feat: Add apt-sources parameter for GPG-signed third-party repositories

The existing add-repository parameter only supports apt-add-repository
(PPAs and simple repo formats). Many third-party repos (NVIDIA, Docker,
GitHub CLI, etc.) require downloading a GPG signing key and adding a
sources list entry with signed-by= referencing that keyring.

The new apt-sources input accepts multi-line entries in the format:
  key_url | source_spec

Features:
- Downloads GPG keys, auto-detects armored vs binary format
- Supports both URL-based source files and inline deb lines
- Auto-detects deb822 (.sources) vs traditional (.list) format
- Injects signed-by= into source entries when not already present
- Removes conflicting pre-existing source files that reference the
  same repo URL with a different keyring path
- Includes apt-sources content in cache key hash
- Validates HTTPS-only key URLs and proper line format
- Forces apt update when apt-sources is specified (bypasses staleness check)

Co-developed-by: Claude Code v2.1.58 (claude-opus-4-6)

README.md

@@ -37,6 +37,7 @@ There are three kinds of version labels you can use.
 - `execute_install_scripts` - Execute Debian package pre and post install script upon restore. See [Caveats / Non-file Dependencies](#non-file-dependencies) for more information.
 - `empty_packages_behavior` - Desired behavior when the given `packages` is empty. `'error'` (default), `'warn'` or `'ignore'`.
 - `add-repository` - Space delimited list of repositories to add via `apt-add-repository` before installing packages. Supports PPA (e.g., `ppa:user/repo`) and other repository formats.
+- `apt-sources` - Multi-line list of GPG-signed third-party repository sources. Each line has the format `key_url | source_spec` where `key_url` is an HTTPS URL to a GPG signing key and `source_spec` is either a URL to a `.list` file or an inline `deb` line. See [Using with Signed Third-party Repositories](#using-with-signed-third-party-repositories).
 
 ### Outputs
 
@@ -121,6 +122,61 @@ install_from_multiple_repos:
         version: 1.0
 ```
 
+### Using with Signed Third-party Repositories
+
+Many third-party repositories (Docker, NVIDIA, GitHub CLI, etc.) require a GPG signing key and a `signed-by=` source entry. The `apt-sources` parameter handles this two-step setup automatically.
+
+Each line in `apt-sources` has the format:
+```
+key_url | source_spec
+```
+
+- `key_url` — HTTPS URL to the GPG signing key (will be dearmored and saved to `/usr/share/keyrings/`). Both ASCII-armored and binary keys are supported.
+- `source_spec` — Either a URL to a source file (downloaded and `signed-by` injected) or an inline `deb` line. Both traditional `.list` format and modern deb822 `.sources` format are auto-detected and handled.
+
+```yaml
+# NVIDIA Container Toolkit (source spec is a URL to a .list file)
+install_nvidia_toolkit:
+  runs-on: ubuntu-latest
+  steps:
+    - uses: actions/checkout@v4
+    - uses: awalsh128/cache-apt-pkgs-action@latest
+      with:
+        packages: nvidia-container-toolkit
+        apt-sources: |
+          https://nvidia.github.io/libnvidia-container/gpgkey | https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list
+        version: 1.0
+```
+
+```yaml
+# Docker CE (inline deb line)
+install_docker:
+  runs-on: ubuntu-latest
+  steps:
+    - uses: actions/checkout@v4
+    - uses: awalsh128/cache-apt-pkgs-action@latest
+      with:
+        packages: docker-ce docker-ce-cli
+        apt-sources: |
+          https://download.docker.com/linux/ubuntu/gpg | deb [arch=amd64] https://download.docker.com/linux/ubuntu jammy stable
+        version: 1.0
+```
+
+```yaml
+# Multiple signed sources
+install_multiple:
+  runs-on: ubuntu-latest
+  steps:
+    - uses: actions/checkout@v4
+    - uses: awalsh128/cache-apt-pkgs-action@latest
+      with:
+        packages: nvidia-container-toolkit docker-ce
+        apt-sources: |
+          https://nvidia.github.io/libnvidia-container/gpgkey | https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list
+          https://download.docker.com/linux/ubuntu/gpg | deb [arch=amd64] https://download.docker.com/linux/ubuntu jammy stable
+        version: 1.0
+```
+
 ## Caveats
 
 ### Non-file Dependencies

action.yml

@@ -39,6 +39,14 @@ inputs:
     description: 'Space delimited list of repositories to add via apt-add-repository before installing packages. Supports PPA (ppa:user/repo) and other repository formats.'
