diff --git a/.github/workflows/action-tests.yml b/.github/workflows/action-tests.yml
index 6e66a94..e67d38c 100644
--- a/.github/workflows/action-tests.yml
+++ b/.github/workflows/action-tests.yml
@@ -520,3 +520,196 @@ jobs:
           rolldice 2d6
           echo "rolldice binary works after cache restore."
         shell: bash
+
+  # === apt-sources Tests ===
+
+  apt_sources_empty:
+    runs-on: ubuntu-latest
+    name: "Empty apt-sources has no effect (backward compat)."
+    steps:
+      - uses: actions/checkout@v4
+      - name: Execute
+        id: execute
+        uses: ./
+        with:
+          packages: xdot
+          apt-sources: ""
+          version: ${{ github.run_id }}-${{ github.run_attempt }}-apt_sources_empty
+          debug: ${{ env.DEBUG }}
+      - name: Verify
+        run: |
+          test "${{ steps.execute.outputs.cache-hit }}" = "false"
+          echo "${{ steps.execute.outputs.package-version-list }}" | grep -q "xdot="
+        shell: bash
+
+  apt_sources_inline_install:
+    runs-on: ubuntu-latest
+    name: "apt-sources with inline deb line - install."
+    steps:
+      - uses: actions/checkout@v4
+      - name: Execute
+        id: execute
+        uses: ./
+        with:
+          packages: gh
+          apt-sources: |
+            https://cli.github.com/packages/githubcli-archive-keyring.gpg | deb [arch=amd64] https://cli.github.com/packages stable main
+          version: ${{ github.run_id }}-${{ github.run_attempt }}-apt_sources_inline
+          debug: ${{ env.DEBUG }}
+      - name: Verify
+        run: |
+          test "${{ steps.execute.outputs.cache-hit }}" = "false"
+          echo "${{ steps.execute.outputs.package-version-list }}" | grep -q "gh="
+          # Verify the keyring was created.
+          test -f /usr/share/keyrings/cli-github-com-packages-githubcli-archive-keyring-gpg.gpg
+          # Verify the source list was created.
+          test -f /etc/apt/sources.list.d/cli-github-com-packages-githubcli-archive-keyring-gpg.list
+        shell: bash
+
+  apt_sources_inline_restore:
+    needs: apt_sources_inline_install
+    runs-on: ubuntu-latest
+    name: "apt-sources with inline deb line - restore."
+    steps:
+      - uses: actions/checkout@v4
+      - name: Execute
+        id: execute
+        uses: ./
+        with:
+          packages: gh
+          apt-sources: |
+            https://cli.github.com/packages/githubcli-archive-keyring.gpg | deb [arch=amd64] https://cli.github.com/packages stable main
+          version: ${{ github.run_id }}-${{ github.run_attempt }}-apt_sources_inline
+          debug: ${{ env.DEBUG }}
+      - name: Verify
+        if: steps.execute.outputs.cache-hit != 'true'
+        run: |
+          echo "cache-hit = ${{ steps.execute.outputs.cache-hit }}"
+          exit 1
+        shell: bash
+
+  apt_sources_cache_key_changes:
+    runs-on: ubuntu-latest
+    name: "apt-sources changes invalidate cache."
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install with one source
+        id: install1
+        uses: ./
+        with:
+          packages: xdot
+          apt-sources: |
+            https://cli.github.com/packages/githubcli-archive-keyring.gpg | deb [arch=amd64] https://cli.github.com/packages stable main
+          version: ${{ github.run_id }}-${{ github.run_attempt }}-apt_sources_cache_key
+          debug: ${{ env.DEBUG }}
+      - name: Verify first install is cache miss
+        run: test "${{ steps.install1.outputs.cache-hit }}" = "false"
+        shell: bash
+
+  apt_sources_validation_missing_pipe:
+    runs-on: ubuntu-latest
+    name: "apt-sources rejects lines missing pipe separator."
