This change aims to simplify the following commit.

This change simplifies running examples on Windows, because the DLL
must reside either in the same folder where the executable is or
somewhere in PATH.

The group element checks `secp256k1_{ge,gej}_verify` have first been
implemented and added in commit f202667
(PR #1299). This commit adds additional verification calls in group
functions, to match the ones that were originally proposed in commit
09dbba561fdb9d57a2cc9842ce041d9ba29a6189 of WIP-PR #1032 (which is
obviously not rebased on #1299 yet).

Also, for easier review, all functions handling group elements are
structured in the following wasy for easier review (idea suggested by
Tim Ruffing):

- on entry, verify all input ge, gej (and fe)
- empty line
- actual function body
- empty line
- on exit, verify all output ge, gej

Co-authored-by: Peter Dettman <[email protected]>
Co-authored-by: Tim Ruffing <[email protected]>

Co-authored-by: Tim Ruffing <[email protected]>

Remove also the explicit magnitude restriction `a->x.magnitude <= 31`
in `secp256k1_gej_eq_x_var` (introduced in commit
07c0e8b), as this is implied by the
new limits.

Co-authored-by: Sebastian Falbesoner <[email protected]>

…stive test

- `secp256k1_scalar_set_int` in scalar_low uses input mod EXHAUSTIVE_TEST_ORDER
- directly store s in sig64 without reducing it mod the group order for testing

secp256k1_scalar_verify checks that scalars are reduced mod the
group order

- adjust test methods that randomize magnitudes

Co-authored-by: Sebastian Falbesoner <[email protected]>
Co-authored-by: Jonas Nick <[email protected]>

Also update the operations count comments in each of the affected
functions accordingly and remove a redundant VERIFY_CHECK in
secp256k1_gej_add_ge (the infinity value range check [0,1] is already
covered by secp256k1_gej_verify above).

Co-authored-by: Sebastian Falbesoner <[email protected]>
Co-authored-by: Tim Ruffing <[email protected]>
Co-authored-by: Jonas Nick <[email protected]>

…calar_{zero,one}` constants (part 2)

a1bd497 refactor: take use of `secp256k1_scalar_{zero,one}` constants (part 2) (Sebastian Falbesoner)

Pull request description:

ACKs for top commit:
  real-or-random:
    utACK bitcoin-core/secp256k1@a1bd497
  jonasnick:
    ACK a1bd497

Tree-SHA512: 09ef6d9be1d3f9c19f8fe4614fe629de5c45197027e0e3f9dd8d4679a510a7b57f8aa499707a6daf652041f255c87316c9883bf7cf9a08bd41a3651bff54299e

…for examples on Windows

175db31 ci: Drop no longer needed `PATH` variable update on Windows (Hennadii Stepanov)
116d2ab cmake: Set `ENVIRONMENT` property for examples on Windows (Hennadii Stepanov)
cef3739 cmake, refactor: Use helper function instead of interface library (Hennadii Stepanov)

Pull request description:

  This PR simplifies running examples on Windows, because the DLL must reside either in the same folder where the executable is or somewhere in PATH.

  It is an alternative to #1233.

ACKs for top commit:
  real-or-random:
    utACK 175db31

Tree-SHA512: 8188018589a5bcf0179647a039cdafcce661dc103a70a5bb9e6b6f680b899332ba30b1e9ef5dad2a8c22c315d7794747e49d8cf2e391eebea21e3d8505ee334b

… GitHub Actions

a2f7ccd ci: Run "Windows (VS 2022)" job on GitHub Actions (Hennadii Stepanov)

Pull request description:

  This PR solves one item in bitcoin-core/secp256k1#1392.

  In response to upcoming [limiting free usage of Cirrus CI](https://cirrus-ci.org/blog/2023/07/17/limiting-free-usage-of-cirrus-ci/), suggesting to move (partially?) CI tasks/jobs from Cirrus CI to [GitHub Actions](https://docs.github.com/actions) (GHA).

  Here is example from my personal repo: https://github.com/hebasto/secp256k1/actions/runs/5806269046.

