From d326e533e737b4b5d03dd303b84e5272855bd3cc Mon Sep 17 00:00:00 2001 From: Rob Taylor Date: Wed, 11 Mar 2026 02:49:13 +0000 Subject: [PATCH] feat: Add apt-sources parameter for GPG-signed third-party repositories The existing add-repository parameter only supports apt-add-repository (PPAs and simple repo formats). Many third-party repos (NVIDIA, Docker, GitHub CLI, etc.) require downloading a GPG signing key and adding a sources list entry with signed-by= referencing that keyring. The new apt-sources input accepts multi-line entries in the format: key_url | source_spec Features: - Downloads GPG keys, auto-detects armored vs binary format - Supports both URL-based source files and inline deb lines - Auto-detects deb822 (.sources) vs traditional (.list) format - Injects signed-by= into source entries when not already present - Removes conflicting pre-existing source files that reference the same repo URL with a different keyring path - Includes apt-sources content in cache key hash - Validates HTTPS-only key URLs and proper line format - Forces apt update when apt-sources is specified (bypasses staleness check) Co-developed-by: Claude Code v2.1.58 (claude-opus-4-6) --- README.md | 56 +++++++++ action.yml | 12 ++ install_and_cache_pkgs.sh | 12 +- lib.sh | 251 ++++++++++++++++++++++++++++++++++++++ post_cache_action.sh | 7 +- pre_cache_action.sh | 38 +++++- 6 files changed, 371 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index c0d1c3b..0fbee13 100644 --- a/README.md +++ b/README.md @@ -37,6 +37,7 @@ There are three kinds of version labels you can use. - `execute_install_scripts` - Execute Debian package pre and post install script upon restore. See [Caveats / Non-file Dependencies](#non-file-dependencies) for more information. - `empty_packages_behavior` - Desired behavior when the given `packages` is empty. `'error'` (default), `'warn'` or `'ignore'`. - `add-repository` - Space delimited list of repositories to add via `apt-add-repository` before installing packages. Supports PPA (e.g., `ppa:user/repo`) and other repository formats. +- `apt-sources` - Multi-line list of GPG-signed third-party repository sources. Each line has the format `key_url | source_spec` where `key_url` is an HTTPS URL to a GPG signing key and `source_spec` is either a URL to a `.list` file or an inline `deb` line. See [Using with Signed Third-party Repositories](#using-with-signed-third-party-repositories). ### Outputs @@ -121,6 +122,61 @@ install_from_multiple_repos: version: 1.0 ``` +### Using with Signed Third-party Repositories + +Many third-party repositories (Docker, NVIDIA, GitHub CLI, etc.) require a GPG signing key and a `signed-by=` source entry. The `apt-sources` parameter handles this two-step setup automatically. + +Each line in `apt-sources` has the format: +``` +key_url | source_spec +``` + +- `key_url` — HTTPS URL to the GPG signing key (will be dearmored and saved to `/usr/share/keyrings/`). Both ASCII-armored and binary keys are supported. +- `source_spec` — Either a URL to a source file (downloaded and `signed-by` injected) or an inline `deb` line. Both traditional `.list` format and modern deb822 `.sources` format are auto-detected and handled. + +```yaml +# NVIDIA Container Toolkit (source spec is a URL to a .list file) +install_nvidia_toolkit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: awalsh128/cache-apt-pkgs-action@latest + with: + packages: nvidia-container-toolkit + apt-sources: | + https://nvidia.github.io/libnvidia-container/gpgkey | https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list + version: 1.0 +``` + +```yaml +# Docker CE (inline deb line) +install_docker: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: awalsh128/cache-apt-pkgs-action@latest + with: + packages: docker-ce docker-ce-cli + apt-sources: | + https://download.docker.com/linux/ubuntu/gpg | deb [arch=amd64] https://download.docker.com/linux/ubuntu jammy stable + version: 1.0 +``` + +```yaml +# Multiple signed sources +install_multiple: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: awalsh128/cache-apt-pkgs-action@latest + with: + packages: nvidia-container-toolkit docker-ce + apt-sources: | + https://nvidia.github.io/libnvidia-container/gpgkey | https://nvidia.github.io/libnvidia-container/stable/deb/nvidia-container-toolkit.list + https://download.docker.com/linux/ubuntu/gpg | deb [arch=amd64] https://download.docker.com/linux/ubuntu jammy stable + version: 1.0 +``` + ## Caveats ### Non-file Dependencies diff --git a/action.yml b/action.yml index 4b30ff6..1d08181 100644 --- a/action.yml +++ b/action.yml @@ -39,6 +39,14 @@ inputs: description: 'Space delimited list of repositories to add via apt-add-repository before installing packages. Supports PPA (ppa:user/repo) and other repository formats.' required: false default: '' + apt-sources: + description: > + Multi-line list of GPG-signed third-party repository sources. Each line has the format: + key_url | source_spec + Where key_url is an HTTPS URL to a GPG signing key, and source_spec is either a URL to + a .list file or an inline deb line (e.g. "deb [arch=amd64] https://example.com/repo distro main"). + required: false + default: '' outputs: cache-hit: @@ -64,6 +72,7 @@ runs: "$EXEC_INSTALL_SCRIPTS" \ "$DEBUG" \ "$ADD_REPOSITORY" \ + "$APT_SOURCES" \ "$PACKAGES" if [ -f ~/cache-apt-pkgs/cache_key.md5 ]; then echo "CACHE_KEY=$(cat ~/cache-apt-pkgs/cache_key.md5)" >> $GITHUB_ENV @@ -77,6 +86,7 @@ runs: EMPTY_PACKAGES_BEHAVIOR: "${{ inputs.empty_packages_behavior }}" DEBUG: "${{ inputs.debug }}" ADD_REPOSITORY: "${{ inputs.add-repository }}" + APT_SOURCES: "${{ inputs.apt-sources }}" PACKAGES: "${{ inputs.packages }}" - id: load-cache @@ -96,6 +106,7 @@ runs: "$EXEC_INSTALL_SCRIPTS" \ "$DEBUG" \ "$ADD_REPOSITORY" \ + "$APT_SOURCES" \ "$PACKAGES" function create_list { local list=$(cat ~/cache-apt-pkgs/manifest_${1}.log | tr '\n' ','); echo ${list:0:-1}; }; echo "package-version-list=$(create_list main)" >> $GITHUB_OUTPUT @@ -106,6 +117,7 @@ runs: EXEC_INSTALL_SCRIPTS: "${{ inputs.execute_install_scripts }}" DEBUG: "${{ inputs.debug }}" ADD_REPOSITORY: "${{ inputs.add-repository }}" + APT_SOURCES: "${{ inputs.apt-sources }}" PACKAGES: "${{ inputs.packages }}" - id: upload-logs diff --git a/install_and_cache_pkgs.sh b/install_and_cache_pkgs.sh index 9c7742a..75bfe46 100755 --- a/install_and_cache_pkgs.sh +++ b/install_and_cache_pkgs.sh @@ -18,8 +18,11 @@ cache_dir="${1}" # Repositories to add before installing packages. add_repository="${3}" +# GPG-signed third-party repository sources. +apt_sources="${4}" + # List of the packages to use. -input_packages="${@:4}" +input_packages="${@:5}" if ! apt-fast --version > /dev/null 2>&1; then log "Installing apt-fast for optimized installs..." @@ -41,8 +44,13 @@ if [ -n "${add_repository}" ]; then log_empty_line fi +# Set up GPG-signed third-party apt sources if specified +setup_apt_sources "${apt_sources}" + log "Updating APT package list..." -if [[ -z "$(find -H /var/lib/apt/lists -maxdepth 0 -mmin -5)" ]]; then +# Force update when custom sources were added — the staleness check only +# reflects the last update, which may predate the newly added repos. +if [ -n "${apt_sources}" ] || [ -n "${add_repository}" ] || [[ -z "$(find -H /var/lib/apt/lists -maxdepth 0 -mmin -5)" ]]; then sudo apt-fast update > /dev/null log "done" else diff --git a/lib.sh b/lib.sh index b0cb54a..859fd91 100755 --- a/lib.sh +++ b/lib.sh @@ -135,6 +135,257 @@ function get_tar_relpath { fi } +############################################################################### +# Injects signed-by into a deb line if not already present. +# Arguments: +# The deb line to process. +# The keyring filepath to reference. +# Returns: +# The deb line with signed-by injected. +############################################################################### +function inject_signed_by { + local line="${1}" + local keyring="${2}" + + # Already has signed-by, return unchanged. + if echo "${line}" | grep -q 'signed-by='; then + echo "${line}" + return + fi + + # Match deb or deb-src lines with existing options bracket. + # e.g. "deb [arch=amd64] https://..." -> "deb [arch=amd64 signed-by=...] https://..." + if echo "${line}" | grep -qE '^deb(-src)?