     required: false
     default: ''
+  apt-sources:
+    description: >
+      Multi-line list of GPG-signed third-party repository sources. Each line has the format:
+      key_url | source_spec
+      Where key_url is an HTTPS URL to a GPG signing key, and source_spec is either a URL to
+      a .list file or an inline deb line (e.g. "deb [arch=amd64] https://example.com/repo distro main").
+    required: false
+    default: ''
 
 outputs:
   cache-hit:
@@ -64,6 +72,7 @@ runs:
           "$EXEC_INSTALL_SCRIPTS" \
           "$DEBUG" \
           "$ADD_REPOSITORY" \
+          "$APT_SOURCES" \
           "$PACKAGES"
         if [ -f ~/cache-apt-pkgs/cache_key.md5 ]; then
           echo "CACHE_KEY=$(cat ~/cache-apt-pkgs/cache_key.md5)" >> $GITHUB_ENV
@@ -77,6 +86,7 @@ runs:
          EMPTY_PACKAGES_BEHAVIOR: "${{ inputs.empty_packages_behavior }}"
          DEBUG: "${{ inputs.debug }}"
          ADD_REPOSITORY: "${{ inputs.add-repository }}"
+         APT_SOURCES: "${{ inputs.apt-sources }}"
          PACKAGES: "${{ inputs.packages }}"
 
     - id: load-cache
@@ -96,6 +106,7 @@ runs:
           "$EXEC_INSTALL_SCRIPTS" \
           "$DEBUG" \
           "$ADD_REPOSITORY" \
+          "$APT_SOURCES" \
           "$PACKAGES"
         function create_list { local list=$(cat ~/cache-apt-pkgs/manifest_${1}.log | tr '\n' ','); echo ${list:0:-1}; };
         echo "package-version-list=$(create_list main)" >> $GITHUB_OUTPUT
@@ -106,6 +117,7 @@ runs:
          EXEC_INSTALL_SCRIPTS: "${{ inputs.execute_install_scripts }}"
          DEBUG: "${{ inputs.debug }}"
          ADD_REPOSITORY: "${{ inputs.add-repository }}"
+         APT_SOURCES: "${{ inputs.apt-sources }}"
          PACKAGES: "${{ inputs.packages }}"
 
     - id: upload-logs

install_and_cache_pkgs.sh

@@ -18,8 +18,11 @@ cache_dir="${1}"
 # Repositories to add before installing packages.
 add_repository="${3}"
 
+# GPG-signed third-party repository sources.
+apt_sources="${4}"
+
 # List of the packages to use.
-input_packages="${@:4}"
+input_packages="${@:5}"
 
 if ! apt-fast --version > /dev/null 2>&1; then
   log "Installing apt-fast for optimized installs..."
@@ -41,8 +44,13 @@ if [ -n "${add_repository}" ]; then
   log_empty_line
 fi
 
+# Set up GPG-signed third-party apt sources if specified
+setup_apt_sources "${apt_sources}"
+
 log "Updating APT package list..."
-if [[ -z "$(find -H /var/lib/apt/lists -maxdepth 0 -mmin -5)" ]]; then
+# Force update when custom sources were added — the staleness check only
+# reflects the last update, which may predate the newly added repos.
+if [ -n "${apt_sources}" ] || [ -n "${add_repository}" ] || [[ -z "$(find -H /var/lib/apt/lists -maxdepth 0 -mmin -5)" ]]; then
   sudo apt-fast update > /dev/null
   log "done"
 else

lib.sh

@@ -135,6 +135,257 @@ function get_tar_relpath {
   fi
 }
 
+###############################################################################
+# Injects signed-by into a deb line if not already present.
+# Arguments:
+#   The deb line to process.
+#   The keyring filepath to reference.
+# Returns:
+#   The deb line with signed-by injected.
+###############################################################################
+function inject_signed_by {
+  local line="${1}"
+  local keyring="${2}"
+
+  # Already has signed-by, return unchanged.
