From 40cda51142296120fd4952b8c3baa866a0e4dab9 Mon Sep 17 00:00:00 2001
From: forbes
Date: Tue, 3 Feb 2026 17:57:53 -0600
Subject: [PATCH] ci: install internal CA from IPA instead of skipping SSL verification

Fetches the Kindred CA cert from ipa.kindred.internal and installs it into the system trust store before checkout. Removes GIT_SSL_NO_VERIFY.
---
 .gitea/workflows/ci.yaml | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)
diff --git a/.gitea/workflows/ci.yaml b/.gitea/workflows/ci.yaml
index efecf3c..ba51099 100644
--- a/.gitea/workflows/ci.yaml
+++ b/.gitea/workflows/ci.yaml
@@ -26,7 +26,6 @@ on:
 env:
 PIP_CACHE_DIR: /tmp/pip-cache-solver
 TORCH_INDEX: https://download.pytorch.org/whl/cpu
- GIT_SSL_NO_VERIFY: "true"
 jobs:
 # ---------------------------------------------------------------------------
@@ -35,6 +34,12 @@ jobs:
 lint:
 runs-on: ubuntu-latest
 steps:
+ - name: Trust internal CA
+ run: |
+ curl -sk https://ipa.kindred.internal/ipa/config/ca.crt \
+ -o /usr/local/share/ca-certificates/kindred-internal.crt
+ update-ca-certificates
+
 - name: Checkout
 uses: https://github.com/actions/checkout@v4
@@ -54,6 +59,12 @@ jobs:
 type-check:
 runs-on: ubuntu-latest
 steps:
+ - name: Trust internal CA
+ run: |
+ curl -sk https://ipa.kindred.internal/ipa/config/ca.crt \
+ -o /usr/local/share/ca-certificates/kindred-internal.crt
+ update-ca-certificates
+
 - name: Checkout
 uses: https://github.com/actions/checkout@v4
@@ -75,6 +86,12 @@ jobs:
 test:
 runs-on: ubuntu-latest
 steps:
+ - name: Trust internal CA
+ run: |
+ curl -sk https://ipa.kindred.internal/ipa/config/ca.crt \
+ -o /usr/local/share/ca-certificates/kindred-internal.crt
+ update-ca-certificates
+
 - name: Checkout
 uses: https://github.com/actions/checkout@v4
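Review bot: In the lint job's new "Trust internal CA" step, `curl -sk` downloads the CA certificate with TLS verification switched off, so the file that gets installed into the system trust store is itself unauthenticated. Anything able to sit between the runner and ipa.kindred.internal could hand back a different CA, and every later TLS connection in the job would then trust it. The same step is repeated in the type-check and test jobs and in the hunk at `@@ -99,6 +116,12 @@`. Verify a pinned SHA-256 of ca.crt before installing it, and use `-fsS` so an HTTP error fails the step instead of writing an error page into the .crt file. The digest below is a placeholder for the value obtained out of band.

```yaml
      - name: Trust internal CA
        env:
          # Placeholder: SHA-256 of ca.crt, obtained out of band
          KINDRED_CA_SHA256: "<PINNED_SHA256_OF_CA_CRT>"
        run: |
          set -eu
          # -k is acceptable only because the digest check below authenticates the file
          curl -fsSk https://ipa.kindred.internal/ipa/config/ca.crt \
            -o /tmp/kindred-internal.crt
          echo "${KINDRED_CA_SHA256}  /tmp/kindred-internal.crt" | sha256sum -c -
          install -m 0644 /tmp/kindred-internal.crt \
            /usr/local/share/ca-certificates/kindred-internal.crt
          update-ca-certificates
```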
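Review bot: The "Trust internal CA" step added to the type-check job has no comment explaining why it must sit ahead of Checkout, and the identical script now lives in four jobs, so a later edit can fix one copy and miss the others. A comment above the step would help, for example `# Must run before Checkout; keep in sync with the same step in lint, test and the main-branch job.` If the team controls the runner image, installing the CA there once would remove the duplication. That is only a suggestion, since the runner setup is not visible in this patch.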
@@ -99,6 +116,12 @@ jobs:
 (github.event_name == 'push' && github.ref == 'refs/heads/main')
 needs: [test]
 steps:
+ - name: Trust internal CA
+ run: |
+ curl -sk https://ipa.kindred.internal/ipa/config/ca.crt \
+ -o /usr/local/share/ca-certificates/kindred-internal.crt
+ update-ca-certificates
+
 - name: Checkout
 uses: https://github.com/actions/checkout@v4
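Review bot: Calling `update-ca-certificates` in this job makes the internal CA trusted for every TLS connection the job opens, not only the clone. This job runs only for pushes to main after `needs: [test]`, so it presumably handles build or release output, but the rest of the job lies outside the hunk. If git is the only client that needs the CA, a narrower option is to keep the file out of the system store and set `GIT_SSL_CAINFO: /path/to/kindred-internal.crt` at job level. Whether the checkout action on this runner honours that variable should be confirmed before switching.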