CI: install all apt deps from ghcr bundles, drop actions/cache apt-deps layer

.github/actions/install-apt-deps/action.yml

@@ -1,5 +1,5 @@
 name: 'Install apt dependencies'
-description: 'Install apt packages with retry logic and caching'
+description: 'Install apt packages with retry logic and an optional offline ghcr bundle'
 inputs:
   packages:
     description: 'Space-separated list of apt packages to install'
@@ -16,16 +16,12 @@ inputs:
     description: 'Pass --no-install-recommends to apt-get install'
     required: false
     default: 'false'
-  cache:
-    description: 'Cache apt archives (disable for dynamic package names)'
-    required: false
-    default: 'true'
   ghcr-debs-tag:
     description: >
       Tag of a prebuilt .deb bundle published to
       ghcr.io/<owner>/wolfssl-ci-debs by the ci-deps-image workflow
       (e.g. "ubuntu-24.04-minimal"). When set, the packages are installed
-      offline from that bundle and the apt cache path below is skipped; on
+      offline from that bundle and the apt path below is skipped; on
       that happy path the apt mirror is not contacted. The offline install
       is all-or-nothing (a single --no-download install of the whole set),
       so any failure - bundle missing, not public, or not covering every
@@ -39,7 +35,7 @@ runs:
     # Preferred path: install from a prebuilt .deb bundle pulled from ghcr,
     # entirely offline (--no-download), so a flaky/timing-out apt mirror
     # cannot break the build. Best-effort: on any failure we leave
-    # "satisfied" unset and the apt steps below run unchanged. The bundle
+    # "satisfied" unset and the apt step below runs unchanged. The bundle
     # image must be PUBLIC so anonymous `docker pull` works (including from
     # fork PRs whose GITHUB_TOKEN cannot read private packages).
     - name: Install from ghcr .deb bundle (offline)
@@ -77,40 +73,9 @@ runs:
           echo "::notice::offline install incomplete for $IMG; using apt"
         fi
 
-    - name: Compute cache key
-      if: inputs.cache == 'true' && steps.ghcr.outputs.satisfied != 'true'
-      id: cache-key
-      shell: bash
-      run: |
-        SORTED_PKGS=$(echo "${{ inputs.packages }}" | tr ' ' '\n' | sort -u | tr '\n' ' ')
-        PKG_HASH=$(echo "$SORTED_PKGS" | sha256sum | cut -d' ' -f1 | head -c 16)
-        OS_VERSION=$(lsb_release -rs 2>/dev/null || echo "unknown")
-        echo "key=apt-deps-${{ runner.os }}-${{ runner.arch }}-${OS_VERSION}-${PKG_HASH}" >> $GITHUB_OUTPUT
-        echo "restore-key=apt-deps-${{ runner.os }}-${{ runner.arch }}-${OS_VERSION}-" >> $GITHUB_OUTPUT
-
-    - name: Restore apt cache
-      if: inputs.cache == 'true' && steps.ghcr.outputs.satisfied != 'true'
-      id: apt-cache
-      uses: actions/cache/restore@v5
-      with:
-        path: ~/apt-cache
-        key: ${{ steps.cache-key.outputs.key }}
-        restore-keys: ${{ steps.cache-key.outputs.restore-key }}
-
-    - name: Pre-seed apt archives from cache
-      if: inputs.cache == 'true' && steps.apt-cache.outputs.cache-hit == 'true' && steps.ghcr.outputs.satisfied != 'true'
-      shell: bash
-      run: |
-        if [ -d ~/apt-cache ] && ls ~/apt-cache/*.deb >/dev/null 2>&1; then
-          sudo cp ~/apt-cache/*.deb /var/cache/apt/archives/
-          echo "Restored $(ls ~/apt-cache/*.deb | wc -l) cached .deb files"
-        fi
-
     - name: Install packages
       if: steps.ghcr.outputs.satisfied != 'true'
       shell: bash
-      env:
-        APT_CACHE_HIT: ${{ steps.apt-cache.outputs.cache-hit }}
       run: |
         export DEBIAN_FRONTEND=noninteractive
         RETRIES=${{ inputs.retries }}
@@ -120,17 +85,6 @@ runs:
           NO_REC="--no-install-recommends"
         fi
 