+  if echo "${line}" | grep -q 'signed-by='; then
+    echo "${line}"
+    return
+  fi
+
+  # Match deb or deb-src lines with existing options bracket.
+  # e.g. "deb [arch=amd64] https://..." -> "deb [arch=amd64 signed-by=...] https://..."
+  if echo "${line}" | grep -qE '^deb(-src)?\s+\['; then
+    echo "${line}" | sed -E "s|^(deb(-src)?)\s+\[([^]]*)\]|\1 [\3 signed-by=${keyring}]|"
+    return
+  fi
+
+  # Match deb or deb-src lines without options bracket.
+  # e.g. "deb https://..." -> "deb [signed-by=...] https://..."
+  if echo "${line}" | grep -qE '^deb(-src)?\s+'; then
+    echo "${line}" | sed -E "s|^(deb(-src)?)\s+|\1 [signed-by=${keyring}] |"
+    return
+  fi
+
+  # Not a deb line, return unchanged.
+  echo "${line}"
+}
+
+###############################################################################
+# Injects Signed-By into deb822-format (.sources) content if not already
+# present. deb822 uses multi-line key-value blocks separated by blank lines.
+# Arguments:
+#   The full deb822 content string.
+#   The keyring filepath to reference.
+# Returns:
+#   The content with Signed-By injected into each block that lacks it.
+###############################################################################
+function inject_signed_by_deb822 {
+  local content="${1}"
+  local keyring="${2}"
+
+  # If Signed-By already present anywhere, return unchanged.
+  if echo "${content}" | grep -qi '^Signed-By:'; then
+    echo "${content}"
+    return
+  fi
+
+  # Insert Signed-By after the Types: line in each block.
+  echo "${content}" | sed "/^Types:/a\\
+Signed-By: ${keyring}
+"
+}
+
+###############################################################################
+# Detects whether content is in deb822 format (.sources) or traditional
+# one-line format (.list).
+# Arguments:
+#   The source file content.
+# Returns:
+#   Exit code 0 if deb822, 1 if traditional.
+###############################################################################
+function is_deb822_format {
+  echo "${1}" | grep -qE '^Types:\s+'
+}
+
+###############################################################################
+# Derives a keyring name from a URL.
+# Arguments:
+#   URL to derive name from.
+# Returns:
+#   A sanitized name suitable for a keyring filename (without extension).
+###############################################################################
+function derive_keyring_name {
+  local url="${1}"
+  # Use full URL (minus scheme) with non-alphanumeric chars replaced by hyphens.
+  # This avoids collisions when two keys share a domain but differ in path.
+  echo "${url}" | sed -E 's|https?://||; s|[/.]+|-|g; s|-+$||'
+}
+
+###############################################################################
+# Extracts the repo URL from a deb line, stripping the deb prefix and options.
+# Arguments:
+#   A deb or deb-src line.
+# Returns:
+#   The repo URL (first URL after stripping prefix and options bracket).
+###############################################################################
+function extract_repo_url {
+  echo "${1}" | sed -E 's/^deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?//' | awk '{print $1}'
+}
+
+###############################################################################
+# Removes existing apt source files that reference the same repo URL.
+# This prevents "Conflicting values set for option Signed-By" errors when
+# the runner already has a source configured (e.g., NVIDIA CUDA repo on
+# GPU runners) and we add a new source with a different keyring path.
+# Arguments:
+#   The repo URL to check for conflicts.
+#   The file path we're about to write (excluded from removal).
+###############################################################################
+function remove_conflicting_sources {
+  local repo_url="${1}"
+  local our_list_path="${2}"
+
+  # Nothing to check if repo_url is empty.
+  if [ -z "${repo_url}" ]; then
+    return
+  fi
+
+  for src_file in /etc/apt/sources.list.d/*.list /etc/apt/sources.list.d/*.sources; do
+    # Skip if glob didn't match any files.
+    test -f "${src_file}" || continue
+    # Skip our own file.
+    test "${src_file}" = "${our_list_path}" && continue
+    # Check if this file references the same repo URL (fixed-string match).
+    if grep -qF "${repo_url}" "${src_file}" 2>/dev/null; then
+      log "  Removing conflicting source: ${src_file}"
+      sudo rm -f "${src_file}"
+    fi
+  done
+}
+
+###############################################################################
+# Sets up GPG-signed third-party apt sources.
