fix(ci): run factory tofu workflows on the CA-trusting runner #11

Merged
arcodange merged 1 commit from arcodange/focused-dirac-151213 into main 2026-06-24 13:03:00 +02:00
Owner

What

Switch the factory iac and postgres OpenTofu workflows from runs-on: ubuntu-latest to runs-on: ubuntu-latest-ca (both the gitea_vault_auth and tofu jobs in each file).

Why

Since the move to the self-signed internal DNS (gitea.arcodange.lab / vault.arcodange.lab), the default ubuntu-latest runner image does not trust the homelab CA. The first thing each job does is `uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main`, which clones the action over HTTPS and fails x509 verification on the self-signed cert — so the workflow never reaches terraform apply.

The ubuntu-latest-ca runner image ships the homelab CA in its trust store. The webapp repo's vault.yaml already moved to it; this just applies the same fix to the two factory workflows that were missed.

Changes

  • .gitea/workflows/iac.yaml — both jobs → ubuntu-latest-ca
  • .gitea/workflows/postgres.yaml — both jobs → ubuntu-latest-ca

No logic change beyond the runner label.

Note: this unblocks the clone/TLS failure. The OVH/Cloudflare admin credentials in kvv1/admin/** (lost in the earlier Vault incident, since regenerated) still need to be verified against what the providers expect — tracked separately, not in this PR.

🤖 Generated with Claude Code
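Added example, not code from the PR or from the factory repo: a POSIX shell lint that walks a `.gitea/workflows` directory and flags any job that `uses:` an action from the internal Gitea host while its `runs-on` is a label other than `ubuntu-latest-ca`. That is the class of omission this PR closes (the two factory workflows missed when webapp moved), and the check is cheap enough to run before pushing a workflow change. The sample workflow files it builds are constructed for the example; the real contents of `iac.yaml` and `postgres.yaml` are not on this page. It assumes job keys are indented by exactly two spaces under `jobs:` and that `runs-on` is a plain string label.

```shell
#!/bin/sh
# Lint Gitea workflow files for jobs that clone an action from the internal
# HTTPS host but run on a runner image without the homelab CA.
# Assumptions (from the PR): internal host gitea.arcodange.lab, CA-trusting
# runner label ubuntu-latest-ca. Both can be overridden via the environment.
INTERNAL_HOST="${INTERNAL_HOST:-gitea.arcodange.lab}"
CA_LABEL="${CA_LABEL:-ubuntu-latest-ca}"

# find_untrusted_jobs DIR: print "file:job" for every job that references the
# internal host in a `uses:` line but whose `runs-on:` is not $CA_LABEL.
# Returns 0 when every such job is on the CA runner, 1 otherwise.
find_untrusted_jobs() {
    dir="$1"
    found=0
    for f in "$dir"/*.yaml "$dir"/*.yml; do
        [ -f "$f" ] || continue
        # One awk pass per file: track the current job (a key indented by two
        # spaces under "jobs:"), its runs-on label, and whether any step
        # pulls an action over https:// from the internal host.
        out=$(awk -v host="$INTERNAL_HOST" -v ca="$CA_LABEL" -v file="$f" '
            function flush() {
                if (job != "" && uses_internal && runner != ca)
                    print file ":" job
                job = ""; runner = ""; uses_internal = 0
            }
            /^jobs:/ { injobs = 1; next }
            injobs && /^  [A-Za-z0-9_-]+:/ { flush(); job = $1; sub(":$", "", job); next }
            injobs && /^[^ ]/ { flush(); injobs = 0 }
            injobs && /^ +runs-on:/ { runner = $2 }
            injobs && /^ +(- )?uses:/ && index($0, "https://" host "/") { uses_internal = 1 }
            END { flush() }
        ' "$f")
        if [ -n "$out" ]; then
            printf '%s\n' "$out"
            found=1
        fi
    done
    return $found
}

# make_sample_workflows: build a constructed workflows directory in a temp
# location and print its path. iac.yaml has one job still on ubuntu-latest
# (the defect), postgres.yaml is already fixed, and a third file uses only a
# public action, which is fine on any runner.
make_sample_workflows() {
    dir=$(mktemp -d)
    cat > "$dir/iac.yaml" <<'EOF'
name: iac
on: [push]
jobs:
  gitea_vault_auth:
    runs-on: ubuntu-latest
    steps:
      - uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
  tofu:
    runs-on: ubuntu-latest-ca
    steps:
      - uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
      - run: tofu apply -auto-approve
EOF
    cat > "$dir/postgres.yaml" <<'EOF'
name: postgres
on: [push]
jobs:
  gitea_vault_auth:
    runs-on: ubuntu-latest-ca
    steps:
      - uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
  tofu:
    runs-on: ubuntu-latest-ca
    steps:
      - uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
EOF
    cat > "$dir/lint.yaml" <<'EOF'
name: lint
on: [push]
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
EOF
    printf '%s\n' "$dir"
}
```

Run it as `find_untrusted_jobs .gitea/workflows` from the repo root; a non-zero exit with `iac.yaml:gitea_vault_auth` on stdout is the signal that the job would fail x509 verification at its first step. Jobs that only use public actions are not reported, since the public runner image trusts those hosts already.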

arcodange added 1 commit 2026-06-24 11:23:14 +02:00
After the move to the self-signed internal DNS (gitea.arcodange.lab /
vault.arcodange.lab), the default `ubuntu-latest` runner image does not
trust the homelab CA, so the `uses:` clone of the vault-action over HTTPS
fails TLS verification. webapp's workflows already moved to the
`ubuntu-latest-ca` runner (whose image ships the homelab CA); apply the
same to the factory `iac` and `postgres` tofu workflows.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
arcodange merged commit bfa05ff633 into main 2026-06-24 13:03:00 +02:00

Reference: arcodange-org/factory#11