diff --git a/.gitea/workflows/dev-deploy.yaml b/.gitea/workflows/dev-deploy.yaml
index 91f7dce..13c4a92 100644
--- a/.gitea/workflows/dev-deploy.yaml
+++ b/.gitea/workflows/dev-deploy.yaml
@@ -24,6 +24,12 @@ on:
       - '.gitea/workflows/dev-deploy.yaml'
       - '!**/*.md'
 
+env:
+  # See go-unit.yaml for the rationale; this disables TLS verify for
+  # actions/checkout against the LAN Gitea host signed by host-Caddy's
+  # internal CA.
+  GIT_SSL_NO_VERIFY: "true"
+
 jobs:
   deploy:
     runs-on: ubuntu-latest
diff --git a/.gitea/workflows/go-unit.yaml b/.gitea/workflows/go-unit.yaml
index c33d1dd..200d15b 100644
--- a/.gitea/workflows/go-unit.yaml
+++ b/.gitea/workflows/go-unit.yaml
@@ -30,6 +30,15 @@ on:
       - '.gitea/workflows/go-unit.yaml'
       - '!**/*.md'
 
+env:
+  # The Gitea host serves https://gitea.iliadenisov.ru with a cert
+  # signed by host-Caddy's internal CA. The runner-image's CA bundle
+  # does not include that root, so actions/checkout fails on `git
+  # fetch`. Disabling SSL verify is acceptable for this LAN-only
+  # infrastructure; the long-term fix is to mount the Caddy root CA
+  # into the runner image.
+  GIT_SSL_NO_VERIFY: "true"
+
 jobs:
   test:
     runs-on: ubuntu-latest
diff --git a/.gitea/workflows/integration.yaml b/.gitea/workflows/integration.yaml
index 1f94fa8..240f244 100644
--- a/.gitea/workflows/integration.yaml
+++ b/.gitea/workflows/integration.yaml
@@ -37,6 +37,12 @@ on:
       - '.gitea/workflows/integration.yaml'
       - '!**/*.md'
 
+env:
+  # See go-unit.yaml for the rationale; this disables TLS verify for
+  # actions/checkout against the LAN Gitea host signed by host-Caddy's
+  # internal CA.
+  GIT_SSL_NO_VERIFY: "true"
+
 jobs:
   integration:
     runs-on: ubuntu-latest
diff --git a/.gitea/workflows/prod-build.yaml b/.gitea/workflows/prod-build.yaml
index 8018625..f511e81 100644
--- a/.gitea/workflows/prod-build.yaml
+++ b/.gitea/workflows/prod-build.yaml
@@ -21,6 +21,12 @@ on:
       - '.gitea/workflows/prod-build.yaml'
       - '!**/*.md'
 
+env:
+  # See go-unit.yaml for the rationale; this disables TLS verify for
+  # actions/checkout against the LAN Gitea host signed by host-Caddy's
+  # internal CA.
+  GIT_SSL_NO_VERIFY: "true"
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/.gitea/workflows/ui-test.yaml b/.gitea/workflows/ui-test.yaml
index 6c923aa..5eff4ff 100644
--- a/.gitea/workflows/ui-test.yaml
+++ b/.gitea/workflows/ui-test.yaml
@@ -16,6 +16,12 @@ on:
       - '.gitea/workflows/ui-test.yaml'
       - '!**/*.md'
 
+env:
+  # See go-unit.yaml for the rationale; this disables TLS verify for
+  # actions/checkout against the LAN Gitea host signed by host-Caddy's
+  # internal CA.
+  GIT_SSL_NO_VERIFY: "true"
+
 jobs:
   test:
     runs-on: ubuntu-latest