CI: Add FreeIPA CA certificate trust for artifact uploads

- Download and verify FreeIPA CA cert at job start - Install cert to system trust store - Set NODE_EXTRA_CA_CERTS for Node.js actions - Test SSL connection to Gitea before proceeding - Restore artifact upload step now that SSL should work
2026-01-28 09:50:45 -06:00
parent e92762f8ec
commit 0d631b5c91
2 changed files with 48 additions and 0 deletions
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -20,6 +20,30 @@ jobs:
      CCACHE_SLOPPINESS: "include_file_ctime,include_file_mtime,pch_defines,time_macros"

    steps:
+      - name: Trust FreeIPA CA certificate
+        shell: bash
+        run: |
+          # Download and install the FreeIPA CA certificate for SSL verification
+          echo "Downloading FreeIPA CA certificate..."
+          curl -fsSL -o /tmp/ipa-ca.crt https://ipa.kindred.internal/ipa/config/ca.crt
+
+          # Verify the certificate is valid
+          echo "Verifying certificate..."
+          openssl x509 -in /tmp/ipa-ca.crt -text -noout | head -20
+
+          # Install to system trust store
+          sudo cp /tmp/ipa-ca.crt /usr/local/share/ca-certificates/ipa-ca.crt
+          sudo update-ca-certificates
+
+          # Set NODE_EXTRA_CA_CERTS for Node.js-based actions
+          echo "NODE_EXTRA_CA_CERTS=/tmp/ipa-ca.crt" >> $GITHUB_ENV
+
+          # Verify SSL connection to Gitea works
+          echo "Testing SSL connection to Gitea..."
+          curl -fsSL --cacert /tmp/ipa-ca.crt https://gitea.kindred.internal/api/v1/version
+          echo ""
+          echo "SSL certificate setup complete"
+
      - name: Install node if needed
        shell: bash
        run: |
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -28,6 +28,30 @@ jobs:
      CXXFLAGS: "-march=x86-64-v3 -O3"

    steps:
+      - name: Trust FreeIPA CA certificate
+        shell: bash
+        run: |
+          # Download and install the FreeIPA CA certificate for SSL verification
+          echo "Downloading FreeIPA CA certificate..."
+          curl -fsSL -o /tmp/ipa-ca.crt https://ipa.kindred.internal/ipa/config/ca.crt
+
+          # Verify the certificate is valid
+          echo "Verifying certificate..."
+          openssl x509 -in /tmp/ipa-ca.crt -text -noout | head -20
+
+          # Install to system trust store
+          sudo cp /tmp/ipa-ca.crt /usr/local/share/ca-certificates/ipa-ca.crt
+          sudo update-ca-certificates
+
+          # Set NODE_EXTRA_CA_CERTS for Node.js-based actions
+          echo "NODE_EXTRA_CA_CERTS=/tmp/ipa-ca.crt" >> $GITHUB_ENV
+
+          # Verify SSL connection to Gitea works
+          echo "Testing SSL connection to Gitea..."
+          curl -fsSL --cacert /tmp/ipa-ca.crt https://gitea.kindred.internal/api/v1/version
+          echo ""
+          echo "SSL certificate setup complete"
+
      - name: Install node if needed
        shell: bash
        run: |