-        # Fast path: on cache hit the .debs are already pre-seeded into
-        # /var/cache/apt/archives. Try installing directly first; if that
-        # fails (e.g. the cached .debs were superseded in the index) fall
-        # through to the regular update + install path.
-        if [ "$APT_CACHE_HIT" = "true" ]; then
-          if sudo apt-get install -y $NO_REC ${{ inputs.packages }}; then
-            exit 0
-          fi
-          echo "::warning::install from cached .debs failed, falling back to apt-get update"
-        fi
-
         for i in $(seq 1 $RETRIES); do
           if sudo apt-get update -q && \
              sudo apt-get install -y $NO_REC ${{ inputs.packages }}; then
@@ -144,21 +98,3 @@ runs:
           sleep $DELAY
           DELAY=$((DELAY * 2))
         done
-
-    # PR runs never write the apt cache (no churn); only push/schedule runs
-    # refresh it. The make-check family does not need it anyway - it installs
-    # from the ghcr bundle above.
-    - name: Collect .deb files for cache
-      if: inputs.cache == 'true' && github.event_name != 'pull_request' && steps.apt-cache.outputs.cache-hit != 'true' && steps.ghcr.outputs.satisfied != 'true'
-      shell: bash
-      run: |
-        mkdir -p ~/apt-cache
-        cp /var/cache/apt/archives/*.deb ~/apt-cache/ 2>/dev/null || true
-        echo "Cached $(ls ~/apt-cache/*.deb 2>/dev/null | wc -l) .deb files"
-
-    - name: Save apt cache
-      if: inputs.cache == 'true' && github.event_name != 'pull_request' && steps.apt-cache.outputs.cache-hit != 'true' && steps.ghcr.outputs.satisfied != 'true'
-      uses: actions/cache/save@v5
-      with:
-        path: ~/apt-cache
-        key: ${{ steps.cache-key.outputs.key }}

.github/ci-deps/packages-ubuntu-22.04-full.txt

@@ -4,6 +4,7 @@
 # Keep sorted; add a package when an interop workflow adds one.
 autoconf
 automake
+binutils-dev
 bison
 bridge-utils
 build-essential
@@ -17,6 +18,7 @@ crossbuild-essential-arm64
 crossbuild-essential-armel
 crossbuild-essential-armhf
 crossbuild-essential-riscv64
+curl
 device-tree-compiler
 dfu-util
 diffstat
@@ -39,12 +41,19 @@ help2man
 iproute2
 lcov
 libcairo2-dev
+libcurl4-openssl-dev
+libdbus-1-dev
 libglib2.0-dev
 libgtk2.0-0
+libiberty-dev
 liblocale-gettext-perl
 libmagic1
 libncurses5-dev
+libnl-3-dev
+libnl-genl-3-dev
+libnl-route-3-dev
 libpcap-dev
+libpcap0.8
 libpopt0
 libsdl1.2-dev
 libsdl2-dev
@@ -63,6 +72,7 @@ python-is-python3
 python3-dev
 python3-pip
 python3-ply
+python3-pycryptodome
 python3-setuptools
 python3-tk
 python3-wheel
@@ -73,6 +83,7 @@ socat
 srecord
 sudo
 texinfo
+tshark
 uml-utilities
 unzip
 wget

.github/ci-deps/packages-ubuntu-24.04-embedded.txt

@@ -0,0 +1,15 @@
+# membrowse embedded-target apt packages for ubuntu-24.04 (the
+# '-embedded' bundle: ghcr.io/<owner>/wolfssl-ci-debs:ubuntu-24.04-embedded).
+# Kept separate from -full because the ARM cross-toolchain is large (~0.5 GB)
+# and unrelated to the interop workflows that pull -full. Keep sorted.
+build-essential
+ca-certificates
+cmake
+gcc-arm-none-eabi
+git
+libnewlib-arm-none-eabi
+libstdc++-arm-none-eabi-newlib
+ninja-build
+python3
+unzip
+wget

.github/ci-deps/packages-ubuntu-24.04-full.txt

@@ -8,6 +8,7 @@ autoconf
 autoconf-archive
 automake
 autopoint
+bc
 bubblewrap
 build-essential
 ccache
@@ -51,6 +52,8 @@ libidn2-dev
 libio-socket-ssl-perl
 libjansson-dev
 libkrb5-dev
+libldb-dev
+libldb2
 liblz4-dev
 liblzma-dev
 liblzo2-dev
@@ -87,6 +90,7 @@ pkgconf
 psmisc
 python3-docutils
 python3-impacket
+python3-ldb
 python3-psutil
 shellcheck
 uuid-dev