From: Viktor Szakats <commit@vsz.me>
Date: Tue, 7 Apr 2026 23:35:37 +0000 (+0200)
Subject: GHA/linux: bump mbedTLS 3 to 3.6.5 (from 3.6.4), also verify hash
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f82ed74ed6f64c2bcfff17e8ea6b0806e9ac6cf5;p=thirdparty%2Fcurl.git

GHA/linux: bump mbedTLS 3 to 3.6.5 (from 3.6.4), also verify hash

Also:
- fix incorrect version in cache id.
  Follow-up to 3a305831d1a9d10b2bfd4fa3939ed41275fee7f7 #19077
- latest version 3.6.6 fails pytests. Seems similar to the v4.1.0
  regression.
  https://github.com/curl/curl/pull/21178
  https://github.com/Mbed-TLS/mbedtls/issues/10668

Closes #21262
---

diff --git a/.github/workflows/linux.yml b/.github/workflows/linux.yml
index ae5abc2a50..11cff3e174 100644
--- a/.github/workflows/linux.yml
+++ b/.github/workflows/linux.yml
@@ -40,7 +40,8 @@ env:
   # renovate: datasource=github-tags depName=Mbed-TLS/mbedtls versioning=semver registryUrl=https://github.com
   MBEDTLS_VERSION: 4.0.0
   # renovate: datasource=github-tags depName=Mbed-TLS/mbedtls versioning=semver:^3.0.0 registryUrl=https://github.com
-  MBEDTLS_VERSION_PREV: 3.6.4
+  MBEDTLS_VERSION_PREV: 3.6.5
+  MBEDTLS_SHA256_PREV: 4a11f1777bb95bf4ad96721cac945a26e04bf19f57d905f241fe77ebeddf46d8
   # renovate: datasource=github-tags depName=awslabs/aws-lc versioning=semver registryUrl=https://github.com
   AWSLC_VERSION: 1.69.0
   # renovate: datasource=github-tags depName=google/boringssl versioning=semver registryUrl=https://github.com
@@ -677,14 +678,14 @@ jobs:
           cache-name: cache-mbedtls-prev
         with:
           path: ~/mbedtls-prev
-          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MBEDTLS_VERSION }}
+          key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ env.MBEDTLS_VERSION_PREV }}
 
       - name: 'build mbedtls (prev)'
         if: ${{ contains(matrix.build.install_steps, 'mbedtls-prev') && steps.cache-mbedtls-prev.outputs.cache-hit != 'true' }}
         run: |
           curl --disable --fail --silent --show-error --connect-timeout 15 --max-time 120 --retry 6 --retry-connrefused \
             --location "https://github.com/Mbed-TLS/mbedtls/releases/download/mbedtls-${MBEDTLS_VERSION_PREV}/mbedtls-${MBEDTLS_VERSION_PREV}.tar.bz2" --output pkg.bin
-          sha256sum pkg.bin && tar -xjf pkg.bin && rm -f pkg.bin
+          sha256sum pkg.bin | tee /dev/stderr | grep -qwF -- "${MBEDTLS_SHA256_PREV}" && tar -xjf pkg.bin && rm -f pkg.bin
           cd "mbedtls-${MBEDTLS_VERSION_PREV}"
           ./scripts/config.py set MBEDTLS_THREADING_C
           ./scripts/config.py set MBEDTLS_THREADING_PTHREAD