From 84230ae4e3a10fccfb4750b832d2c70fe56df128 Mon Sep 17 00:00:00 2001
From: Evgeny Vereshchagin <evvers@ya.ru>
Date: Sun, 26 Dec 2021 01:11:00 +0000
Subject: [PATCH] ci: replace apt-key with signed-by

to limit the scope of the key to apt.llvm.org only.

This is mostly inspired by https://blog.cloudflare.com/dont-use-apt-key/

(cherry picked from commit bfa6bd1be098adc4710e1819b9cd34d65b3855da)
(cherry picked from commit c92297a20c13b7e15b0026b1f36ebe99d86cfce8)

Conflict:NA
Reference:https://github.com/systemd/systemd/commit/84230ae4e3a10fccfb4750b832d2c70fe56df128
---
 .github/workflows/build_test.sh | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build_test.sh b/.github/workflows/build_test.sh
index 10fa1ea9b0..db38554d97 100755
--- a/.github/workflows/build_test.sh
+++ b/.github/workflows/build_test.sh
@@ -77,9 +77,10 @@ if [[ "$COMPILER" == clang ]]; then
     # llvm package if available in such cases to avoid that.
     if ! apt show --quiet "llvm-$COMPILER_VERSION" &>/dev/null; then
         # Latest LLVM stack deb packages provided by https://apt.llvm.org/
-        # Following snippet was borrowed from https://apt.llvm.org/llvm.sh
-        wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
-        add-apt-repository -y "deb http://apt.llvm.org/$RELEASE/   llvm-toolchain-$RELEASE-$COMPILER_VERSION  main"
+        # Following snippet was partly borrowed from https://apt.llvm.org/llvm.sh
+        wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | gpg --yes --dearmor --output /usr/share/keyrings/apt-llvm-org.gpg
+        printf "deb [signed-by=/usr/share/keyrings/apt-llvm-org.gpg] http://apt.llvm.org/%s/   llvm-toolchain-%s-%s  main\n" \
+		"$RELEASE" "$RELEASE" "$COMPILER_VERSION" >/etc/apt/sources.list.d/llvm-toolchain.list
         PACKAGES+=("clang-$COMPILER_VERSION" "lldb-$COMPILER_VERSION" "lld-$COMPILER_VERSION" "clangd-$COMPILER_VERSION")
     fi
 elif [[ "$COMPILER" == gcc ]]; then
-- 
2.33.0