diff options
author | Evgeny Vereshchagin <evvers@ya.ru> | 2021-12-26 01:11:00 +0000 |
---|---|---|
committer | Frantisek Sumsal <frantisek@sumsal.cz> | 2021-12-26 15:38:42 +0000 |
commit | bfa6bd1be098adc4710e1819b9cd34d65b3855da (patch) | |
tree | 3880a96fc230ca4d8b7e2c7688ea916fe7c9d546 /.github | |
parent | 04b457d8ef9c93be3b2048c6f545cdbcf1b893a1 (diff) | |
download | systemd-bfa6bd1be098adc4710e1819b9cd34d65b3855da.tar.gz |
ci: replace apt-key with signed-by
to limit the scope of the key to apt.llvm.org only.
This is mostly inspired by https://blog.cloudflare.com/dont-use-apt-key/
Diffstat (limited to '.github')
-rwxr-xr-x | .github/workflows/build_test.sh | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/.github/workflows/build_test.sh b/.github/workflows/build_test.sh index 713a413bf9..78bc35a43b 100755 --- a/.github/workflows/build_test.sh +++ b/.github/workflows/build_test.sh @@ -80,9 +80,10 @@ if [[ "$COMPILER" == clang ]]; then # llvm package if available in such cases to avoid that. if ! apt show --quiet "llvm-$COMPILER_VERSION" &>/dev/null; then # Latest LLVM stack deb packages provided by https://apt.llvm.org/ - # Following snippet was borrowed from https://apt.llvm.org/llvm.sh - wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - - add-apt-repository -y "deb http://apt.llvm.org/$RELEASE/ llvm-toolchain-$RELEASE-$COMPILER_VERSION main" + # Following snippet was partly borrowed from https://apt.llvm.org/llvm.sh + wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --yes --dearmor --output /usr/share/keyrings/apt-llvm-org.gpg + printf "deb [signed-by=/usr/share/keyrings/apt-llvm-org.gpg] http://apt.llvm.org/%s/ llvm-toolchain-%s-%s main\n" \ + "$RELEASE" "$RELEASE" "$COMPILER_VERSION" >/etc/apt/sources.list.d/llvm-toolchain.list PACKAGES+=("clang-$COMPILER_VERSION" "lldb-$COMPILER_VERSION" "lld-$COMPILER_VERSION" "clangd-$COMPILER_VERSION") fi elif [[ "$COMPILER" == gcc ]]; then |