+# Arguments:
+#   Multi-line string where each line is: key_url | source_spec
+# Returns:
+#   Log lines from setup.
+###############################################################################
+function setup_apt_sources {
+  local apt_sources="${1}"
+
+  if [ -z "${apt_sources}" ]; then
+    return
+  fi
+
+  log "Setting up GPG-signed apt sources..."
+
+  while IFS= read -r line; do
+    # Skip empty lines.
+    if [ -z "$(echo "${line}" | tr -d '[:space:]')" ]; then
+      continue
+    fi
+
+    # Split on pipe separator, trim whitespace with sed instead of xargs.
+    local key_url=$(echo "${line}" | cut -d'|' -f1 | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+    local source_spec=$(echo "${line}" | cut -d'|' -f2- | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+
+    if [ -z "${key_url}" ] || [ -z "${source_spec}" ]; then
+      log_err "Invalid apt-sources line (missing key_url or source_spec): ${line}"
+      exit 7
+    fi
+
+    local keyring_name=$(derive_keyring_name "${key_url}")
+    local keyring_path="/usr/share/keyrings/${keyring_name}.gpg"
+
+    # Download GPG key to temp file, then detect format and convert if needed.
+    log "- Downloading GPG key from ${key_url}..."
+    local tmpkey=$(mktemp)
+    if ! curl -fsSL "${key_url}" -o "${tmpkey}"; then
+      log_err "Failed to download GPG key from ${key_url}"
+      rm -f "${tmpkey}"
+      exit 7
+    fi
+
+    # Detect if key is ASCII-armored or already binary.
+    # "PGP public key block" = ASCII-armored, needs dearmoring.
+    # "PGP/GPG key public ring" or other = already binary, copy directly.
+    if file "${tmpkey}" | grep -qi 'PGP public key block$'; then
+      # ASCII-armored key, dearmor it.
+      if ! sudo gpg --batch --yes --dearmor -o "${keyring_path}" < "${tmpkey}"; then
+        log_err "Failed to dearmor GPG key from ${key_url}"
+        rm -f "${tmpkey}"
+        exit 7
+      fi
+    else
+      # Already in binary format, copy directly.
+      sudo cp "${tmpkey}" "${keyring_path}"
+    fi
+    rm -f "${tmpkey}"
+    log "  Keyring saved to ${keyring_path}"
+
+    # Determine if source_spec is a URL (download source file) or inline deb line.
+    if echo "${source_spec}" | grep -qE '^https?://'; then
+      # Source spec is a URL to a source file - download it.
+      local list_name="${keyring_name}"
+      log "- Downloading source list from ${source_spec}..."
+      local list_content
+      if ! list_content=$(curl -fsSL "${source_spec}"); then
+        log_err "Failed to download source list from ${source_spec}"
+        exit 7
+      fi
+
+      if is_deb822_format "${list_content}"; then
+        # deb822 format (.sources file) - inject Signed-By as a field.
+        local list_path="/etc/apt/sources.list.d/${list_name}.sources"
+        # Remove any existing source files that reference the same repo URLs
+        # to prevent signed-by conflicts.
+        local repo_urls=$(echo "${list_content}" | grep -i '^URIs:' | sed 's/^URIs:[[:space:]]*//')
+        for url in ${repo_urls}; do
+          remove_conflicting_sources "${url}" "${list_path}"
+        done
+        local processed_content=$(inject_signed_by_deb822 "${list_content}" "${keyring_path}")
+        echo "${processed_content}" | sudo tee "${list_path}" > /dev/null
+        log "  Source list (deb822) written to ${list_path}"
+      else
+        # Traditional one-line format (.list file) - inject signed-by per line.
+        local list_path="/etc/apt/sources.list.d/${list_name}.list"
+        # Remove conflicting sources for each deb line's repo URL.
