@@ -100,14 +100,14 @@ jobs:
100100 uses : actions/cache@v4
101101 with :
102102 path : /tmp/nss-build
103- key : nss-debian-source-${{ hashFiles('.github/workflows/wolfpkcs11-nss-debian.patch') }}-${{ env.WOLFSSL_VERSION }}
103+ key : nss-debian-source-${{ hashFiles('.github/workflows/wolfpkcs11-nss-debian.patch', '.github/workflows/nss-pk12util-debian-test.yml' ) }}-${{ env.WOLFSSL_VERSION }}
104104
105105 - name : Cache NSS built packages
106106 id : cache-nss-packages
107107 uses : actions/cache@v4
108108 with :
109109 path : /tmp/nss-packages
110- key : nss-debian-packages-${{ hashFiles('.github/workflows/wolfpkcs11-nss-debian.patch') }}-${{ env.WOLFSSL_VERSION }}
110+ key : nss-debian-packages-${{ hashFiles('.github/workflows/wolfpkcs11-nss-debian.patch', '.github/workflows/nss-pk12util-debian-test.yml' ) }}-${{ env.WOLFSSL_VERSION }}
111111
112112 - name : Get NSS Debian sources and apply wolfPKCS11 patch
113113 if : steps.cache-nss-source.outputs.cache-hit != 'true'
@@ -135,6 +135,16 @@ jobs:
135135 # Copy patch file from workspace to current directory for reliable access
136136 cp "${GITHUB_WORKSPACE}/.github/workflows/wolfpkcs11-nss-debian.patch" ./wolfpkcs11-nss-debian.patch
137137
138+ # Prepend the wolfPKCS11 changelog entry. Done inline (rather than in
139+ # the patch) so future Debian security uploads do not break the hunk
140+ # context every time a new entry lands at the top of debian/changelog.
141+ # `dch --local` derives the new version from whatever is currently at
142+ # the top, so this works regardless of which deb12uN the apt mirror
143+ # currently ships.
144+ DEBEMAIL="support@wolfssl.com" DEBFULLNAME="wolfSSL" \
145+ dch --local "+wolfSSL-" --distribution bookworm-security \
146+ "First build with wolfPKCS11 backend"
147+
138148 # Apply the patch
139149 patch -p1 < ./wolfpkcs11-nss-debian.patch
140150
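Review bot: The two cache keys in the first hunk (`nss-debian-source-…` and `nss-debian-packages-…`) still carry nothing that tracks the Debian NSS source version, so the `dch --local` step added in the second hunk only runs on a cache miss (the enclosing step is gated on `steps.cache-nss-source.outputs.cache-hit != 'true'`). After a Debian security upload the job would presumably keep restoring the older patched tree and packages until the patch, the workflow file or `WOLFSSL_VERSION` changes, so the new deb12uN is not what gets tested. Consider resolving the candidate NSS source version in a step ahead of the cache steps and appending it to both keys, for example `-${{ steps.nss-version.outputs.version }}`, where `nss-version` is a new step you would add. The run block starts and ends outside this hunk, so whether the apt indexes are refreshed before the source download is not visible here.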