From c6c5f3c8dd1b0e39a5fcefbc47e601b70dd4f034 Mon Sep 17 00:00:00 2001
From: Ilia Denisov
Date: Wed, 13 May 2026 23:43:51 +0200
Subject: [PATCH] ci: skip TLS verify for actions/checkout on LAN Gitea
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The Gitea host serves https://gitea.iliadenisov.ru with a cert signed by host-Caddy's internal CA, which the runner-image's CA bundle does not trust. actions/checkout@v4 fails on `git fetch` as a result, so every workflow on gitea.lan has been failing — visible only now that we made gitea.lan the primary CI target. Sets GIT_SSL_NO_VERIFY=true on every workflow as a quick fix. Safe in practice because both endpoints sit on the same LAN. The long-term fix is to bake the Caddy root CA into the runner image and drop this env.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
.gitea/workflows/dev-deploy.yaml | 6 ++++++
.gitea/workflows/go-unit.yaml | 9 +++++++++
.gitea/workflows/integration.yaml | 6 ++++++
.gitea/workflows/prod-build.yaml | 6 ++++++
.gitea/workflows/ui-test.yaml | 6 ++++++
5 files changed, 33 insertions(+)
diff --git a/.gitea/workflows/dev-deploy.yaml b/.gitea/workflows/dev-deploy.yaml
index 91f7dce..13c4a92 100644
--- a/.gitea/workflows/dev-deploy.yaml
+++ b/.gitea/workflows/dev-deploy.yaml
@@ -24,6 +24,12 @@ on:
 - '.gitea/workflows/dev-deploy.yaml'
 - '!**/*.md'
+env:
+ # See go-unit.yaml for the rationale; this disables TLS verify for
+ # actions/checkout against the LAN Gitea host signed by host-Caddy's
+ # internal CA.
+ GIT_SSL_NO_VERIFY: "true"
+
 jobs:
 deploy:
 runs-on: ubuntu-latest
diff --git a/.gitea/workflows/go-unit.yaml b/.gitea/workflows/go-unit.yaml
index c33d1dd..200d15b 100644
--- a/.gitea/workflows/go-unit.yaml
+++ b/.gitea/workflows/go-unit.yaml
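Review bot: `GIT_SSL_NO_VERIFY: "true"` under the workflow-level `env:` disables certificate verification for every git invocation in every step of the workflow, not only the actions/checkout fetch the comment describes, and the same block is repeated in go-unit.yaml, integration.yaml, prod-build.yaml and ui-test.yaml. For dev-deploy and prod-build this means the source that gets built and shipped is fetched with no server authentication, so "same LAN" is a weaker guarantee than the commit message suggests — whatever answers for gitea.iliadenisov.ru on that network is trusted. The narrowest interim fix keeps verification on and only adds the missing trust anchor: mount the Caddy root CA into the runner and set `GIT_SSL_CAINFO: <path-to-caddy-root-ca.pem>` (placeholder path) in place of `GIT_SSL_NO_VERIFY`; if the CA cannot be mounted yet, at least move the variable onto the checkout step (`- uses: actions/checkout@v4` / `env:` / `GIT_SSL_NO_VERIFY: "true"`) so later steps keep verifying. The checkout step itself is below this hunk, outside the visible lines, and the comment should state that the variable affects all git calls in the job rather than actions/checkout alone.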
@@ -30,6 +30,15 @@ on:
 - '.gitea/workflows/go-unit.yaml'
 - '!**/*.md'
+env:
+ # The Gitea host serves https://gitea.iliadenisov.ru with a cert
+ # signed by host-Caddy's internal CA. The runner-image's CA bundle
+ # does not include that root, so actions/checkout fails on `git
+ # fetch`. Disabling SSL verify is acceptable for this LAN-only
+ # infrastructure; the long-term fix is to mount the Caddy root CA
+ # into the runner image.
+ GIT_SSL_NO_VERIFY: "true"
+
 jobs:
 test:
 runs-on: ubuntu-latest
diff --git a/.gitea/workflows/integration.yaml b/.gitea/workflows/integration.yaml
index 1f94fa8..240f244 100644
--- a/.gitea/workflows/integration.yaml
+++ b/.gitea/workflows/integration.yaml
@@ -37,6 +37,12 @@ on:
 - '.gitea/workflows/integration.yaml'
 - '!**/*.md'
+env:
+ # See go-unit.yaml for the rationale; this disables TLS verify for
+ # actions/checkout against the LAN Gitea host signed by host-Caddy's
+ # internal CA.
+ GIT_SSL_NO_VERIFY: "true"
+
 jobs:
 integration:
 runs-on: ubuntu-latest
diff --git a/.gitea/workflows/prod-build.yaml b/.gitea/workflows/prod-build.yaml
index 8018625..f511e81 100644
--- a/.gitea/workflows/prod-build.yaml
+++ b/.gitea/workflows/prod-build.yaml
@@ -21,6 +21,12 @@ on:
 - '.gitea/workflows/prod-build.yaml'
 - '!**/*.md'
+env:
+ # See go-unit.yaml for the rationale; this disables TLS verify for
+ # actions/checkout against the LAN Gitea host signed by host-Caddy's
+ # internal CA.
+ GIT_SSL_NO_VERIFY: "true"
+
 jobs:
 build:
 runs-on: ubuntu-latest
diff --git a/.gitea/workflows/ui-test.yaml b/.gitea/workflows/ui-test.yaml
index 6c923aa..5eff4ff 100644
--- a/.gitea/workflows/ui-test.yaml
+++ b/.gitea/workflows/ui-test.yaml
@@ -16,6 +16,12 @@ on:
 - '.gitea/workflows/ui-test.yaml'
 - '!**/*.md'
+env:
+ # See go-unit.yaml for the rationale; this disables TLS verify for
+ # actions/checkout against the LAN Gitea host signed by host-Caddy's
+ # internal CA.
+ GIT_SSL_NO_VERIFY: "true"
+
 jobs:
 test:
 runs-on: ubuntu-latest