From 4a88b24f4bc56aa74c7b6b119664e793893079ff Mon Sep 17 00:00:00 2001
From: Ilia Denisov
Date: Thu, 14 May 2026 01:04:11 +0200
Subject: [PATCH] ci: drop GIT_SSL_NO_VERIFY now that runner is host-mode

The act_runner now executes jobs natively on the host (no per-job container), so actions/checkout uses the host's system CA store, which already trusts the host-Caddy root CA. The workaround that disabled TLS verification for `git fetch` is no longer needed and just hides legitimate cert issues if they ever appear.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .gitea/workflows/dev-deploy.yaml | 6 ------
 .gitea/workflows/go-unit.yaml | 9 ---------
 .gitea/workflows/integration.yaml | 6 ------
 .gitea/workflows/prod-build.yaml | 6 ------
 .gitea/workflows/ui-test.yaml | 6 ------
 5 files changed, 33 deletions(-)

diff --git a/.gitea/workflows/dev-deploy.yaml b/.gitea/workflows/dev-deploy.yaml
index 8337022..0ebf15f 100644
--- a/.gitea/workflows/dev-deploy.yaml
+++ b/.gitea/workflows/dev-deploy.yaml
@@ -24,12 +24,6 @@ on:
 - '.gitea/workflows/dev-deploy.yaml'
 - '!**/*.md'
-env:
- # See go-unit.yaml for the rationale; this disables TLS verify for
- # actions/checkout against the LAN Gitea host signed by host-Caddy's
- # internal CA.
- GIT_SSL_NO_VERIFY: "true"
-
 jobs:
 deploy:
 runs-on: ubuntu-latest
diff --git a/.gitea/workflows/go-unit.yaml b/.gitea/workflows/go-unit.yaml
index 7c2c10a..b961d6a 100644
--- a/.gitea/workflows/go-unit.yaml
+++ b/.gitea/workflows/go-unit.yaml
@@ -30,15 +30,6 @@ on:
 - '.gitea/workflows/go-unit.yaml'
 - '!**/*.md'
-env:
- # The Gitea host serves https://gitea.iliadenisov.ru with a cert
- # signed by host-Caddy's internal CA. The runner-image's CA bundle
- # does not include that root, so actions/checkout fails on `git
- # fetch`. Disabling SSL verify is acceptable for this LAN-only
- # infrastructure; the long-term fix is to mount the Caddy root CA
- # into the runner image.
- GIT_SSL_NO_VERIFY: "true"
-
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.gitea/workflows/integration.yaml b/.gitea/workflows/integration.yaml
index dcdceec..85d61cd 100644
--- a/.gitea/workflows/integration.yaml
+++ b/.gitea/workflows/integration.yaml
@@ -37,12 +37,6 @@ on:
 - '.gitea/workflows/integration.yaml'
 - '!**/*.md'
-env:
- # See go-unit.yaml for the rationale; this disables TLS verify for
- # actions/checkout against the LAN Gitea host signed by host-Caddy's
- # internal CA.
- GIT_SSL_NO_VERIFY: "true"
-
 jobs:
 integration:
 runs-on: ubuntu-latest
diff --git a/.gitea/workflows/prod-build.yaml b/.gitea/workflows/prod-build.yaml
index fd4aa71..4e54788 100644
--- a/.gitea/workflows/prod-build.yaml
+++ b/.gitea/workflows/prod-build.yaml
@@ -21,12 +21,6 @@ on:
 - '.gitea/workflows/prod-build.yaml'
 - '!**/*.md'
-env:
- # See go-unit.yaml for the rationale; this disables TLS verify for
- # actions/checkout against the LAN Gitea host signed by host-Caddy's
- # internal CA.
- GIT_SSL_NO_VERIFY: "true"
-
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.gitea/workflows/ui-test.yaml b/.gitea/workflows/ui-test.yaml
index 93ee672..b064134 100644
--- a/.gitea/workflows/ui-test.yaml
+++ b/.gitea/workflows/ui-test.yaml
@@ -16,12 +16,6 @@ on:
 - '.gitea/workflows/ui-test.yaml'
 - '!**/*.md'
-env:
- # See go-unit.yaml for the rationale; this disables TLS verify for
- # actions/checkout against the LAN Gitea host signed by host-Caddy's
- # internal CA.
- GIT_SSL_NO_VERIFY: "true"
-
 jobs:
 test:
 runs-on: ubuntu-latest