\s+\['; then + echo "${line}" | sed -E "s|^(deb(-src)?)\s+\[([^]]*)\]|\1 [\3 signed-by=${keyring}]|" + return + fi + + # Match deb or deb-src lines without options bracket. + # e.g. "deb https://..." -> "deb [signed-by=...] https://..." + if echo "${line}" | grep -qE '^deb(-src)?\s+'; then + echo "${line}" | sed -E "s|^(deb(-src)?)\s+|\1 [signed-by=${keyring}] |" + return + fi + + # Not a deb line, return unchanged. + echo "${line}" +} + +############################################################################### +# Injects Signed-By into deb822-format (.sources) content if not already +# present. deb822 uses multi-line key-value blocks separated by blank lines. +# Arguments: +# The full deb822 content string. +# The keyring filepath to reference. +# Returns: +# The content with Signed-By injected into each block that lacks it. +############################################################################### +function inject_signed_by_deb822 { + local content="${1}" + local keyring="${2}" + + # If Signed-By already present anywhere, return unchanged. + if echo "${content}" | grep -qi '^Signed-By:'; then + echo "${content}" + return + fi + + # Insert Signed-By after the Types: line in each block. + echo "${content}" | sed "/^Types:/a\\ +Signed-By: ${keyring} +" +} + +############################################################################### +# Detects whether content is in deb822 format (.sources) or traditional +# one-line format (.list). +# Arguments: +# The source file content. +# Returns: +# Exit code 0 if deb822, 1 if traditional. +############################################################################### +function is_deb822_format { + echo "${1}" | grep -qE '^Types:\s+' +} + +############################################################################### +# Derives a keyring name from a URL. +# Arguments: +# URL to derive name from. +# Returns: +# A sanitized name suitable for a keyring filename (without extension). +############################################################################### +function derive_keyring_name { + local url="${1}" + # Use full URL (minus scheme) with non-alphanumeric chars replaced by hyphens. + # This avoids collisions when two keys share a domain but differ in path. + echo "${url}" | sed -E 's|https?://||; s|[/.]+|-|g; s|-+$||' +} + +############################################################################### +# Extracts the repo URL from a deb line, stripping the deb prefix and options. +# Arguments: +# A deb or deb-src line. +# Returns: +# The repo URL (first URL after stripping prefix and options bracket). +############################################################################### +function extract_repo_url { + echo "${1}" | sed -E 's/^deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?//' | awk '{print $1}' +} + +############################################################################### +# Removes existing apt source files that reference the same repo URL. +# This prevents "Conflicting values set for option Signed-By" errors when +# the runner already has a source configured (e.g., NVIDIA CUDA repo on +# GPU runners) and we add a new source with a different keyring path. +# Arguments: +# The repo URL to check for conflicts. +# The file path we're about to write (excluded from removal). +############################################################################### +function remove_conflicting_sources { + local repo_url="${1}" + local our_list_path="${2}" + + # Nothing to check if repo_url is empty. + if [ -z "${repo_url}" ]; then + return + fi + + for src_file in /etc/apt/sources.list.d/*.list /etc/apt/sources.list.d/*.sources; do + # Skip if glob didn't match any files. + test -f "${src_file}" || continue + # Skip our own file. + test "${src_file}" = "${our_list_path}" && continue + # Check if this file references the same repo URL (fixed-string match). + if grep -qF "${repo_url}" "${src_file}" 2>/dev/null; then + log " Removing conflicting source: ${src_file}" + sudo rm -f "${src_file}" + fi + done +} + +############################################################################### +# Sets up GPG-signed third-party apt sources. +# Arguments: +# Multi-line string where each line is: key_url | source_spec +# Returns: +# Log lines from setup. +############################################################################### +function setup_apt_sources { + local apt_sources="${1}" + + if [ -z "${apt_sources}" ]; then + return + fi + + log "Setting up GPG-signed apt sources..." + + while IFS= read -r line; do + # Skip empty lines. + if [ -z "$(echo "${line}" | tr -d '[:space:]')" ]; then + continue + fi + + # Split on pipe separator, trim whitespace with sed instead of xargs. + local key_url=$(echo "${line}" | cut -d'|' -f1 | sed 's/^[[:space:]]*//;s/[[:space:]]*$//') + local source_spec=$(echo "${line}" | cut -d'|' -f2- | sed 's/^[[:space:]]*//;s/[[:space:]]*$//') + + if [ -z "${key_url}" ] || [ -z "${source_spec}" ]; then + log_err "Invalid apt-sources line (missing key_url or source_spec): ${line}" + exit 7 + fi + + local keyring_name=$(derive_keyring_name "${key_url}") + local keyring_path="/usr/share/keyrings/${keyring_name}.gpg" + + # Download GPG key to temp file, then detect format and convert if needed. + log "- Downloading GPG key from ${key_url}..." + local tmpkey=$(mktemp) + if ! curl -fsSL "${key_url}" -o "${tmpkey}"; then + log_err "Failed to download GPG key from ${key_url}" + rm -f "${tmpkey}" + exit 7 + fi + + # Detect if key is ASCII-armored or already binary. + # "PGP public key block" = ASCII-armored, needs dearmoring. + # "PGP/GPG key public ring" or other = already binary, copy directly. + if file "${tmpkey}" | grep -qi 'PGP public key block$'; then + # ASCII-armored key, dearmor it. + if ! sudo gpg --batch --yes --dearmor -o "${keyring_path}" < "${tmpkey}"; then + log_err "Failed to dearmor GPG key from ${key_url}" + rm -f "${tmpkey}" + exit 7 + fi + else + # Already in binary format, copy directly. + sudo cp "${tmpkey}" "${keyring_path}" + fi + rm -f "${tmpkey}" + log " Keyring saved to ${keyring_path}" + + # Determine if source_spec is a URL (download source file) or inline deb line. + if echo "${source_spec}" | grep -qE '^https?://'; then + # Source spec is a URL to a source file - download it. + local list_name="${keyring_name}" + log "- Downloading source list from ${source_spec}..." + local list_content + if ! list_content=$(curl -fsSL "${source_spec}"); then + log_err "Failed to download source list from ${source_spec}" + exit 7 + fi + + if is_deb822_format "${list_content}"; then + # deb822 format (.sources file) - inject Signed-By as a field. + local list_path="/etc/apt/sources.list.d/${list_name}.sources" + # Remove any existing source files that reference the same repo URLs + # to prevent signed-by conflicts. + local repo_urls=$(echo "${list_content}" | grep -i '^URIs:' | sed 's/^URIs:[[:space:]]*//') + for url in ${repo_urls}; do + remove_conflicting_sources "${url}" "${list_path}" + done + local processed_content=$(inject_signed_by_deb822 "${list_content}" "${keyring_path}") + echo "${processed_content}" | sudo tee "${list_path}" > /dev/null + log " Source list (deb822) written to ${list_path}" + else + # Traditional one-line format (.list file) - inject signed-by per line. + local list_path="/etc/apt/sources.list.d/${list_name}.list" + # Remove conflicting sources for each deb line's repo URL. + while IFS= read -r deb_line; do + if echo "${deb_line}" | grep -qE '^deb(-src)?