  For security concerns, see:
  - bitcoin/bitcoin#28098 (comment)
  - bitcoin/bitcoin#28098 (comment)

  I'm suggesting the repository "Actions permissions" as follows:

  ![image](https://github.com/bitcoin-core/secp256k1/assets/32963518/bd18d489-784f-48ba-b599-ed1c4dfc34fa)

  ![image](https://github.com/bitcoin-core/secp256k1/assets/32963518/632280e0-9c26-42eb-a0ed-24f9a8142faa)

  ---

  See build logs in my personal repo: https://github.com/hebasto/secp256k1/actions/runs/5692587475.

ACKs for top commit:
  real-or-random:
    utACK a2f7ccd

Tree-SHA512: b6329a29391146e3cdee9a56f6151b6672aa45837dfaacb708ba4209719801ed029a6928d638d314b71c7533d927d771b3eca4b9e740cfcf580a40ba07970ae4

…k from Cirrus CI

f1774e5 ci, gha: Make MSVC job presentation more explicit (Hennadii Stepanov)
5ee039b ci: Remove "Windows (VS 2022)" task from Cirrus CI (Hennadii Stepanov)

Pull request description:

  A follow-up for bitcoin-core/secp256k1#1389.

  bitcoin-core/secp256k1#1389 (comment):
  > Or actually... hebasto Can you remove the second commit for now, if we're unsure whether this works at all.

  ---

  Second commit effect:
  - [before (master branch)](https://github.com/bitcoin-core/secp256k1/actions/runs/5809860925):
  ![image](https://github.com/bitcoin-core/secp256k1/assets/32963518/041439a5-8d1a-4740-85c3-4223e8cd9f70)

  - [after (this PR)](https://github.com/bitcoin-core/secp256k1/actions/runs/5810140851):
  ![image](https://github.com/bitcoin-core/secp256k1/assets/32963518/9e0c8f2c-1ba6-4df9-8720-542788b24da6)

ACKs for top commit:
  real-or-random:
    utACK f1774e5

Tree-SHA512: ed36c5cef3ba4cf6769d480358f753ecc4a8a150103201f586b05d8d364c580ff637fe5b915918c695c8f7067c1bd7de6384eea1a12d1b8575ba5b629779ebf4

This reverts commit d8d5485.

… on GitHub Actions

8408dfd Revert "ci: Run sage prover on CI" (Hennadii Stepanov)
c8d9914 ci, gha: Run "SageMath prover" job on GitHub Actions (Hennadii Stepanov)

Pull request description:

ACKs for top commit:
  real-or-random:
    utACK 8408dfd
  jonasnick:
    ACK 8408dfd

Tree-SHA512: 4de628b6d5535023c5351faebfd98d2bd9effe6592f14ffe0d0f7c6eeedd7426b9891da70aa3ea7fa830f0abc054f6b015af01fb6e26f50d45eb26177a7a6310

…KMEM macros also for ellswift

9c91ea4 ci: Enable ellswift module where it's missing (Tim Ruffing)
db32a24 ctimetests: Use new SECP256K1_CHECKMEM macros also for ellswift (Tim Ruffing)

Pull request description:

ACKs for top commit:
  hebasto:
    ACK 9c91ea4.
  jonasnick:
    ACK 9c91ea4

Tree-SHA512: e918236cb38b2bb6e69f84fcfa5f550c54f0df018103627082646a8fd731c238ce68b1b85badf042f08300208015012677143a96f9b97d94065b9a00c1da7876

…ve normalize_weak calls in group add methods (revival of #1032)

b7c685e Save _normalize_weak calls in group add methods (Peter Dettman)
c83afa6 Tighten group magnitude limits (Peter Dettman)
173e8d0 Implement current magnitude assumptions (Peter Dettman)
49afd2f Take use of _fe_verify_magnitude in field_impl.h (Sebastian Falbesoner)
4e9661f Add _fe_verify_magnitude (no-op unless VERIFY is enabled) (Peter Dettman)
690b0fc add missing group element invariant checks (Sebastian Falbesoner)

Pull request description:

  This PR picks up #1032 by peterdettman. It's essentially a rebase on master; the original first commit (09dbba561fdb9d57a2cc9842ce041d9ba29a6189) which introduced group verification methods has mostly been replaced by PR #1299 (commit f202667) and what remains now is only adding a few missing checks at some places. The remaining commits are unchanged, though some (easy-to-solve) conflicts appeared through cherry-picking. The last commit which actually removes the `normalize_weak` calls is obviously the critical one and needs the most attention for review.

