From 44b9b4e8df3a3fddb1dee7b6c7ee11d4efdbd877 Mon Sep 17 00:00:00 2001
From: forbes-0023 <joseph.forbes@kindred-systems.com>
Date: Mon, 9 Feb 2026 12:59:21 -0600
Subject: [PATCH] fix: set NODE_EXTRA_CA_CERTS for artifact upload/download
 actions

Node.js actions (checkout, cache, upload-artifact, download-artifact)
use their own TLS stack and don't trust the system CA store. Setting
NODE_EXTRA_CA_CERTS points Node to the system bundle which includes
the Cloudflare origin CA.
---
 .gitea/workflows/build.yml   | 1 +
 .gitea/workflows/release.yml | 2 ++
 2 files changed, 3 insertions(+)

diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index cd65e72532..f9e239d263 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -20,6 +20,7 @@ jobs:
       CCACHE_SLOPPINESS: "include_file_ctime,include_file_mtime,pch_defines,time_macros"
       CCACHE_BASEDIR: ${{ github.workspace }}
       DEBIAN_FRONTEND: noninteractive
+      NODE_EXTRA_CA_CERTS: /etc/ssl/certs/ca-certificates.crt
 
     steps:
       - name: Trust Cloudflare origin CA
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 7a42021948..cea4cd4c16 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -29,6 +29,7 @@ jobs:
       CFLAGS: "-O3"
       CXXFLAGS: "-O3"
       DEBIAN_FRONTEND: noninteractive
+      NODE_EXTRA_CA_CERTS: /etc/ssl/certs/ca-certificates.crt
 
     steps:
       - name: Trust Cloudflare origin CA
@@ -323,6 +324,7 @@ jobs:
 
     env:
       BUILD_TAG: ${{ github.ref_name || inputs.tag }}
+      NODE_EXTRA_CA_CERTS: /etc/ssl/certs/ca-certificates.crt
 
     steps:
       - name: Trust Cloudflare origin CA