ci: drop GIT_SSL_NO_VERIFY now that runner is host-mode

The act_runner now executes jobs natively on the host (no per-job
container), so actions/checkout uses the host's system CA store,
which already trusts the host-Caddy root CA. The workaround that
disabled TLS verification for `git fetch` is no longer needed and
just hides legitimate cert issues if they ever appear.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.gitea/workflows/dev-deploy.yaml

@@ -24,12 +24,6 @@ on:
       - '.gitea/workflows/dev-deploy.yaml'
       - '!**/*.md'
 
-env:
-  # See go-unit.yaml for the rationale; this disables TLS verify for
-  # actions/checkout against the LAN Gitea host signed by host-Caddy's
-  # internal CA.
-  GIT_SSL_NO_VERIFY: "true"
-
 jobs:
   deploy:
     runs-on: ubuntu-latest

.gitea/workflows/go-unit.yaml

@@ -30,15 +30,6 @@ on:
       - '.gitea/workflows/go-unit.yaml'
       - '!**/*.md'
 
-env:
-  # The Gitea host serves https://gitea.iliadenisov.ru with a cert
-  # signed by host-Caddy's internal CA. The runner-image's CA bundle
-  # does not include that root, so actions/checkout fails on `git
-  # fetch`. Disabling SSL verify is acceptable for this LAN-only
-  # infrastructure; the long-term fix is to mount the Caddy root CA
-  # into the runner image.
-  GIT_SSL_NO_VERIFY: "true"
-
 jobs:
   test:
     runs-on: ubuntu-latest

.gitea/workflows/integration.yaml

@@ -37,12 +37,6 @@ on:
       - '.gitea/workflows/integration.yaml'
       - '!**/*.md'
 
-env:
-  # See go-unit.yaml for the rationale; this disables TLS verify for
-  # actions/checkout against the LAN Gitea host signed by host-Caddy's
-  # internal CA.
-  GIT_SSL_NO_VERIFY: "true"
-
 jobs:
   integration:
     runs-on: ubuntu-latest

.gitea/workflows/prod-build.yaml

@@ -21,12 +21,6 @@ on:
       - '.gitea/workflows/prod-build.yaml'
       - '!**/*.md'
 
-env:
-  # See go-unit.yaml for the rationale; this disables TLS verify for
-  # actions/checkout against the LAN Gitea host signed by host-Caddy's
-  # internal CA.
-  GIT_SSL_NO_VERIFY: "true"
-
 jobs:
   build:
     runs-on: ubuntu-latest

.gitea/workflows/ui-test.yaml

@@ -16,12 +16,6 @@ on:
       - '.gitea/workflows/ui-test.yaml'
       - '!**/*.md'
 
-env:
-  # See go-unit.yaml for the rationale; this disables TLS verify for
-  # actions/checkout against the LAN Gitea host signed by host-Caddy's
-  # internal CA.
-  GIT_SSL_NO_VERIFY: "true"
-
 jobs:
   test:
     runs-on: ubuntu-latest