From e5c537a967781fbf0c11159d86d42d06e0aa9dea Mon Sep 17 00:00:00 2001
From: Gabriel Radureau
Date: Wed, 24 Jun 2026 11:22:54 +0200
Subject: [PATCH] fix(ci): run factory tofu workflows on the CA-trusting runner

After the move to the self-signed internal DNS (gitea.arcodange.lab / vault.arcodange.lab), the default `ubuntu-latest` runner image does not trust the homelab CA, so the `uses:` clone of the vault-action over HTTPS fails TLS verification. webapp's workflows already moved to the `ubuntu-latest-ca` runner (whose image ships the homelab CA); apply the same to the factory `iac` and `postgres` tofu workflows.

Co-Authored-By: Claude Opus 4.8
---
 .gitea/workflows/iac.yaml | 4 ++--
 .gitea/workflows/postgres.yaml | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.gitea/workflows/iac.yaml b/.gitea/workflows/iac.yaml
index eff0f6c..3bd5b05 100644
--- a/.gitea/workflows/iac.yaml
+++ b/.gitea/workflows/iac.yaml
@@ -36,7 +36,7 @@ concurrency:
 jobs:
 gitea_vault_auth:
 name: Auth with gitea for vault
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-ca
 outputs:
 gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
 steps:
@@ -50,7 +50,7 @@ jobs:
 name: Tofu
 needs:
 - gitea_vault_auth
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-ca
 env:
 OPENTOFU_VERSION: 1.8.2
 TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
diff --git a/.gitea/workflows/postgres.yaml b/.gitea/workflows/postgres.yaml
index d01e4db..bca5e44 100644
--- a/.gitea/workflows/postgres.yaml
+++ b/.gitea/workflows/postgres.yaml
@@ -33,7 +33,7 @@ concurrency:
 jobs:
 gitea_vault_auth:
 name: Auth with gitea for vault
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-ca
 outputs:
 gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
 steps:
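Review bot: The new `runs-on: ubuntu-latest-ca` line in `gitea_vault_auth` carries a TLS-trust requirement that is recorded only in the commit message, so a later editor has no hint that switching back to `ubuntu-latest` breaks certificate verification for the vault-action clone. I would add a comment directly above it, for example `# ubuntu-latest-ca: image ships the homelab CA, needed to verify gitea.arcodange.lab / vault.arcodange.lab over TLS`. The same comment fits the job named `Tofu` in the next hunk and both jobs in `.gitea/workflows/postgres.yaml`. The job's steps continue outside the hunk.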
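Review bot: The job named `Tofu` receives the Vault login token in `TERRAFORM_VAULT_AUTH_JWT`, so with the new `runs-on: ubuntu-latest-ca` line whatever image that label resolves to becomes part of the trust base for that credential. The label-to-image mapping is not visible in this patch and presumably lives in the runner configuration; it is worth confirming there that the image is referenced by digest rather than a floating tag. If the homelab CA is installed in the image's system trust store, tools in the job would likely accept certificates it issues for any hostname, so restricting the CA with name constraints to the `arcodange.lab` names keeps the added trust narrow. The same applies to the `Tofu - Postgres` job in `.gitea/workflows/postgres.yaml`; the job key and steps are outside the hunk.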
@@ -47,7 +47,7 @@ jobs:
 name: Tofu - Postgres
 needs:
 - gitea_vault_auth
- runs-on: ubuntu-latest
+ runs-on: ubuntu-latest-ca
 env:
 OPENTOFU_VERSION: 1.8.2
 TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}