+        while IFS= read -r deb_line; do
+          if echo "${deb_line}" | grep -qE '^deb(-src)?[[:space:]]+'; then
+            local repo_url=$(extract_repo_url "${deb_line}")
+            remove_conflicting_sources "${repo_url}" "${list_path}"
+          fi
+        done <<< "${list_content}"
+        local processed_content=""
+        while IFS= read -r deb_line; do
+          if [ -n "${deb_line}" ]; then
+            processed_content="${processed_content}$(inject_signed_by "${deb_line}" "${keyring_path}")
+"
+          fi
+        done <<< "${list_content}"
+        echo "${processed_content}" | sudo tee "${list_path}" > /dev/null
+        log "  Source list written to ${list_path}"
+      fi
+
+    else
+      # Source spec is an inline deb line.
+      local list_name="${keyring_name}"
+      local list_path="/etc/apt/sources.list.d/${list_name}.list"
+      # Remove any existing source files that reference the same repo URL.
+      local repo_url=$(extract_repo_url "${source_spec}")
+      remove_conflicting_sources "${repo_url}" "${list_path}"
+      local processed_line=$(inject_signed_by "${source_spec}" "${keyring_path}")
+      echo "${processed_line}" | sudo tee "${list_path}" > /dev/null
+      log "- Inline source written to ${list_path}"
+    fi
+
+  done <<< "${apt_sources}"
+
+  log "done"
+  log_empty_line
+}
+
 function log { echo "${@}"; }
 function log_err { >&2 echo "${@}"; }
 

post_cache_action.sh

@@ -28,13 +28,16 @@ test "${debug}" = "true" && set -x
 # Repositories to add before installing packages.
 add_repository="${6}"
 
+# GPG-signed third-party repository sources.
+apt_sources="${7}"
+
 # List of the packages to use.
-packages="${@:7}"
+packages="${@:8}"
 
 if test "${cache_hit}" = "true"; then
   ${script_dir}/restore_pkgs.sh "${cache_dir}" "${cache_restore_root}" "${execute_install_scripts}" "${debug}"
 else
-  ${script_dir}/install_and_cache_pkgs.sh "${cache_dir}" "${debug}" "${add_repository}" ${packages}
+  ${script_dir}/install_and_cache_pkgs.sh "${cache_dir}" "${debug}" "${add_repository}" "${apt_sources}" ${packages}
 fi
 
 log_empty_line

pre_cache_action.sh

@@ -27,8 +27,11 @@ debug="${4}"
 # Repositories to add before installing packages.
 add_repository="${5}"
 
+# GPG-signed third-party repository sources.
+apt_sources="${6}"
+
 # List of the packages to use.
-input_packages="${@:6}"
+input_packages="${@:7}"
 
 # Trim commas, excess spaces, and sort.
 log "Normalizing package list..."
@@ -80,6 +83,32 @@ if [ -n "${add_repository}" ]; then
   log "done"
 fi
 
+# Validate apt-sources parameter
+if [ -n "${apt_sources}" ]; then
+  log "Validating apt-sources parameter..."
+  while IFS= read -r line; do
+    # Skip empty lines.
+    if [ -z "$(echo "${line}" | tr -d '[:space:]')" ]; then
+      continue
+    fi
+    # Each line must contain a pipe separator.
+    if ! echo "${line}" | grep -q '|'; then
+      log "aborted"
+      log "apt-sources line missing '|' separator: ${line}" >&2
+      log "Expected format: key_url | source_spec" >&2
+      exit 7
+    fi
+    # Key URL must start with https://
+    key_url_check=$(echo "${line}" | cut -d'|' -f1 | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
+    if ! echo "${key_url_check}" | grep -qE '^https://'; then
+      log "aborted"
+      log "apt-sources key URL must start with https:// but got: ${key_url_check}" >&2
+      exit 7
+    fi
+  done <<< "${apt_sources}"
+  log "done"
+fi
+
 log "done"
 
 log_empty_line
@@ -105,6 +134,13 @@ if [ -n "${add_repository}" ]; then
   log "- Repositories '${add_repository}' added to value."
 fi
 
+# Include apt-sources in cache key (normalize to single line for stable hashing)
+if [ -n "${apt_sources}" ]; then
+  normalized_sources=$(echo "${apt_sources}" | sed '/^[[:space:]]*$/d' | sort | tr '\n' '|')
+  value="${value} apt-sources:${normalized_sources}"
+  log "- Apt sources added to value."
+fi
+
 # Don't invalidate existing caches for the standard Ubuntu runners
 if [ "${cpu_arch}" != "x86_64" ]; then
   value="${value} ${cpu_arch}"