ci: Rotate Docker cache keys #1816

1. 
   hebasto commented at 10:36 pm on February 1, 2026: member

   This is an alternative to #1807 that avoids introducing a new workflow with the write permissions.

   Closes #1691.

   The 4-week rotation interval was chosen based on the following rationale:

   My thinking is that we may want to take only every fourth one. I assume this is still good enough to catch changes introduced by new compiler optimizations, and this is what we care about.

   We could just take the ISO week number mod 4. That results in an off-by-one error after every (rare) year with 53 ISO weeks, but ok, who cares… And if the cache is evicted for whatever other reason, we’ll also get the most recent snapshot, but also that seems acceptable.

   ---

   IMPORTANT NOTE: Due to a mere coincidence, LLVM apt signatures became rejected by Debian Trixie today. A commit containing a temporary workaround has been included to address this.

2. ci, docker: Fix LLVM repository signature failure

   The LLVM apt repository uses legacy SHA1 signatures which are now
   rejected by the stricter Sequoia PGP policy.
   
   This change extends the 'sha1.second_preimage_resistance' cutoff date to
   9999-01-01 in the default Sequoia config. This effectively whitelists
   the legacy signature algorithm, preventing "OpenPGP signature
   verification failed" errors during `apt-get update`.
   
   See https://github.com/llvm/llvm-project/issues/153385.

   0ffb1749a5
3. hebasto closed this on Feb 1, 2026

   ---

4. hebasto reopened this on Feb 1, 2026

   ---

5. in ci/linux-debian.Dockerfile:72 in 0ffb1749a5 outdated

   66@@ -67,6 +67,9 @@ RUN \
   67     wget -qO- https://apt.llvm.org/llvm-snapshot.gpg.key | tee /etc/apt/trusted.gpg.d/apt.llvm.org.asc && \
   68     # Add repository for this Debian release
   69     . /etc/os-release && echo "deb http://apt.llvm.org/${VERSION_CODENAME} llvm-toolchain-${VERSION_CODENAME} main" >> /etc/apt/sources.list && \
   70+    # Temporarily work around Sequoia PGP policy deadline for legacy repositories.
   71+    # See https://github.com/llvm/llvm-project/issues/153385.
   72+    sed -i 's/\(sha1\.second_preimage_resistance =\).*/\1 9999-01-01/' /usr/share/apt/default-sequoia.config && \
   

   ---

   ---

   

   real-or-random commented at 7:28 am on February 2, 2026:

   What a sad thing to commit in this repo…

   (Nothing to do here. I just wanted to point that out.)

6. 
   real-or-random commented at 7:57 am on February 2, 2026: contributor

   The pace of the rotation of cache keys is synchronized with the announcements of new GCC snapshots.

   I’m not sure if we should take every snapshot. If we take only some snapshots, this will reduce the number of times we need to deal with random GCC breakage.

   My thinking is that we may want to take only every fourth one. I assume this is still good enough to catch changes introduced by new compiler optimizations, and this is what we care about.

   We could just take the ISO week number mod 4. That results in an off-by-one error after every (rare) year with 53 ISO weeks, but ok, who cares… And if the cache is evicted for whatever other reason, we’ll also get the most recent snapshot, but also that seems acceptable.

7. real-or-random added the label ci on Feb 2, 2026
8. real-or-random added the label tweak/refactor on Feb 2, 2026
9. ci: Rotate Docker cache keys every 4 weeks

   This forces a periodic clean build to ensure we do not rely on stale
   cache layers indefinitely.

   2f18567d24
10. ci: Add weekly schedule 2ccff6eb73
11. hebasto force-pushed on Feb 2, 2026
12. 
    hebasto commented at 11:21 am on February 2, 2026: member

    The pace of the rotation of cache keys is synchronized with the announcements of new GCC snapshots.

    I’m not sure if we should take every snapshot. If we take only some snapshots, this will reduce the number of times we need to deal with random GCC breakage.

    My thinking is that we may want to take only every fourth one. I assume this is still good enough to catch changes introduced by new compiler optimizations, and this is what we care about.

    We could just take the ISO week number mod 4. That results in an off-by-one error after every (rare) year with 53 ISO weeks, but ok, who cares… And if the cache is evicted for whatever other reason, we’ll also get the most recent snapshot, but also that seems acceptable.

    Thanks! Reworked.

13. real-or-random approved
14. 
    real-or-random commented at 12:32 pm on February 2, 2026: contributor

    ACK 2ccff6eb73665b72cd4b2019a68f90ffcadad18c
15. hebasto renamed this:
    ci: Rotate Docker cache keys weekly
    ci: Rotate Docker cache keys
    on Feb 2, 2026
16. 
    real-or-random commented at 12:43 pm on February 2, 2026: contributor

    Let me merge this right now because it contains the LLVM workaround that fixes CI…

    We can always adjust or revert if there are further comments, or if people have other opinions on how often we should rotate.

17. real-or-random merged this on Feb 2, 2026
18. real-or-random closed this on Feb 2, 2026

    ---

19. fanquake referenced this in commit eac590217a on Feb 2, 2026
20. hebasto deleted the branch on Feb 2, 2026

Contributors
hebasto real-or-random

Labels
ci tweak/refactor