[[:space:]]+'; then + local repo_url=$(extract_repo_url "${deb_line}") + remove_conflicting_sources "${repo_url}" "${list_path}" + fi + done <<< "${list_content}" + local processed_content="" + while IFS= read -r deb_line; do + if [ -n "${deb_line}" ]; then + processed_content="${processed_content}$(inject_signed_by "${deb_line}" "${keyring_path}") +" + fi + done <<< "${list_content}" + echo "${processed_content}" | sudo tee "${list_path}" > /dev/null + log " Source list written to ${list_path}" + fi + + else + # Source spec is an inline deb line. + local list_name="${keyring_name}" + local list_path="/etc/apt/sources.list.d/${list_name}.list" + # Remove any existing source files that reference the same repo URL. + local repo_url=$(extract_repo_url "${source_spec}") + remove_conflicting_sources "${repo_url}" "${list_path}" + local processed_line=$(inject_signed_by "${source_spec}" "${keyring_path}") + echo "${processed_line}" | sudo tee "${list_path}" > /dev/null + log "- Inline source written to ${list_path}" + fi + + done <<< "${apt_sources}" + + log "done" + log_empty_line +} + function log { echo "${@}"; } function log_err { >&2 echo "${@}"; } diff --git a/post_cache_action.sh b/post_cache_action.sh index a6a5689..7dfc369 100755 --- a/post_cache_action.sh +++ b/post_cache_action.sh @@ -28,13 +28,16 @@ test "${debug}" = "true" && set -x # Repositories to add before installing packages. add_repository="${6}" +# GPG-signed third-party repository sources. +apt_sources="${7}" + # List of the packages to use. -packages="${@:7}" +packages="${@:8}" if test "${cache_hit}" = "true"; then ${script_dir}/restore_pkgs.sh "${cache_dir}" "${cache_restore_root}" "${execute_install_scripts}" "${debug}" else - ${script_dir}/install_and_cache_pkgs.sh "${cache_dir}" "${debug}" "${add_repository}" ${packages} + ${script_dir}/install_and_cache_pkgs.sh "${cache_dir}" "${debug}" "${add_repository}" "${apt_sources}" ${packages} fi log_empty_line diff --git a/pre_cache_action.sh b/pre_cache_action.sh index 7c06450..e12eee6 100755 --- a/pre_cache_action.sh +++ b/pre_cache_action.sh @@ -27,8 +27,11 @@ debug="${4}" # Repositories to add before installing packages. add_repository="${5}" +# GPG-signed third-party repository sources. +apt_sources="${6}" + # List of the packages to use. -input_packages="${@:6}" +input_packages="${@:7}" # Trim commas, excess spaces, and sort. log "Normalizing package list..." @@ -80,6 +83,32 @@ if [ -n "${add_repository}" ]; then log "done" fi +# Validate apt-sources parameter +if [ -n "${apt_sources}" ]; then + log "Validating apt-sources parameter..." + while IFS= read -r line; do + # Skip empty lines. + if [ -z "$(echo "${line}" | tr -d '[:space:]')" ]; then + continue + fi + # Each line must contain a pipe separator. + if ! echo "${line}" | grep -q '|'; then + log "aborted" + log "apt-sources line missing '|' separator: ${line}" >&2 + log "Expected format: key_url | source_spec" >&2 + exit 7 + fi + # Key URL must start with https:// + key_url_check=$(echo "${line}" | cut -d'|' -f1 | sed 's/^[[:space:]]*//;s/[[:space:]]*$//') + if ! echo "${key_url_check}" | grep -qE '^https://'; then + log "aborted" + log "apt-sources key URL must start with https:// but got: ${key_url_check}" >&2 + exit 7 + fi + done <<< "${apt_sources}" + log "done" +fi + log "done" log_empty_line @@ -105,6 +134,13 @@ if [ -n "${add_repository}" ]; then log "- Repositories '${add_repository}' added to value." fi +# Include apt-sources in cache key (normalize to single line for stable hashing) +if [ -n "${apt_sources}" ]; then + normalized_sources=$(echo "${apt_sources}" | sed '/^[[:space:]]*$/d' | sort | tr '\n' '|') + value="${value} apt-sources:${normalized_sources}" + log "- Apt sources added to value." +fi + # Don't invalidate existing caches for the standard Ubuntu runners if [ "${cpu_arch}" != "x86_64" ]; then value="${value} ${cpu_arch}"