ci: publish dep cache for bare-ubuntu too, not just bookworm

Adds a second publish job that builds the same versions outside the
bookworm container, on a plain ubuntu-22.04 runner. The cache key
includes the compiler binary, so bookworm gcc and ubuntu-22.04 gcc
get separate entries -- bare-ubuntu consumers (simple, cmdline,
smoke-test, seed-src, fips-ready, multi-compiler) now have something
to pull from ghcr instead of always rebuilding.

Matrix is openssl {master, latest, 3.0.17} x wolfssl {master, latest,
v5.8.4-stable} -- the tags those workflows actually request.
Replace-default / debug variants stay out of the publisher matrix for
now; they auto-populate from canonical master pushes (cheap, one
build per combo).

Author: aidangarske

.github/workflows/publish-dep-cache.yml

@@ -103,3 +103,55 @@ jobs:
           WOLFSSL_TAG: ${{ matrix.wolfssl_ref }}
           WOLFPROV_SKIP_TEST: '1'
         run: ./scripts/build-wolfprovider.sh --cache-publish
+
+  # Bare-ubuntu mirror of the publish job: same versions, no container, so
+  # consumers running directly on ubuntu-22.04 (simple, cmdline, smoke-test,
+  # seed-src, fips-ready, multi-compiler) hit the cache. Different compiler
+  # binary than bookworm gcc, so it lives at its own keys.
+  publish_bare:
+    needs: discover_versions
+    if: |
+      github.repository == 'wolfSSL/wolfProvider' &&
+      (
+        github.event_name != 'pull_request_target' ||
+        contains(fromJSON('["OWNER", "MEMBER"]'),
+                 github.event.pull_request.author_association)
+      )
+    runs-on: ubuntu-22.04
+    timeout-minutes: 60
+    strategy:
+      fail-fast: false
+      matrix:
+        openssl_ref:
+          - master
+          - ${{ needs.discover_versions.outputs.openssl_latest_ref }}
+          - openssl-3.0.17
+        wolfssl_ref:
+          - master
+          - ${{ needs.discover_versions.outputs.wolfssl_latest_ref }}
+          - v5.8.4-stable
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+          ref: ${{ github.event.pull_request.head.sha || github.sha }}
+
+      - name: Install ORAS
+        run: |
+          VERSION=1.2.0
+          curl -fsSL -o /tmp/oras.tar.gz \
+            "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz"
+          sudo tar -xzf /tmp/oras.tar.gz -C /usr/local/bin oras
+          rm -f /tmp/oras.tar.gz
+          oras version
+
+      - name: Log in to ghcr
+        run: echo "${{ secrets.GITHUB_TOKEN }}" \
+          | oras login ghcr.io -u ${{ github.actor }} --password-stdin
+
+      - name: Build and publish OpenSSL + wolfSSL (bare ubuntu, non-FIPS)
+        env:
+          OPENSSL_TAG: ${{ matrix.openssl_ref }}
+          WOLFSSL_TAG: ${{ matrix.wolfssl_ref }}
+          WOLFPROV_SKIP_TEST: '1'
+        run: ./scripts/build-wolfprovider.sh --cache-publish