From 9f832633b926f0f834f969c5a3d782a662354468 Mon Sep 17 00:00:00 2001 From: jwinterm Date: Tue, 19 May 2026 12:29:53 -0400 Subject: [PATCH 1/2] CI: skip TLS verify on iOS artifact upload + verbose AAB build MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit iOS: - Build itself succeeds (Runner.app sits in build/ios/iphonesimulator/). - actions/upload-artifact's Node.js HTTP client hits git.such.software via LAN (NAT hairpin), bypassing the public NPM/Let's Encrypt cert and landing on Gitea's internal self-signed cert. Node refuses with DEPTH_ZERO_SELF_SIGNED_CERT. - Setting NODE_TLS_REJECT_UNAUTHORIZED=0 at job env disables verification for all Node-based actions in the job. Acceptable here because we're talking to our own server on our own LAN — no external MITM surface. - Long-term cleaner fix: install Gitea's CA cert into the runner's system trust store, or have the runner reach Gitea via the public hostname so NPM's Let's Encrypt cert is presented. Android AAB: - APK built + signed + uploaded fine (~14 min). AAB build then failed at FinalizeBundleTask$BundleToolRunnable / :app:signReleaseBundle with no visible error. - Added --verbose to 'flutter build appbundle' so the next run prints the actual gradle stacktrace. Once we see WHY signReleaseBundle is failing, we can target the real fix. --- .github/workflows/build-android.yml | 6 ++++-- .github/workflows/build-ios-sim.yml | 8 ++++++++ .github/workflows/build-ios-testflight.yml | 4 ++++ 3 files changed, 16 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-android.yml b/.github/workflows/build-android.yml index 81b3f993..34c0577d 100644 --- a/.github/workflows/build-android.yml +++ b/.github/workflows/build-android.yml 
@@ -237,9 +237,11 @@ jobs: run: flutter build apk --dart-define-from-file=env.json --release # AAB for Play Console upload (Google generates per-ABI APKs server-side - # via Play App Signing). + # via Play App Signing). --verbose surfaces the full gradle stacktrace + # when FinalizeBundleTask / signReleaseBundle fails — without it the + # error is opaque ('FinalizeBundleTask$BundleToolRunnable failed'). - name: Build release AAB - run: flutter build appbundle --dart-define-from-file=env.json --release + run: flutter build appbundle --dart-define-from-file=env.json --release --verbose - name: Sanity-check signature on APK run: | diff --git a/.github/workflows/build-ios-sim.yml b/.github/workflows/build-ios-sim.yml index ea60e50b..93574416 100644 --- a/.github/workflows/build-ios-sim.yml +++ b/.github/workflows/build-ios-sim.yml @@ -32,6 +32,14 @@ jobs: # Gitea runner shell). Force UTF-8 globally so `pod install` succeeds. LANG: en_US.UTF-8 LC_ALL: en_US.UTF-8 + # The Mac runner hits git.such.software via the LAN (NAT hairpin), + # which bypasses the Let's Encrypt-fronted NPM and lands on Gitea's + # internal self-signed cert. Node won't trust it, so artifact upload + # bails with DEPTH_ZERO_SELF_SIGNED_CERT. Acceptable to skip + # validation since we're talking to our own infrastructure on our LAN. + # Long-term fix: point the runner at git.such.software via the public + # IP / NPM cert OR install Gitea's CA into the runner's trust store. + NODE_TLS_REJECT_UNAUTHORIZED: '0' steps: - uses: actions/checkout@v4 diff --git a/.github/workflows/build-ios-testflight.yml b/.github/workflows/build-ios-testflight.yml index f7be36a5..2a0b8f8a 100644 --- a/.github/workflows/build-ios-testflight.yml +++ b/.github/workflows/build-ios-testflight.yml 
@@ -38,6 +38,10 @@ jobs: # CocoaPods needs UTF-8; Gitea runner shell defaults to ASCII-8BIT. LANG: en_US.UTF-8 LC_ALL: en_US.UTF-8 + # Mac runner hits internal Gitea over LAN (NAT hairpin), bypassing + # the public Let's Encrypt cert. Skip TLS verification for the + # artifact upload — talking to our own server on our own network. + NODE_TLS_REJECT_UNAUTHORIZED: '0' steps: - uses: actions/checkout@v4 -- 2.50.1 (Apple Git-155) From ba5c81e78b5484f84250c4873bcd54e5616df19a Mon Sep 17 00:00:00 2001 From: jwinterm Date: Tue, 19 May 2026 12:52:29 -0400 Subject: [PATCH 2/2] CI: clarify NODE_TLS_REJECT_UNAUTHORIZED is a fallback now MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Gitea is on the same Mac mini as the runner, behind NPM in a separate container. The proper fix is a hosts entry on the Mac that points git.such.software at NPM's LAN IP so the runner reaches Gitea via NPM's Let's Encrypt cert. The env var stays in the workflow as a belt-and-suspenders fallback — no harm if certs already validate cleanly, saves the workflow from breaking again if the hosts entry ever gets blown away (system reset, container migration, etc). --- .github/workflows/build-ios-sim.yml | 12 +++++------- .github/workflows/build-ios-testflight.yml | 5 ++--- 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/.github/workflows/build-ios-sim.yml b/.github/workflows/build-ios-sim.yml index 93574416..4a0d6fa6 100644 --- a/.github/workflows/build-ios-sim.yml +++ b/.github/workflows/build-ios-sim.yml 
@@ -32,13 +32,11 @@ jobs: # Gitea runner shell). Force UTF-8 globally so `pod install` succeeds. LANG: en_US.UTF-8 LC_ALL: en_US.UTF-8 - # The Mac runner hits git.such.software via the LAN (NAT hairpin), - # which bypasses the Let's Encrypt-fronted NPM and lands on Gitea's - # internal self-signed cert. Node won't trust it, so artifact upload - # bails with DEPTH_ZERO_SELF_SIGNED_CERT. Acceptable to skip - # validation since we're talking to our own infrastructure on our LAN. - # Long-term fix: point the runner at git.such.software via the public - # IP / NPM cert OR install Gitea's CA into the runner's trust store. + # If you added an /etc/hosts entry on the Mac mini that points + # git.such.software at NPM's LAN IP (so the runner hits NPM's + # Let's Encrypt cert instead of Gitea's internal self-signed), + # this env var can be removed. Left in as a belt-and-suspenders + # fallback — has no effect if certs already verify. NODE_TLS_REJECT_UNAUTHORIZED: '0' steps: diff --git a/.github/workflows/build-ios-testflight.yml b/.github/workflows/build-ios-testflight.yml index 2a0b8f8a..51228754 100644 --- a/.github/workflows/build-ios-testflight.yml +++ b/.github/workflows/build-ios-testflight.yml @@ -38,9 +38,8 @@ jobs: # CocoaPods needs UTF-8; Gitea runner shell defaults to ASCII-8BIT. LANG: en_US.UTF-8 LC_ALL: en_US.UTF-8 - # Mac runner hits internal Gitea over LAN (NAT hairpin), bypassing - # the public Let's Encrypt cert. Skip TLS verification for the - # artifact upload — talking to our own server on our own network. + # See note in build-ios-sim.yml — fallback if /etc/hosts trick + # isn't in place. Safe no-op once it is. NODE_TLS_REJECT_UNAUTHORIZED: '0' steps: -- 2.50.1 (Apple Git-155)
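Review bot: In the build-android.yml hunk of PATCH 1/2, `--verbose` is added permanently to a release build even though the commit message frames it as a one-run diagnostic; verbose tool output is large and can echo the build inputs derived from `--dart-define-from-file=env.json` into the job log, so if env.json carries anything sensitive, check the log of the next run before leaving the flag in place, and revert or gate it once the signReleaseBundle cause is known.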
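Review bot: In the build-ios-sim.yml hunk of PATCH 1/2, `NODE_TLS_REJECT_UNAUTHORIZED: '0'` is set in the job-level `env:`, so it disables certificate validation for every Node process in the job, not only the artifact upload to git.such.software; any other Node-based action that fetches from the public internet then accepts any certificate, which contradicts the "no external MITM surface" reasoning in the comment. Prefer scoping it to the upload step's own `env:`, or drop it altogether and point Node at Gitea's certificate with `NODE_EXTRA_CA_CERTS=/path/to/gitea-ca.pem`, which keeps validation on while trusting the internal cert.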
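Review bot: In the build-ios-testflight.yml hunk of PATCH 1/2, the comment says verification is skipped "for the artifact upload", but the variable is placed at job scope and therefore applies to every Node-based step in the job, including any that download from outside the LAN; either move it into the upload step's `env:` so the comment matches the effect, or use `NODE_EXTRA_CA_CERTS` with Gitea's CA so no step runs with validation off.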
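Review bot: In the build-ios-sim.yml hunk of PATCH 2/2, the line "has no effect if certs already verify" is not accurate: `NODE_TLS_REJECT_UNAUTHORIZED=0` still disables chain validation for every TLS connection Node makes, so a certificate that would otherwise fail is accepted silently rather than rejected, and the /etc/hosts dependency the comment describes can break without anyone noticing. If a fallback is wanted, `NODE_EXTRA_CA_CERTS` pointing at Gitea's CA gives the same resilience while keeping verification on; otherwise let the upload fail loudly so the hosts entry gets restored.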
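Review bot: In the build-ios-testflight.yml hunk of PATCH 2/2, "Safe no-op once it is" makes the same incorrect claim as the sim workflow comment; the setting is never a no-op while present, it only becomes unnecessary. Since this comment defers to build-ios-sim.yml, a reader of this file alone will take "safe no-op" at face value, so either state the actual effect here or replace the variable with `NODE_EXTRA_CA_CERTS` in both workflows.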