+    steps:
+      - uses: actions/checkout@v4
+      - name: Execute
+        id: execute
+        uses: ./
+        with:
+          packages: xdot
+          apt-sources: |
+            https://example.com/key.gpg deb https://example.com/repo stable main
+          version: ${{ github.run_id }}-${{ github.run_attempt }}-apt_sources_no_pipe
+          debug: ${{ env.DEBUG }}
+        continue-on-error: true
+      - name: Verify
+        if: steps.execute.outcome != 'failure'
+        run: |
+          echo "Expected failure but got: ${{ steps.execute.outcome }}"
+          exit 1
+        shell: bash
+
+  apt_sources_validation_http_key:
+    runs-on: ubuntu-latest
+    name: "apt-sources rejects non-HTTPS key URLs."
+    steps:
+      - uses: actions/checkout@v4
+      - name: Execute
+        id: execute
+        uses: ./
+        with:
+          packages: xdot
+          apt-sources: |
+            http://example.com/key.gpg | deb https://example.com/repo stable main
+          version: ${{ github.run_id }}-${{ github.run_attempt }}-apt_sources_http_key
+          debug: ${{ env.DEBUG }}
+        continue-on-error: true
+      - name: Verify
+        if: steps.execute.outcome != 'failure'
+        run: |
+          echo "Expected failure but got: ${{ steps.execute.outcome }}"
+          exit 1
+        shell: bash
+
+  apt_sources_conflicting_source:
+    runs-on: ubuntu-latest
+    name: "apt-sources replaces conflicting pre-existing source."
+    steps:
+      - uses: actions/checkout@v4
+      - name: Pre-create conflicting source
+        run: |
+          # Simulate a runner that already has the GitHub CLI repo configured
+          # with a different keyring path (like NVIDIA runners have for CUDA).
+          echo "deb [arch=amd64 signed-by=/usr/share/keyrings/fake-old-keyring.gpg] https://cli.github.com/packages stable main" \
+            | sudo tee /etc/apt/sources.list.d/existing-gh-repo.list
+          # Create a dummy keyring file so the source looks legitimate.
+          sudo touch /usr/share/keyrings/fake-old-keyring.gpg
+        shell: bash
+      - name: Execute
+        id: execute
+        uses: ./
+        with:
+          packages: gh
+          apt-sources: |
+            https://cli.github.com/packages/githubcli-archive-keyring.gpg | deb [arch=amd64] https://cli.github.com/packages stable main
+          version: ${{ github.run_id }}-${{ github.run_attempt }}-apt_sources_conflict
+          debug: ${{ env.DEBUG }}
+      - name: Verify
+        run: |
+          # Action should succeed despite the pre-existing conflicting source.
+          test "${{ steps.execute.outputs.cache-hit }}" = "false"
+          echo "${{ steps.execute.outputs.package-version-list }}" | grep -q "gh="
+          # The conflicting source file should have been removed.
+          test ! -f /etc/apt/sources.list.d/existing-gh-repo.list
+          # Our source file should exist.
+          test -f /etc/apt/sources.list.d/cli-github-com-packages-githubcli-archive-keyring-gpg.list
+          # gh should be callable.
+          gh --version
+        shell: bash
+
+  apt_sources_force_update:
+    runs-on: ubuntu-latest
+    name: "apt-sources forces apt update even if lists are fresh."
+    steps:
+      - uses: actions/checkout@v4
+      - name: Freshen apt lists
+        run: |
+          # Ensure apt lists are fresh so the 5-minute staleness check would
+          # normally skip the update. The action should force update anyway
+          # because apt-sources is specified.
+          sudo apt-get update -qq
+        shell: bash
+      - name: Execute
+        id: execute
+        uses: ./
+        with:
+          packages: gh
+          apt-sources: |
+            https://cli.github.com/packages/githubcli-archive-keyring.gpg | deb [arch=amd64] https://cli.github.com/packages stable main
+          version: ${{ github.run_id }}-${{ github.run_attempt }}-apt_sources_force_update
+          debug: ${{ env.DEBUG }}
+      - name: Verify
+        run: |
+          test "${{ steps.execute.outputs.cache-hit }}" = "false"
+          echo "${{ steps.execute.outputs.package-version-list }}" | grep -q "gh="
+          gh --version
+        shell: bash