to replay these resolutions during the conflict resolution stage when recreating the PR branch locally. Be aware that this may discard your index as well as the uncommitted changes and untracked files in your worktree. ACKs for top commit: real-or-random: ACK 48cbd78 Tree-SHA512: 1ea96bf3b7458c02bb472ca7423eb21defe6640ea58a993ac24603d6a8d44ac9bbeab7e2ca5f993918fa1388b9e69b308dcc67277afffd55cb833ecf07051c75
This is an alternative to #1807 that avoids introducing a new workflow with the write permissions.
Closes #1691.
The 4-week rotation interval was chosen based on the following rationale:
IMPORTANT NOTE: Due to a mere coincidence, LLVM apt signatures became rejected by Debian Trixie today. A commit containing a temporary workaround has been included to address this.