developer/galaxy-game
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

ci: skip TLS verify for actions/checkout on LAN Gitea
go-unit / test (push) Successful in 2m28s
Details
go-unit / test (pull_request) Successful in 2m30s
Details
integration / integration (pull_request) Successful in 2m20s
Details
ui-test / test (push) Successful in 13m5s
Details
ui-test / test (pull_request) Successful in 14m31s
Details

Browse Source 
The Gitea host serves https://gitea.iliadenisov.ru with a cert signed
by host-Caddy's internal CA, which the runner-image's CA bundle does
not trust. actions/checkout@v4 fails on `git fetch` as a result, so
every workflow on gitea.lan has been failing — visible only now that
we made gitea.lan the primary CI target.

Sets GIT_SSL_NO_VERIFY=true on every workflow as a quick fix. Safe in
practice because both endpoints sit on the same LAN. The long-term
fix is to bake the Caddy root CA into the runner image and drop this
env.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Ilia Denisov
2026-05-13 23:43:51 +02:00
parent f00c8efd18
commit c6c5f3c8dd
5 changed files with 33 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/dev-deploy.yaml
+6
View File
@@ -24,6 +24,12 @@ on:
- '.gitea/workflows/dev-deploy.yaml' - '.gitea/workflows/dev-deploy.yaml'
- '!**/*.md' - '!**/*.md'
env:
# See go-unit.yaml for the rationale; this disables TLS verify for
# actions/checkout against the LAN Gitea host signed by host-Caddy's
# internal CA.
GIT_SSL_NO_VERIFY: "true"
jobs: jobs:
deploy: deploy:
runs-on: ubuntu-latest runs-on: ubuntu-latest
.gitea/workflows/go-unit.yaml
+9
View File
@@ -30,6 +30,15 @@ on:
- '.gitea/workflows/go-unit.yaml' - '.gitea/workflows/go-unit.yaml'
- '!**/*.md' - '!**/*.md'
env:
# The Gitea host serves https://gitea.iliadenisov.ru with a cert
# signed by host-Caddy's internal CA. The runner-image's CA bundle
# does not include that root, so actions/checkout fails on `git
# fetch`. Disabling SSL verify is acceptable for this LAN-only
# infrastructure; the long-term fix is to mount the Caddy root CA
# into the runner image.
GIT_SSL_NO_VERIFY: "true"
jobs: jobs:
test: test:
runs-on: ubuntu-latest runs-on: ubuntu-latest
.gitea/workflows/integration.yaml
+6
View File
@@ -37,6 +37,12 @@ on:
- '.gitea/workflows/integration.yaml' - '.gitea/workflows/integration.yaml'
- '!**/*.md' - '!**/*.md'
env:
# See go-unit.yaml for the rationale; this disables TLS verify for
# actions/checkout against the LAN Gitea host signed by host-Caddy's
# internal CA.
GIT_SSL_NO_VERIFY: "true"
jobs: jobs:
integration: integration:
runs-on: ubuntu-latest runs-on: ubuntu-latest
.gitea/workflows/prod-build.yaml
+6
View File
@@ -21,6 +21,12 @@ on:
- '.gitea/workflows/prod-build.yaml' - '.gitea/workflows/prod-build.yaml'
- '!**/*.md' - '!**/*.md'
env:
# See go-unit.yaml for the rationale; this disables TLS verify for
# actions/checkout against the LAN Gitea host signed by host-Caddy's
# internal CA.
GIT_SSL_NO_VERIFY: "true"
jobs: jobs:
build: build:
runs-on: ubuntu-latest runs-on: ubuntu-latest
.gitea/workflows/ui-test.yaml
+6
View File
@@ -16,6 +16,12 @@ on:
- '.gitea/workflows/ui-test.yaml' - '.gitea/workflows/ui-test.yaml'
- '!**/*.md' - '!**/*.md'
env:
# See go-unit.yaml for the rationale; this disables TLS verify for
# actions/checkout against the LAN Gitea host signed by host-Caddy's
# internal CA.
GIT_SSL_NO_VERIFY: "true"
jobs: jobs:
test: test:
runs-on: ubuntu-latest runs-on: ubuntu-latest