ACKs for top commit:
  sipa:
    utACK b7c685e
  real-or-random:
    ACK b7c685e
  jonasnick:
    ACK b7c685e

Tree-SHA512: f15167eff7ef6ed971c726a4d738de9a15be95b0c947d7e38329e7b16656202b7113497d36625304e784866349f2293f6f1d8cb97df35393af9ea465a4156da3

It is not neccessary for the second argument in `secp256k1_fe_equal_var`
(or `secp256k1_fe_equal`) to have magnitude = 1.
Hence, removed the `secp256k1_fe_normalize_weak` call for those argument.

`fe_equal_var` hits a fast path only when the inputs are unequal, which is
uncommon among its callers (public key parsing, ECDSA verify).

Co-authored-by: Tim Ruffing <[email protected]>

…acOS task

d62db57 ci: Use Homebrew's gcc in native macOS task (Hennadii Stepanov)

Pull request description:

  Fixes an issue noticed in bitcoin-core/secp256k1#1394 (comment):

  > This uses the wrong GCC, namely Clang

  When `CC=gcc`:

  - on the [master](https://api.cirrus-ci.com/v1/task/5074854529990656/logs/test.log) branch:
  ```
  + gcc -v
  Apple clang version 14.0.3 (clang-1403.0.22.14.1)
  Target: arm64-apple-darwin22.5.0
  Thread model: posix
  InstalledDir: /Library/Developer/CommandLineTools/usr/bin
  ```

  - with this [PR](https://api.cirrus-ci.com/v1/task/5460539170619392/logs/test.log):
  ```
  + gcc -v
  Using built-in specs.
  COLLECT_GCC=gcc
  COLLECT_LTO_WRAPPER=/opt/homebrew/Cellar/gcc/13.1.0/bin/../libexec/gcc/aarch64-apple-darwin22/13/lto-wrapper
  Target: aarch64-apple-darwin22
  Configured with: ../configure --prefix=/opt/homebrew/opt/gcc --libdir=/opt/homebrew/opt/gcc/lib/gcc/current --disable-nls --enable-checking=release --with-gcc-major-version-only --enable-languages=c,c++,objc,obj-c++,fortran --program-suffix=-13 --with-gmp=/opt/homebrew/opt/gmp --with-mpfr=/opt/homebrew/opt/mpfr --with-mpc=/opt/homebrew/opt/libmpc --with-isl=/opt/homebrew/opt/isl --with-zstd=/opt/homebrew/opt/zstd --with-pkgversion='Homebrew GCC 13.1.0' --with-bugurl=https://github.com/Homebrew/homebrew-core/issues --with-system-zlib --build=aarch64-apple-darwin22 --with-sysroot=/Library/Developer/CommandLineTools/SDKs/MacOSX13.sdk
  Thread model: posix
  Supported LTO compression algorithms: zlib zstd
  gcc version 13.1.0 (Homebrew GCC 13.1.0)
  ```

ACKs for top commit:
  real-or-random:
    ACK d62db57, it works: https://cirrus-ci.com/task/6200190252613632?logs=test#L27

Tree-SHA512: 34b3aa86584fc04b57301731ebf811cd5b457cebb13e64593b8efb776aec48c1be5d2662b1af3f482d39fdb43308dafa5f4bfc18bd2cf350f0f61f0be799346e

…about Valgrind code on macOS x86_64

747ada3 test: Silent noisy clang warnings about Valgrind code on macOS x86_64 (Hennadii Stepanov)

Pull request description:

  Since #1206, on macOS x86_64 with Valgrind installed, clang emits a massive amount of `-Wreserved-identifier` and `-Wreserved-macro-identifier` warnings from the `valgrind/valgrind.h` and `valgrind/memcheck.h` headers.

  This PR prevents warnings emitted for the Valgrind code.

