CI: address Skoll review (reseed coverage, ghcr owner, restore key)

- os-check.yml linux shard: add a schedule-gated CCACHE_RECACHE=1 step so
  the weekday seed reseeds from clean compiles rather than only accumulating
  deltas. This shard manages ccache directly (its own restore/save) and so
  was not covered by the ccache-setup composite's reseed.
- install-apt-deps: hardcode the ghcr bundle owner to wolfssl. The bundle is
  only published under ghcr.io/wolfssl by ci-deps-image, so fork PRs now read
  the public upstream image instead of a nonexistent ghcr.io/<fork>/wolfssl-ci-debs.
- ccache-setup: document that the read-only restore key reuses the save
  key shape for symmetry and is never an exact hit by design.

Skoll F3 (a packages-subset-of-bundle CI guard) is deferred to a follow-up;
F4 (release-branch ccache saves) is left as the intended seed-on-schedule /
everything-else-reads model.

Author: julek-wolfssl

.github/actions/ccache-setup/action.yml

@@ -72,6 +72,9 @@ runs:
       uses: actions/cache/restore@v4
       with:
         path: ~/.ccache
+        # Same key shape as the save branch, for symmetry. This branch never
+        # saves, so the run_id/run_attempt primary key is never an exact hit -
+        # the restore-keys below always supply the most recent seeded cache.
         key: ccache-${{ inputs.workflow-id }}-${{ runner.os }}-${{ runner.arch }}-${{ inputs.config-hash }}-${{ github.run_id }}-${{ github.run_attempt }}
         restore-keys: |
           ccache-${{ inputs.workflow-id }}-${{ runner.os }}-${{ runner.arch }}-${{ inputs.config-hash }}-

.github/actions/install-apt-deps/action.yml

@@ -49,8 +49,11 @@ runs:
       run: |
         set -u
         command -v docker >/dev/null 2>&1 || { echo "::notice::docker unavailable; using apt"; exit 0; }
-        OWNER=$(echo "${{ github.repository_owner }}" | tr '[:upper:]' '[:lower:]')
-        IMG="ghcr.io/$OWNER/wolfssl-ci-debs:${{ inputs.ghcr-debs-tag }}"
+        # Hardcode the upstream owner: the bundle is only ever published under
+        # ghcr.io/wolfssl by ci-deps-image (gated to the wolfssl org), so fork
+        # PRs read the public upstream image too rather than a nonexistent
+        # ghcr.io/<fork>/wolfssl-ci-debs.
+        IMG="ghcr.io/wolfssl/wolfssl-ci-debs:${{ inputs.ghcr-debs-tag }}"
         if ! docker pull -q "$IMG" >/dev/null 2>&1; then
           echo "::notice::ghcr bundle $IMG unavailable; using apt"
           exit 0

.github/workflows/os-check.yml

@@ -105,6 +105,13 @@ jobs:
             os-check-linux-ccache-${{ matrix.shard }}-
             os-check-linux-ccache-
 
+      # On the weekday seed, force clean recompiles (CCACHE_RECACHE) so the
+      # saved master ccache is reseeded from scratch rather than only
+      # accumulating deltas. PR/push runs leave it unset and keep their warm hits.
+      - name: Force fresh compiles on scheduled reseed
+        if: github.event_name == 'schedule'
+        run: echo "CCACHE_RECACHE=1" >> "$GITHUB_ENV"
+
       - name: autogen
         run: |
           ccache -z