bitcoin-core · real-or-random · Feb 2, 2026 · Feb 1, 2026 · Feb 2, 2026 · Feb 2, 2026
diff --git a/.github/actions/run-in-docker-action/action.yml b/.github/actions/run-in-docker-action/action.yml
@@ -6,8 +6,7 @@ inputs:
     required: true
   scope:
     description: 'A cached image scope'
-    required: false
-    default: ${{ runner.arch }}
+    required: true
   command:
     description: 'A command to run in a container'
     required: true

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -6,6 +6,10 @@ on:
       - '**'
     tags-ignore:
       - '**'
+  schedule:
+    # Run on the default branch every Monday morning.
+    # This also warms the Docker caches after key rotation.
+    - cron: '22 2 * * 1'
 
 concurrency:
   group: ${{ github.event_name != 'pull_request' && github.run_id || github.ref }}
@@ -48,6 +52,8 @@ jobs:
   docker_cache:
     name: "Build ${{ matrix.arch }} Docker image"
     runs-on: ${{ matrix.runner }}
+    outputs:
+      cache_scope: ${{ steps.cache_timestamp.outputs.period }}
 
     strategy:
       fail-fast: false
@@ -59,6 +65,10 @@ jobs:
             runner: ubuntu-24.04-arm
 
     steps:
+      - name: Get cache validity period
+        id: cache_timestamp
+        run: echo "period=$(($(date +%V) / 4))" >> "$GITHUB_OUTPUT"
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
         with:
@@ -70,8 +80,8 @@ jobs:
         uses: docker/build-push-action@v6
         with:
           file: ./ci/linux-debian.Dockerfile
-          cache-from: type=gha,scope=${{ runner.arch }}
-          cache-to: type=gha,scope=${{ runner.arch }},mode=min
+          cache-from: type=gha,scope=${{ runner.arch }}-${{ steps.cache_timestamp.outputs.period }}
+          cache-to: type=gha,scope=${{ runner.arch }}-${{ steps.cache_timestamp.outputs.period }},mode=min
 
   x86_64-debian:
     name: "x86_64: Linux (Debian stable)"
@@ -117,6 +127,7 @@ jobs:
         uses: ./.github/actions/run-in-docker-action
         with:
           dockerfile: ./ci/linux-debian.Dockerfile
+          scope: ${{ runner.arch }}-${{ needs.docker_cache.outputs.cache_scope }}
           command: ./ci/ci.sh
 
       - &PRINT_LOGS
@@ -636,6 +647,7 @@ jobs:
         uses: ./.github/actions/run-in-docker-action
         with:
           dockerfile: ./ci/linux-debian.Dockerfile
+          scope: ${{ runner.arch }}-${{ needs.docker_cache.outputs.cache_scope }}
           command: |
             g++ -Werror include/*.h
             clang -Werror -x c++-header include/*.h

diff --git a/ci/linux-debian.Dockerfile b/ci/linux-debian.Dockerfile
@@ -67,6 +67,9 @@ RUN \
     wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc && \
     # Add repository for this Debian release
     . /etc/os-release && echo "deb http://apt.llvm.org/${VERSION_CODENAME} llvm-toolchain-${VERSION_CODENAME} main" >> /etc/apt/sources.list && \
+    # Temporarily work around Sequoia PGP policy deadline for legacy repositories.
+    # See https://github.com/llvm/llvm-project/issues/153385.
+    sed -i 's/\(sha1\.second_preimage_resistance =\).*/\1 9999-01-01/' /usr/share/apt/default-sequoia.config && \
     apt-get update && \
     # Determine the version number of the LLVM development branch
     LLVM_VERSION=$(apt-cache search --names-only '^clang-[0-9]+$' | sort -V | tail -1 | cut -f1 -d" " | cut -f2 -d"-" ) && \