ACKs for top commit:
  real-or-random:
    utACK 747ada3

Tree-SHA512: dd1b2b9db2d471939fdc30f9d8fd106a12f21ec5008ca98d8ebe3087d7ea352d564e8bbd0cec59a004e084af3a84d4680cb81f2ef6fe13cf164b7691e33f437d

Co-authored-by: Tim Ruffing <[email protected]>

…a" job on GitHub Actions

8e54a34 ci, gha: Run "x86_64: macOS Ventura" job on GitHub Actions (Hennadii Stepanov)

Pull request description:

ACKs for top commit:
  real-or-random:
    ACK 8e54a34
  jonasnick:
    ACK 8e54a34

Tree-SHA512: c10f9d8d677409b37f1d8a49e580f3160a920fed78add3437184e5dabf79083b1ba6df920a233f27485630e5bbee9ff9825e908cc6fb64b0c9959c131bc9f070

…task from Cirrus CI

c2f6435 ci: Add comment about switching macOS to M1 on GHA later (Tim Ruffing)
4a24fae ci: Remove "arm64: macOS Ventura" task from Cirrus CI (Hennadii Stepanov)

Pull request description:

ACKs for top commit:
  hebasto:
    ACK c2f6435
  jonasnick:
    ACK c2f6435

Tree-SHA512: a930f2a58fdf3624d03ffd07f6db236e804100eb9d4320c943a65b5a2afb89a5da82df8e0207b87e0e8f858974af07c876c9e56495246dfd24146dfb3b10b591

…ted `_fe_normalize_weak` calls (in tests)

54058d1 field: remove `secp256k1_fe_equal_var` (siv2r)
bb4efd6 tests: remove unwanted `secp256k1_fe_normalize_weak` call (siv2r)

Pull request description:

  Fixes #946 and #1061

  Changes:
  - removes unwanted `fe_normalize_weak` calls to the second argument of `fe_equal`
  - removes `fe_equal_var`

ACKs for top commit:
  real-or-random:
    utACK 54058d1
  jonasnick:
    ACK 54058d1

Tree-SHA512: 89bfd1c205f760d0736b995adebb96d15b0df0a42ece25885c57ae7f4318f6816eb009a7fe94b5987a4cbb8588f0fffbdc275234b406a2d1f80d7695b4bd89db

…dows natively

d78bec7 ci: Remove Windows MSVC tasks from Cirrus CI (Hennadii Stepanov)
3545dc2 ci, gha: Run all MSVC tests on Windows natively (Hennadii Stepanov)

Pull request description:

ACKs for top commit:
  real-or-random:
    ACK d78bec7
  jonasnick:
    ACK d78bec7

Tree-SHA512: b58162a9f0827dceb1c7eb6fb7c759c0bffcf3e0d24cc7e6628ad71d1faaabaffb9d8de6fcd3d07bfcaca409632a13f711f9ad871a30718139557544cf91b4bf

…normalize)

`random_fe_non_zero` contains a loop iteration limit that ensures that
we abort if `random_fe` ever yielded zero more than ten times in a row.
This construct was first introduced in PR BlockstreamResearch#19 (commit 09ca4f3) for
random non-square field elements and was later refactored into the
non-zero helper in PR BlockstreamResearch#25 (commit 6d6102f). The copy-over to the
exhaustive tests happened recently in PR #1118 (commit 0f86420).

This case seems to be practically irrelevant and I'd argue for keeping
things simple and removing it; if there's really a worry that the test's
random generator is heavily biased towards certain values or value
ranges then there should consequently be checks at other places too
(e.g. directly in `random_fe` for 256-bit values that repeatedly
overflow, i.e. >= p).

Also, the _fe_normalize call is not needed and can be removed, as the
result of `random_fe` is already normalized.

