.gitea/workflows/dev-deploy.yaml

@@ -24,6 +24,12 @@ on:
       - '.gitea/workflows/dev-deploy.yaml'
       - '!**/*.md'
 
+env:
+  # See go-unit.yaml for the rationale; this disables TLS verify for
+  # actions/checkout against the LAN Gitea host signed by host-Caddy's
+  # internal CA.
+  GIT_SSL_NO_VERIFY: "true"
+
 jobs:
   deploy:
     runs-on: ubuntu-latest

.gitea/workflows/go-unit.yaml

@@ -30,6 +30,15 @@ on:
       - '.gitea/workflows/go-unit.yaml'
       - '!**/*.md'
 
+env:
+  # The Gitea host serves https://gitea.iliadenisov.ru with a cert
+  # signed by host-Caddy's internal CA. The runner-image's CA bundle
+  # does not include that root, so actions/checkout fails on `git
+  # fetch`. Disabling SSL verify is acceptable for this LAN-only
+  # infrastructure; the long-term fix is to mount the Caddy root CA
+  # into the runner image.
+  GIT_SSL_NO_VERIFY: "true"
+
 jobs:
   test:
     runs-on: ubuntu-latest

.gitea/workflows/integration.yaml

@@ -37,6 +37,12 @@ on:
       - '.gitea/workflows/integration.yaml'
       - '!**/*.md'
 
+env:
+  # See go-unit.yaml for the rationale; this disables TLS verify for
+  # actions/checkout against the LAN Gitea host signed by host-Caddy's
+  # internal CA.
+  GIT_SSL_NO_VERIFY: "true"
+
 jobs:
   integration:
     runs-on: ubuntu-latest

.gitea/workflows/prod-build.yaml

@@ -21,6 +21,12 @@ on:
       - '.gitea/workflows/prod-build.yaml'
       - '!**/*.md'
 
+env:
+  # See go-unit.yaml for the rationale; this disables TLS verify for
+  # actions/checkout against the LAN Gitea host signed by host-Caddy's
+  # internal CA.
+  GIT_SSL_NO_VERIFY: "true"
+
 jobs:
   build:
     runs-on: ubuntu-latest

.gitea/workflows/ui-test.yaml

@@ -16,6 +16,12 @@ on:
       - '.gitea/workflows/ui-test.yaml'
       - '!**/*.md'
 
+env:
+  # See go-unit.yaml for the rationale; this disables TLS verify for
+  # actions/checkout against the LAN Gitea host signed by host-Caddy's
+  # internal CA.
+  GIT_SSL_NO_VERIFY: "true"
+
 jobs:
   test:
     runs-on: ubuntu-latest