From 0d631b5c91d1190f36fdecf179a37a68b4b137ec Mon Sep 17 00:00:00 2001
From: forbes
Date: Wed, 28 Jan 2026 09:50:45 -0600
Subject: [PATCH] CI: Add FreeIPA CA certificate trust for artifact uploads

- Download and verify FreeIPA CA cert at job start
- Install cert to system trust store
- Set NODE_EXTRA_CA_CERTS for Node.js actions
- Test SSL connection to Gitea before proceeding
- Restore artifact upload step now that SSL should work
---
 .gitea/workflows/build.yml | 24 ++++++++++++++++++++++++
 .gitea/workflows/release.yml | 24 ++++++++++++++++++++++++
 2 files changed, 48 insertions(+)

diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index 852c0ae851..dfb686483f 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -20,6 +20,30 @@ jobs:
 CCACHE_SLOPPINESS: "include_file_ctime,include_file_mtime,pch_defines,time_macros"
 steps:
+ - name: Trust FreeIPA CA certificate
+ shell: bash
+ run: |
+ # Download and install the FreeIPA CA certificate for SSL verification
+ echo "Downloading FreeIPA CA certificate..."
+ curl -fsSL -o /tmp/ipa-ca.crt https://ipa.kindred.internal/ipa/config/ca.crt
+
+ # Verify the certificate is valid
+ echo "Verifying certificate..."
+ openssl x509 -in /tmp/ipa-ca.crt -text -noout | head -20
+
+ # Install to system trust store
+ sudo cp /tmp/ipa-ca.crt /usr/local/share/ca-certificates/ipa-ca.crt
+ sudo update-ca-certificates
+
+ # Set NODE_EXTRA_CA_CERTS for Node.js-based actions
+ echo "NODE_EXTRA_CA_CERTS=/tmp/ipa-ca.crt" >> $GITHUB_ENV
+
+ # Verify SSL connection to Gitea works
+ echo "Testing SSL connection to Gitea..."
+ curl -fsSL --cacert /tmp/ipa-ca.crt https://gitea.kindred.internal/api/v1/version
+ echo ""
+ echo "SSL certificate setup complete"
+
 - name: Install node if needed
 shell: bash
 run: |
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 1718ad5bf2..55e0fdb9e9 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
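Review bot: The "Verifying certificate..." step in the build.yml hunk only prints the first 20 lines of `openssl x509 -text`, which shows that the file parses as a certificate but not that it is the expected FreeIPA CA, and the next two lines install it as a system-wide trust root with sudo. Whatever `https://ipa.kindred.internal/ipa/config/ca.crt` returns at job time therefore decides what the runner trusts, and that download presumably only succeeds if the runner already has a trust path to the IPA host. Compare the certificate's SHA-256 fingerprint with a value pinned in the repository or runner configuration and fail the step on mismatch, or ship the CA file in the runner image instead of fetching it. The identical step added to release.yml has the same gap, and it matters more there, where the job presumably publishes release artifacts.

```yaml
        run: |
          # … unchanged: download of /tmp/ipa-ca.crt …

          # Refuse to install anything but the expected CA.
          # Placeholder value: pin the real fingerprint out of band.
          expected_fp="<PINNED_SHA256_FINGERPRINT>"
          actual_fp="$(openssl x509 -in /tmp/ipa-ca.crt -noout -fingerprint -sha256 | cut -d= -f2)"
          if [ "$actual_fp" != "$expected_fp" ]; then
            echo "FreeIPA CA fingerprint mismatch: $actual_fp" >&2
            exit 1
          fi

          # … unchanged: trust-store install, NODE_EXTRA_CA_CERTS, Gitea check …
```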
@@ -28,6 +28,30 @@ jobs:
 CXXFLAGS: "-march=x86-64-v3 -O3"
 steps:
+ - name: Trust FreeIPA CA certificate
+ shell: bash
+ run: |
+ # Download and install the FreeIPA CA certificate for SSL verification
+ echo "Downloading FreeIPA CA certificate..."
+ curl -fsSL -o /tmp/ipa-ca.crt https://ipa.kindred.internal/ipa/config/ca.crt
+
+ # Verify the certificate is valid
+ echo "Verifying certificate..."
+ openssl x509 -in /tmp/ipa-ca.crt -text -noout | head -20
+
+ # Install to system trust store
+ sudo cp /tmp/ipa-ca.crt /usr/local/share/ca-certificates/ipa-ca.crt
+ sudo update-ca-certificates
+
+ # Set NODE_EXTRA_CA_CERTS for Node.js-based actions
+ echo "NODE_EXTRA_CA_CERTS=/tmp/ipa-ca.crt" >> $GITHUB_ENV
+
+ # Verify SSL connection to Gitea works
+ echo "Testing SSL connection to Gitea..."
+ curl -fsSL --cacert /tmp/ipa-ca.crt https://gitea.kindred.internal/api/v1/version
+ echo ""
+ echo "SSL certificate setup complete"
+
 - name: Install node if needed
 shell: bash
 run: |
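Review bot: `NODE_EXTRA_CA_CERTS` in the release.yml hunk is set to `/tmp/ipa-ca.crt`, a fixed file name in a world-writable directory, so every later Node.js-based action trusts whatever is at that path when it starts rather than the file this step installed. On a runner that is reused or shared between jobs (not visible from the hunk) that file can be replaced or pre-created by another process. Point the variable at the root-owned copy written two lines earlier, `echo "NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/ipa-ca.crt" >> "$GITHUB_ENV"`, which also quotes `$GITHUB_ENV`. The same line appears in the build.yml hunk.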