fixup! release: build unsigned Ubuntu .deb package

Currently, we target whatever GitHub Actions use as `ubuntu-latest`;
This, however, led to the unintentional requirement in v2.47.2.vfs.0.0
to run Ubuntu 24.04 (up from 22.04 in v2.47.1.vfs.0.1).

It is important to target a wider audience, though, especially in light
of CVE-2024-52005 which is only addressed in Git for Windows and
`microsoft/git`, but not Git.

We could now go back to 22.04; This would only be a temporary band-aid,
https://github.blog/changelog/2025-01-15-github-actions-ubuntu-20-runner-image-brownout-dates-and-other-breaking-changes/
already announced that 20.04 is phased out very soon, and 22.04 will be
next.

Let's just use a Docker container instead that targets the oldest Ubuntu
LTS that is still maintained in _some_ shape or form.

This requires a few modifications (`sudo` is not available, GitHub
Actions' node.js needs to be overridden, and we need to install a couple
of packages explicitly). In particular, we now need two jobs because it
turned out to be too convoluted to get `debsign` to work in a headless
workflow with Ubuntu 16.04; We still resort to `ubuntu-latest` for that
instead.

By still verifying the resulting binary in `validate-installers`, we
ensure that it installs and works on the latest Ubuntu version by virtue
of using `runs-on: ubuntu-latest` in _that_ matrix job.

Signed-off-by: Johannes Schindelin <[email protected]>

Author: dscho

.github/workflows/build-git-installers.yml

@@ -490,16 +490,30 @@ jobs:
   # End build and sign Mac OSX installers
 
   # Build and sign Debian package
-  create-linux-artifacts:
+  create-linux-unsigned-artifacts:
     runs-on: ubuntu-latest
+    container:
+      image: ubuntu:16.04 # expanded security maintenance until 04/02/2026, according to https://endoflife.date/ubuntu
+      volumes:
+        # override /__e/node20 because GitHub Actions uses a version that requires too-recent glibc, see "Install dependencies" below
+        - /tmp:/__e/node20
     needs: prereqs
-    environment: release
     steps:
-      - name: Install git dependencies
+      - name: Install dependencies
         run: |
           set -ex
-          sudo apt-get update -q
-          sudo apt-get install -y -q --no-install-recommends gettext libcurl4-gnutls-dev libpcre3-dev asciidoc xmlto
+          apt-get update -q
+          apt-get install -y -q --no-install-recommends \
+            build-essential \
+            tcl tk gettext asciidoc xmlto \
+            libcurl4-gnutls-dev libpcre2-dev zlib1g-dev libexpat-dev \
+            curl ca-certificates
+
+          # Install a Node.js version that works in older Ubuntu containers (read: does not require very recent glibc)
+          NODE_VERSION=v20.18.1 &&
+          NODE_URL=https://unofficial-builds.nodejs.org/download/release/$NODE_VERSION/node-$NODE_VERSION-linux-x64-glibc-217.tar.gz &&
+          curl -Lo /tmp/node.tar.gz $NODE_URL &&
+          tar -C /__e/node20 -x --strip-components=1 -f /tmp/node.tar.gz
 
       - name: Clone git
         uses: actions/checkout@v4
@@ -562,6 +576,18 @@ jobs:
           # Move Debian package for later artifact upload
           mv "$PKGNAME.deb" "$GITHUB_WORKSPACE"
 
+      - name: Upload artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: linux-unsigned-artifacts
+          path: |
+            *.deb
+
+  create-linux-artifacts:
+    runs-on: ubuntu-latest
+    needs: [prereqs, create-linux-unsigned-artifacts]
+    environment: release
+    steps:
       - name: Log into Azure
         uses: azure/login@v2
         with:
@@ -597,6 +623,11 @@ jobs:
           gpg-connect-agent RELOADAGENT /bye
           /usr/lib/gnupg2/gpg-preset-passphrase --preset "$keygrip" <<<"$passphrase"
 
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: linux-unsigned-artifacts
+
       - name: Sign Debian package
         run: |
           # Sign Debian package