From 5503be1fb3be00f14515306b04c35497d699a41b Mon Sep 17 00:00:00 2001
From: Ettore Di Giacinto <mudler@localai.io>
Date: Sun, 3 May 2026 23:29:53 +0000
Subject: [PATCH] =?UTF-8?q?fix(ci):=20use=20http=20for=20the=20kernel.org?=
 =?UTF-8?q?=20mirror=20=E2=80=94=20bare=20ubuntu=20image=20has=20no=20CA?=
 =?UTF-8?q?=20bundle?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Docker build runs on the minimal ubuntu:24.04 base image, which
ships *without* ca-certificates. The very first apt-get update over
HTTPS therefore fails the TLS handshake ("No system certificates
available. Try installing ca-certificates."), and apt can't reach
ca-certificates itself to fix the situation — chicken and egg.

Apt validates package integrity via GPG-signed Release files, so plain
HTTP is safe for the archive. archive.ubuntu.com / azure.archive are
already accessed over HTTP for the same reason. Switch the kernel.org
defaults from https://mirrors.edge.kernel.org to
http://mirrors.edge.kernel.org so the in-Dockerfile rewrite works on
self-hosted runners too.

Assisted-by: Claude:claude-opus-4-7[1m] [Claude Code]
Signed-off-by: Ettore Di Giacinto <mudler@localai.io>
---
 .github/actions/configure-apt-mirror/action.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/actions/configure-apt-mirror/action.yml b/.github/actions/configure-apt-mirror/action.yml
index ec5f42784..84e5e7650 100644
--- a/.github/actions/configure-apt-mirror/action.yml
+++ b/.github/actions/configure-apt-mirror/action.yml
@@ -28,11 +28,16 @@ inputs:
   self-hosted-mirror:
     description: 'archive/security mirror URL for self-hosted runners (empty = upstream)'
     required: false
-    default: 'https://mirrors.edge.kernel.org'
+    # HTTP, not HTTPS: the bare ubuntu:24.04 builder image doesn't ship
+    # ca-certificates, so the very first apt-get update over TLS would
+    # fail with "No system certificates available" before it can install
+    # anything. apt validates package integrity via GPG signatures, so
+    # plain HTTP is safe for the archive itself.
+    default: 'http://mirrors.edge.kernel.org'
   self-hosted-ports-mirror:
     description: 'ports.ubuntu.com mirror URL for self-hosted runners (empty = upstream)'
     required: false
-    default: 'https://mirrors.edge.kernel.org'
+    default: 'http://mirrors.edge.kernel.org'
 
 outputs:
   effective-mirror: