From c0f125a33b0b20d4c0aa9c9638281fe7f2c49d10 Mon Sep 17 00:00:00 2001
From: Skylar Simoncelli <skylar@skylar.email>
Date: Fri, 12 Jun 2026 11:10:08 +0100
Subject: [PATCH] ci: disable earthly TLS in bot workflows (settings-hash
 parity with CI)

---
 .github/workflows/rebuild-chainspec-bot.yml | 10 ++++++++++
 .github/workflows/rebuild-metadata-bot.yml  | 10 ++++++++++
 2 files changed, 20 insertions(+)

diff --git a/.github/workflows/rebuild-chainspec-bot.yml b/.github/workflows/rebuild-chainspec-bot.yml
index e46dd98ab..38117109c 100644
--- a/.github/workflows/rebuild-chainspec-bot.yml
+++ b/.github/workflows/rebuild-chainspec-bot.yml
@@ -143,6 +143,16 @@ jobs:
           username: MidnightCI
           password: ${{ secrets.MIDNIGHTCI_PACKAGES_READ }}
 
+      # Self-hosted-runner-specific: earthly's managed buildkitd defaults to TLS
+      # but no certs are provisioned on the runner. Beyond fixing this job's own
+      # TLS failure, this keeps the buildkit settings hash byte-identical with
+      # every other self-hosted earthly caller (see continuous-integration.yml) —
+      # a mismatched hash makes earthly force-recreate the shared buildkitd,
+      # cancelling every in-flight build on the box.
+      - name: Disable earthly TLS (self-hosted runner has no certs)
+        run: |
+          echo "    tls_enabled: false" >> .earthly/config.yml
+
       - name: Run rebuild-chainspec
         env:
           EARTHLY_CONFIG: .earthly/config.yml
diff --git a/.github/workflows/rebuild-metadata-bot.yml b/.github/workflows/rebuild-metadata-bot.yml
index 918e9691a..80cc2ed2d 100644
--- a/.github/workflows/rebuild-metadata-bot.yml
+++ b/.github/workflows/rebuild-metadata-bot.yml
@@ -97,6 +97,16 @@ jobs:
           username: MidnightCI
           password: ${{ secrets.MIDNIGHTCI_PACKAGES_READ }}
 
+      # Self-hosted-runner-specific: earthly's managed buildkitd defaults to TLS
+      # but no certs are provisioned on the runner. Beyond fixing this job's own
+      # TLS failure, this keeps the buildkit settings hash byte-identical with
+      # every other self-hosted earthly caller (see continuous-integration.yml) —
+      # a mismatched hash makes earthly force-recreate the shared buildkitd,
+      # cancelling every in-flight build on the box.
+      - name: Disable earthly TLS (self-hosted runner has no certs)
+        run: |
+          echo "    tls_enabled: false" >> .earthly/config.yml
+
       - name: Run rebuild-metadata
         env:
           EARTHLY_CONFIG: .earthly/config.yml