…` helpers)

d23da6d use secp256k1_scalar_verify checks (stratospher)
c7d0454 add verification for scalars (stratospher)
ad15215 update max scalar in scalar_cmov_test and fix schnorrsig_verify exhaustive test (stratospher)

Pull request description:

  From #1360. This PR:
  1. adds `secp256k1_scalar_verify` to make sure scalars are reduced mod the group order in VERIFY mode
  2. uses `secp256k1_scalar_verify` in all the scalar functions except `secp256k1_scalar_clear`, `secp256k1_scalar_reduce_512`, `secp256k1_scalar_mul_512` and `secp256k1_scalar_*_var` functions in `scalar_low_impl.h`

ACKs for top commit:
  real-or-random:
    utACK d23da6d
  theStack:
    Code-review ACK d23da6d

Tree-SHA512: a371b319d948198c4038d35c9ea58f4b94de4dc312215e2b78a323c2acd4ae1355d97935c558b388774832d6d0058b97ff8ca50c3aab40b9ede5307760d0a505

…flow processes `github.ref` at a time

b0886fd ci, gha: Ensure only a single workflow processes `github.ref` at a time (Hennadii Stepanov)

Pull request description:

ACKs for top commit:
  real-or-random:
    ACK b0886fd
  jonasnick:
    ACK b0886fd

Tree-SHA512: 8edda9259fc07bda3a35286ab97238b2f2749fbc629030da52e5a352988e5562cf62255c7d4917b7f0c8dbc9a0bd3a36b5e725d3d5a4c635ae8239faef829d1b

This makes sense in the process of moving stuff to GitHub Actions.

… Linux image

87d35f3 ci: Rename `cirrus.sh` to more general `ci.sh` (Hennadii Stepanov)
d6281dd ci: Remove Windows tasks from Cirrus CI (Hennadii Stepanov)
2b6f9cd ci, gha: Add Windows jobs based on Linux image (Hennadii Stepanov)

Pull request description:

ACKs for top commit:
  real-or-random:
    ACK 87d35f3
  jonasnick:
    ACK 87d35f3

Tree-SHA512: bab005041692f52ed26899d50ee9114e6dd57a21ffa36b4d0b99e8b5b394a64a956cbc99ae2767fdf64f242970ebbeb0df4f5b373e059ecb187174f471b1a95e

This change is aimed at significantly reducing the frequency of failures
caused by intermittent network timeouts.

The https://sourceware.org/bugzilla/show_bug.cgi?id=27008 bug has been
resolved since libc 2.33.

Debian Bookworm has libc 2.36.

ef9fe95 ci: Drop no longer needed workaround (Hennadii Stepanov)

Pull request description:

  The https://sourceware.org/bugzilla/show_bug.cgi?id=27008 bug has been resolved since libc 2.33.

  Debian Bookworm has [libc](https://packages.debian.org/bookworm/libc6) 2.36.

  I've separated this change from moving CI tasks to GitHub Actions intentionally.

ACKs for top commit:
  real-or-random:
    ACK ef9fe95

Tree-SHA512: 4e8ce1232fcb581fa4700da75e5f63ff3da359416e5c5c1966f6aae079219fd697554db03d0b1729ea62cca42aae74bd36621a85d6ec7e4ee18e2c20b879cfa6

…n stable)" GitHub Actions job

e10878f ci, gha: Drop `driver-opts.network` input for `setup-buildx-action` (Hennadii Stepanov)
4ad4914 ci, gha: Add `retry_builder` Docker image builder (Hennadii Stepanov)
6617a62 ci: Remove "x86_64: Linux (Debian stable)" task from Cirrus CI (Hennadii Stepanov)
03c9e65 ci, gha: Add "x86_64: Linux (Debian stable)" GitHub Actions job (Hennadii Stepanov)
ad3e65d ci: Remove GCC build files and sage to reduce size of Docker image (Tim Ruffing)

Pull request description:

  Solves one item in bitcoin-core/secp256k1#1392 partially.

ACKs for top commit:
  real-or-random:
    ACK e10878f

Tree-SHA512: 1e685b1a6a41b4be97b9b5bb0fe546c3f1f7daac9374146ca05ab29803d5945a038294ce3ab77489bd971ffce9789ece722e0e0f268b6a7e6483a3aa782d532d

…s from Cirrus CI to GitHub Actions

fc3dea2 ci: Move "ppc64le: Linux..." from Cirrus to GitHub Actions (Hennadii Stepanov)
7782dc8 ci: Move "ARM64: Linux..." from Cirrus to GitHub Actions (Hennadii Stepanov)
0a16de6 ci: Move "ARM32: Linux..." from Cirrus to GitHub Actions (Hennadii Stepanov)
ea33914 ci: Move "s390x (big-endian): Linux..." from Cirrus to GitHub Actions (Hennadii Stepanov)
880be8a ci: Move "i686: Linux (Debian stable)" from Cirrus to GiHub Actions (Hennadii Stepanov)

Pull request description:

  Move more non-x86_64 tasks from Cirrus CI to GitHub Actions.

  Solves one item in bitcoin-core/secp256k1#1392 partially.

ACKs for top commit:
  real-or-random:
    ACK fc3dea2 but still waiting for Cirrus

Tree-SHA512: 9a910b3ee500aa34fc4db827f8b2a50bcfb637a9e59f4ad32545634772b397ce80b31a18723f4605dc42aa19a5632292943102099f7720f87de1da454da068b0

Otherwise, any previously pending workflow will be canceled on the
following push.

…sts only

ee1be62 ci: Use concurrency for pull requests only (Hennadii Stepanov)

Pull request description:

  This PR is an amendment for bitcoin-core/secp256k1#1403.

  It avoids skipping builds when some pushes were done consequentially.

  From GitHub Actions [docs](https://docs.github.com/en/actions/using-jobs/using-concurrency):

  > When a concurrent ... workflow is queued, if another ... workflow using the same concurrency group in the repository is in progress, the queued ... workflow will be pending. **Any previously pending ... workflow in the concurrency group will be canceled.**

  No behavior change for pull requests.

  Same as bitcoin/bitcoin#28322.

ACKs for top commit:
  real-or-random:
    ACK ee1be62

Tree-SHA512: ce26378c3224a7647eb3b351d19e9308650ad49b933a68d37a0eca8516767a63f55580a33b02864caa539392c9aab0b4b54ecbace85bea6082bf533539a37c9c

… to GitHub Actions

676ed8f ci: Move "C++ (public headers)" from Cirrus to GitHub Actions (Hennadii Stepanov)
61fc3a2 ci: Move "C++ -fpermissive..." from Cirrus to GitHub Actions (Hennadii Stepanov)
d51fb0a ci: Move "MSan" from Cirrus to GitHub Actions (Hennadii Stepanov)
c22ac27 ci: Move sanitizers task from Cirrus to GitHub Actions (Hennadii Stepanov)

Pull request description:

  This PR concludes the migration from Cirrus CI to GitHub Actions.

ACKs for top commit:
  real-or-random:
    ACK 676ed8f

Tree-SHA512: d8ea91a20297ff4c2c11a02c0a52f19413fde442c71e2e8b660737c09d62e55e4ae3f9bdbdeb0d967f6720a3dffa1566b7f94e0e32bcd490ac052819d5427c84

…fault one

cce0456 ci: Make repetitive command the default one (Hennadii Stepanov)
317a4c4 ci: Move `git config ...` to `run-in-docker-action` (Hennadii Stepanov)

Pull request description:

  This PR addresses the bitcoin-core/secp256k1#1409 (comment):
  > couldn't we add this to `run-in-docker-action` to avoid duplication?

ACKs for top commit:
  real-or-random:
    ACK cce0456

Tree-SHA512: 793cec3d99853a23e06680fe35a7cae2dc8771f22e3940c4a4f36357273164f2d92e196768118d146e956ffca9ef59d4e5f86e1cba5576ebfdc59343581c9924

…onterey and add Valgrind

c223d7e ci: Switch macOS from Ventura to Monterey and add Valgrind (Hennadii Stepanov)

Pull request description:

  This PR switches the macOS native job from Ventura to Monterey, which allows to support Valgrind.

  Both runners--`macos-12` and `macos-13`--have the same clang compilers installed:
  - https://github.com/actions/runner-images/blob/main/images/macos/macos-12-Readme.md
  - https://github.com/actions/runner-images/blob/main/images/macos/macos-13-Readme.md

  But Valgrind works fine on macOS Monterey, but not on Ventura.

  See: bitcoin-core/secp256k1#1392 (comment).

  The Homebrew's Valgrind package is cached once it has been built (as it was before bitcoin-core/secp256k1#1152). Therefore, the `actions/cache@*` action is needed to be added to the list of the allowed actions.

  bitcoin-core/secp256k1#1412 (comment):
  > By the way, this solves #1151.

