From 65db9ce93c04b1ce829d78ae0671eeeedfed4952 Mon Sep 17 00:00:00 2001
From: forbes
Date: Wed, 28 Jan 2026 10:01:53 -0600
Subject: [PATCH] CI: Remove sudo commands from certificate setup

- Skip system trust store installation (requires sudo)
- Rely on NODE_EXTRA_CA_CERTS for Node.js actions
- Use --cacert for curl verification
---
 .gitea/workflows/build.yml | 10 +++-------
 .gitea/workflows/release.yml | 10 +++-------
 2 files changed, 6 insertions(+), 14 deletions(-)

diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index d9af8c02ed..75a0dfb152 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -31,16 +31,12 @@ jobs:
 echo "Verifying certificate..."
 openssl x509 -in /tmp/ipa-ca.crt -subject -dates -noout
- # Install to system trust store
- sudo cp /tmp/ipa-ca.crt /usr/local/share/ca-certificates/ipa-ca.crt
- sudo update-ca-certificates
-
- # Set NODE_EXTRA_CA_CERTS for Node.js-based actions
+ # Set NODE_EXTRA_CA_CERTS for Node.js-based actions (used by upload-artifact)
 echo "NODE_EXTRA_CA_CERTS=/tmp/ipa-ca.crt" >> $GITHUB_ENV
- # Verify SSL connection to Gitea works
+ # Verify SSL connection to Gitea works with the CA cert
 echo "Testing SSL connection to Gitea..."
- curl -fsSL https://gitea.kindred.internal/api/v1/version
+ curl -fsSL --cacert /tmp/ipa-ca.crt https://gitea.kindred.internal/api/v1/version
 echo ""
 echo "SSL certificate setup complete"
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index c3047fa971..674933509b 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
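Review bot: With the system trust store no longer updated, `/tmp/ipa-ca.crt` becomes the only trust anchor for the curl check and, through `NODE_EXTRA_CA_CERTS`, for every Node-based action, yet the one check on it in this hunk, `openssl x509 -in /tmp/ipa-ca.crt -subject -dates -noout`, only prints the subject and validity dates and authenticates nothing. The step's script starts above the hunk, so how the file is obtained is not visible; if it is fetched at job time, the `--cacert` test only shows that the server matches whatever was fetched. Consider pinning the CA before it is exported, e.g. `openssl x509 -in /tmp/ipa-ca.crt -noout -fingerprint -sha256 | grep -qiF "$IPA_CA_SHA256" || exit 1`, where `IPA_CA_SHA256` is a placeholder for a fingerprint kept outside the job. The identical hunk in `.gitea/workflows/release.yml` needs the same check, and because tools other than Node and this one curl call no longer trust the internal CA, later steps should pass the CA file explicitly rather than switch verification off.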
@@ -39,16 +39,12 @@ jobs:
 echo "Verifying certificate..."
 openssl x509 -in /tmp/ipa-ca.crt -subject -dates -noout
- # Install to system trust store
- sudo cp /tmp/ipa-ca.crt /usr/local/share/ca-certificates/ipa-ca.crt
- sudo update-ca-certificates
-
- # Set NODE_EXTRA_CA_CERTS for Node.js-based actions
+ # Set NODE_EXTRA_CA_CERTS for Node.js-based actions (used by upload-artifact)
 echo "NODE_EXTRA_CA_CERTS=/tmp/ipa-ca.crt" >> $GITHUB_ENV
- # Verify SSL connection to Gitea works
+ # Verify SSL connection to Gitea works with the CA cert
 echo "Testing SSL connection to Gitea..."
- curl -fsSL https://gitea.kindred.internal/api/v1/version
+ curl -fsSL --cacert /tmp/ipa-ca.crt https://gitea.kindred.internal/api/v1/version
 echo ""
 echo "SSL certificate setup complete"