[3.11] gh-123418: Update CI to use fresh OpenSSL releases (GH-123675)

[zware]

Also adds openssl/openssl GitHub URL template for newer OpenSSL downloads

(cherry picked from commit 56b00f4)

• Issue: OpenSSL vulnerability CVE-2024-2511 #123418

[zware]

Figured out that the issue was that the cached OpenSSLs were built on a newer OS. This now changes the cache key to include the OS version by using matrix.os rather than runner.os. If there's a better way to do that than introducing matrix.os with a single value, I'm open to it but don't know what it is :)

The other option is to update these jobs to ubuntu-22.04 to match 3.12+.

[hugovk]

Good find!

runner.os is only the name, like Linux. Here's what else is available in the runner context, nothing with the OS version:

https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#runner-context

We could use something like what we do in check_generated_files:

cpython/.github/workflows/build.yml

Lines 58 to 63 in ef530ce

	- name: Restore config.cache
	uses: actions/cache@v4
	with:
	path: config.cache
	# Include env.pythonLocation in key to avoid changes in environment when setup-python updates Python
	key: ${{ github.job }}-${{ runner.os }}-${{ env.IMAGE_VERSION }}-${{ needs.check_source.outputs.config_hash }}-${{ env.pythonLocation }}

This evaluates to

key: check_generated_files-Linux-20240908.1.0-70ac7f9d1848eb0ae8c5155b3ccbe3eacadc823620d7539b753b09940356f994-/opt/hostedtoolcache/Python/3.12.5/x64

https://github.com/python/cpython/actions/runs/10877514251/job/30179004543#step:5:4

So a ${{ github.job }}-${{ runner.os }}-${{ env.IMAGE_VERSION }} prefix will also give us fresh caches when the image version (for example 20240908.1.0) changes.

And let's forward-port these key changes to 3.12-3.14 as well.

The other option is to update these jobs to ubuntu-22.04 to match 3.12+.

It's worth doing this as well, Ubuntu 20.04 is EOL next April and at some point GitHub will stop updating ubuntu-20.04. We need to keep testing Python 3.11 until its EOL in 2027.

[zware]

GH-124403 is the forward-port. I opted not to add ${{github.job}}, because I don't think we really care if the image is updated. The build should be fine for the lifetime of the OS (and probably even later OS versions), the main issue is just that we can't use a build from a newer version on an older version.