Make toolchain install resilient to apt outages

Only install tools that are actually missing (gitea/runner-images
already ships curl/jq/tar), and point apt at mirrors.aliyun.com when
we do need to install something so archive.ubuntu.com timeouts stop
blocking the build. Handles both Noble's DEB822 ubuntu.sources and
the legacy sources.list.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitea/workflows/release.yml

@@ -45,17 +45,53 @@ jobs:
         with:
           fetch-depth: 0
 
-      - name: Install toolchain
+      - name: Install toolchain (only what's missing)
         run: |
           set -euo pipefail
+
+          MISSING=()
+          for tool in shellcheck jq curl tar sha256sum; do
+            command -v "$tool" >/dev/null 2>&1 || MISSING+=("$tool")
+          done
+
+          if [[ ${#MISSING[@]} -eq 0 ]]; then
+            echo "所有工具已就绪，跳过安装。"
+            exit 0
+          fi
+          echo "需要安装: ${MISSING[*]}"
+
           if [[ $EUID -ne 0 ]] && command -v sudo >/dev/null 2>&1; then
             SUDO=sudo
           else
             SUDO=
           fi
+
+          # 切换到阿里云镜像以避开 archive.ubuntu.com / security.ubuntu.com 出境超时。
+          if [[ -f /etc/apt/sources.list.d/ubuntu.sources ]]; then
+            $SUDO sed -i \
+              -e 's|http://archive.ubuntu.com/ubuntu|https://mirrors.aliyun.com/ubuntu|g' \
+              -e 's|http://security.ubuntu.com/ubuntu|https://mirrors.aliyun.com/ubuntu|g' \
+              /etc/apt/sources.list.d/ubuntu.sources
+          fi
+          if [[ -f /etc/apt/sources.list ]]; then
+            $SUDO sed -i \
+              -e 's|http://archive.ubuntu.com/ubuntu|https://mirrors.aliyun.com/ubuntu|g' \
+              -e 's|http://security.ubuntu.com/ubuntu|https://mirrors.aliyun.com/ubuntu|g' \
+              /etc/apt/sources.list
+          fi
+
+          # 实际安装的包名映射（coreutils 提供 sha256sum）。
+          PKGS=()
+          for tool in "${MISSING[@]}"; do
+            case "$tool" in
+              sha256sum) PKGS+=(coreutils) ;;
+              *) PKGS+=("$tool") ;;
+            esac
+          done
+
           $SUDO apt-get update -qq
-          DEBIAN_FRONTEND=noninteractive $SUDO apt-get install -y -qq \
-            shellcheck jq curl tar coreutils ca-certificates
+          DEBIAN_FRONTEND=noninteractive $SUDO apt-get install -y -qq --no-install-recommends \
+            "${PKGS[@]}" ca-certificates
 
       - name: Run shellcheck
         run: |