ACKs for top commit:
  real-or-random:
    ACK c223d7e I tested that a cttest failure makes CI fail: https://github.com/real-or-random/secp256k1/actions/runs/6010365844

Tree-SHA512: 5e72d89fd4d82acbda8adeda7106db0dad85162cca03abe8eae9a40393997ba36a84ad7b12c4b32aec5e9230f275738ef12169994cd530952e2b0b963449b231

This commit switches to a new strategy to make sure we're installing the
most recent LLVM packages. Before this commit, we used the unversioned
LLVM packages (e.g., `clang` instead of `clang-18`), which are supposed
to provide the latest snapshot, but this is broken for arm64 [1],
which we want to add in a later PR.

Anyway, the new approach is cleaner because it does not require us to
fiddle with the installed `clang` package by removing a symlink.

[1] llvm/llvm-project#64790

Co-authored-by: Hennadii Stepanov <[email protected]>

The underlying issue does not affect our CI hosts, but is an issue on my
development machine (Arch Linux). In particular, this affects the vanilla
configuration of Docker on systemd, which has effectively no limit:
https://github.com/docker/packaging/blob/11400a3f5a20f2e3eecc3e6347a2ad9ce41278c7/pkg/docker-engine/common/systemd/docker.service#L31

I hope this saves future generations some precious hours of their life.

 - No need to have wget installed
 - Clean up rm -rf /var/lib/apt/lists/, see
   https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#apt-get

…ang and clang-snapshot

2635068 ci/gha: Let MSan continue checking after errors in all jobs (Tim Ruffing)
e78c7b6 ci/Dockerfile: Reduce size of Docker image further (Tim Ruffing)
2f0d3bb ci/Dockerfile: Warn if `ulimit -n` is too high when running Docker (Tim Ruffing)
4b8a647 ci/gha: Add ARM64 QEMU jobs for clang and clang-snapshot (Tim Ruffing)
6ebe7d2 ci/Dockerfile: Always use versioned clang packages (Tim Ruffing)

Pull request description:

  Solves one item in bitcoin-core/secp256k1#1392.

  This PR also has a few tweaks to the Dockerfile, see individual commits.

  ---

  I'll follow up soon with a PR for ARM64/gcc. This will rely on Cirrus CI.

ACKs for top commit:
  hebasto:
    ACK 2635068.

Tree-SHA512: d290bdd8e8e2a2a2b6ccb1b25ecdc9662c51dab745068a98044b9abed75232d13cb9d2ddc2c63c908dcff6a12317f0c7a35db3288c57bc3b814793f7fce059fd

This test tested whether setting the callback works correctly which should be
tested in the context tests.

The new job runs checks outlined in the `doc/release-process.md`.

8659a01 ci: Add `release` job (Hennadii Stepanov)
f9b3889 ci: Update `actions/checkout` version (Hennadii Stepanov)

Pull request description:

  This PR introduces a new "Release" job that conducts sanity checks as defined in [`doc/release-process.md`](https://github.com/bitcoin-core/secp256k1/blob/master/doc/release-process.md#sanity-checks).

ACKs for top commit:
  sipa:
    ACK 8659a01
  real-or-random:
    ACK 8659a01

Tree-SHA512: 84e03fa07f8c41aec0f6d1ccb4ac3643e85d370ef7e388b335365deadb555f2d9ef7e5d80e1255a18e790a774e04ca66f265b9441402b183d4c535a97688f20f

Co-authored-by: Tim Ruffing <[email protected]>

This commit also explicitly initializes shortpubkey. For some reason, removing
surrounding, unrelated lines results in gcc warnings when configured with
--enable-ctime-tests=no --with-valgrind=no.

1633980 release: Prepare for 0.4.0 (Tim Ruffing)
d9a8506 changelog: Catch up in preparation of release (Tim Ruffing)

Pull request description:

ACKs for top commit:
  hebasto:
    re-ACK 1633980.
  sipa:
    ACK 1633980
  jonasnick:
    ACK 1633980

Tree-SHA512: 9b29edc8beece44cb8456de9844bf22e13f41b43bb5567b3f37dcbdcb7cd5ca6a976a0f805973ddfa7666509aa452247a4d8297e3cfb362acaf4f0fa942daa21