From 76f7787a7b3ff016674c0035f04891315be8084b Mon Sep 17 00:00:00 2001
From: Codex <codex@openai.com>
Date: Tue, 19 May 2026 18:22:36 +0200
Subject: [PATCH] Harden Linux release apt installs

---
 .github/workflows/release-publish.yml | 13 +++++++++++--
 .github/workflows/release-verify.yml  | 13 +++++++++++--
 2 files changed, 22 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release-publish.yml b/.github/workflows/release-publish.yml
index 2be2cb74..4b456120 100644
--- a/.github/workflows/release-publish.yml
+++ b/.github/workflows/release-publish.yml
@@ -150,8 +150,17 @@ jobs:
       - name: Install toolchain (linux)
         if: matrix.os == 'linux'
         run: |
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends \
+          sudo sed -i -E 's|http://ports.ubuntu.com/ubuntu-ports|https://ports.ubuntu.com/ubuntu-ports|g' /etc/apt/sources.list /etc/apt/sources.list.d/*.sources 2>/dev/null || true
+          sudo apt-get \
+            -o Acquire::Retries=5 \
+            -o Acquire::http::Timeout=30 \
+            -o Acquire::https::Timeout=30 \
+            update
+          sudo apt-get \
+            -o Acquire::Retries=5 \
+            -o Acquire::http::Timeout=30 \
+            -o Acquire::https::Timeout=30 \
+            install -y --no-install-recommends \
             automake build-essential clang curl git pkg-config unzip \
             musl-tools php-cli composer re2c bison
 
diff --git a/.github/workflows/release-verify.yml b/.github/workflows/release-verify.yml
index b82ca892..623754b3 100644
--- a/.github/workflows/release-verify.yml
+++ b/.github/workflows/release-verify.yml
@@ -127,8 +127,17 @@ jobs:
       - name: Install toolchain (linux)
         if: matrix.os == 'linux'
         run: |
-          sudo apt-get update
-          sudo apt-get install -y --no-install-recommends \
+          sudo sed -i -E 's|http://ports.ubuntu.com/ubuntu-ports|https://ports.ubuntu.com/ubuntu-ports|g' /etc/apt/sources.list /etc/apt/sources.list.d/*.sources 2>/dev/null || true
+          sudo apt-get \
+            -o Acquire::Retries=5 \
+            -o Acquire::http::Timeout=30 \
+            -o Acquire::https::Timeout=30 \
+            update
+          sudo apt-get \
+            -o Acquire::Retries=5 \
+            -o Acquire::http::Timeout=30 \
+            -o Acquire::https::Timeout=30 \
+            install -y --no-install-recommends \
             automake build-essential clang curl git pkg-config unzip \
             musl-tools php-cli composer re2c bison