From 079dbb8360944bcc9f557cfb39631dc7e94a2772 Mon Sep 17 00:00:00 2001 
From: Fedor Chelnokov Date: Thu, 23 Apr 2026 00:22:19 +0300 Subject: [PATCH] ci(ubuntu22): install CMake from GitHub tarball, not apt.kitware.com Replace the apt.kitware.com recipe in docker/ubuntu22Dockerfile with a curl+tar install of the upstream Kitware CMake tarball published on GitHub Releases. Motivation: apt.kitware.com has been unreliable in ways our CI is bound to hit. Recent evidence: - ubuntu22-arm64 image build on feat/zlib-compress-stream-zlib-ng (run 24800811051) failed with Could not connect to apt.kitware.com:443 (66.194.253.25) - connect (111: Connection refused) ... E: Unable to locate package kitware-archive-keyring while the identical recipe on x64 in the same run succeeded. - Dec 2024: full-day outage documented on CMake Discourse (https://discourse.cmake.org/t/kitware-apt-repo-down/13184), caused by a mis-issued SSL certificate (for vtk.org, not apt.kitware.com). Kitware's apt repo is a single origin with no published HA strategy. GitHub Releases, by contrast, is served through GitHub's CDN -- the same infrastructure MeshLib CI already depends on for git clones, actions/checkout, and every submodule fetch. Moving this dependency off apt.kitware.com therefore removes a single point of failure without adding any new one. Side benefits of the tarball approach: * Version is pinned (ENV CMAKE_VERSION=4.3.2) rather than "whatever Kitware's apt index was advertising at image-build time", which makes the Docker image reproducible. * Drops the transitive apt dependencies the old recipe pulled in just to run apt-add-repository (software-properties-common, lsb-release) and the apt-key dance. * Shorter per-image build time -- one curl+tar instead of three sequential apt updates. * Works uniformly on x86_64 and aarch64 via $(uname -m); no architecture-specific branching. Only docker/ubuntu22Dockerfile is affected: docker/ubuntu24Dockerfile never upgraded CMake beyond Ubuntu's apt-supplied version (3.28 on noble), so it has no kitware recipe to replace. 
---
 docker/ubuntu22Dockerfile | 34 +++++++++++++++++++++-------------
 1 file changed, 21 insertions(+), 13 deletions(-)
diff --git a/docker/ubuntu22Dockerfile b/docker/ubuntu22Dockerfile
index 058a0ad4be60..710567031f74 100644
--- a/docker/ubuntu22Dockerfile
+++ b/docker/ubuntu22Dockerfile
@@ -68,19 +68,27 @@ RUN export DEBIAN_FRONTEND=noninteractive; \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
-# update cmake
-RUN apt remove --purge --auto-remove -y cmake \
- && apt update \
- && apt install -y software-properties-common lsb-release \
- && apt clean all \
- && wget -O - https://apt.kitware.com/keys/kitware-archive-latest.asc 2>/dev/null | gpg --dearmor - | tee /etc/apt/trusted.gpg.d/kitware.gpg >/dev/null \
- && apt-add-repository "deb https://apt.kitware.com/ubuntu/ $(lsb_release -cs) main" \
- && apt-key adv --keyserver keyserver.ubuntu.com --recv-keys 42D5A192B819C5DA \
- && apt update \
- && apt install -y kitware-archive-keyring \
- && rm /etc/apt/trusted.gpg.d/kitware.gpg \
- && apt update \
- && apt install -y cmake
+# Install a pinned CMake from the upstream Kitware release tarball published
+# on GitHub. Ubuntu 22.04's apt ships CMake 3.22, too old for several MeshLib
+# thirdparty submodules; previously we pulled CMake from apt.kitware.com, but
+# that mirror has been unreliable (connection-refused outages on arm64 runners,
+# Dec 2024 SSL-cert misconfiguration, etc.). GitHub Releases is served from
+# the same CDN we already hit on every run for git submodule checkouts, so
+# this path adds zero new points of failure relative to what we already depend
+# on. Bump CMAKE_VERSION to get a newer CMake; the tarball is the exact same
+# binary Kitware publishes through its apt repo.
+ENV CMAKE_VERSION=4.3.2
+RUN set -eux; \
+ apt remove --purge --auto-remove -y cmake; \
+ ARCH=$(uname -m); \
+ curl -fL -o /tmp/cmake.tar.gz \
+ "https://github.com/Kitware/CMake/releases/download/v${CMAKE_VERSION}/cmake-${CMAKE_VERSION}-linux-${ARCH}.tar.gz"; \
+ mkdir -p /opt/cmake; \
+ tar -xzf /tmp/cmake.tar.gz -C /opt/cmake --strip-components=1; \
+ rm /tmp/cmake.tar.gz; \
+ ln -s /opt/cmake/bin/cmake /usr/local/bin/cmake; \
+ ln -s /opt/cmake/bin/ctest /usr/local/bin/ctest; \
+ ln -s /opt/cmake/bin/cpack /usr/local/bin/cpack
 RUN ./scripts/install_thirdparty.sh && \
 echo '/usr/local/lib' | tee -a /etc/ld.so.conf && \
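Review bot: The tarball fetched by `curl -fL` is unpacked into /opt/cmake and linked into /usr/local/bin without any digest or signature check, so `CMAKE_VERSION=4.3.2` pins a release name but not the bytes that end up in the image. The removed apt recipe at least went through apt's signed-repository verification; here a replaced or tampered release asset would be installed silently, and every later build step in the image runs under that CMake. I would pin one SHA-256 per architecture in the Dockerfile, taken from Kitware's signed `cmake-<version>-SHA-256.txt` and checked out of band, then run `sha256sum -c` before `tar` and fail on an unexpected `uname -m` value. The trailing `RUN ./scripts/install_thirdparty.sh` block continues past the end of the hunk.

```dockerfile
ENV CMAKE_VERSION=4.3.2
# Placeholders, not real digests: fill in from Kitware's signed SHA-256 file.
ARG CMAKE_SHA256_X86_64=<SHA256_OF_LINUX_X86_64_TARBALL>
ARG CMAKE_SHA256_AARCH64=<SHA256_OF_LINUX_AARCH64_TARBALL>
RUN set -eux; \
    # … unchanged: apt remove, ARCH=$(uname -m) …
    case "${ARCH}" in \
      x86_64)  CMAKE_SHA256="${CMAKE_SHA256_X86_64}" ;; \
      aarch64) CMAKE_SHA256="${CMAKE_SHA256_AARCH64}" ;; \
      *) echo "unsupported architecture: ${ARCH}" >&2; exit 1 ;; \
    esac; \
    # … unchanged: curl download to /tmp/cmake.tar.gz …
    echo "${CMAKE_SHA256}  /tmp/cmake.tar.gz" | sha256sum -c -; \
    # … unchanged: mkdir, tar, rm, ln -s …
```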