Add CA debug

.forgejo/workflows/ci.yaml

@@ -40,6 +40,25 @@ jobs:
           cp /etc/cluster-ca/root-ca.crt /usr/local/share/ca-certificates/cluster-root-ca.crt
           update-ca-certificates
 
+      - name: Debug CA trust
+        run: |
+          echo "== cluster CA file =="
+          ls -l /etc/cluster-ca || true
+          ls -l /etc/cluster-ca/root-ca.crt || true
+          echo "== ca-certificates directory =="
+          ls -l /usr/local/share/ca-certificates || true
+          ls -l /etc/ssl/certs | head -n 20
+          echo "== CA content (cluster) =="
+          openssl x509 -in /etc/cluster-ca/root-ca.crt -noout -subject -issuer -dates -fingerprint -sha256 || true
+          echo "== CA in system trust store? =="
+          grep -R "BEGIN CERTIFICATE" -n /etc/ssl/certs || true
+
+      - name: Debug docker registry trust
+        run: |
+          echo "== docker certs.d (job container) =="
+          ls -l /etc/docker/certs.d || true
+          ls -l /etc/docker/certs.d/harbor.k8s.sk4.nz || true
+
       - name: Install required dependencies
         run: |
           apt-get update