Add insecure TLS support, CA bundle handling, and package update for SunOS environments

This commit introduces the following updates:
- Adds an environment variable (`SOLSTICE_ALLOW_INSECURE`) to enable insecure TLS as a fallback for curl.
- Improves CA certificate handling and automatic installation on SunOS using IPS or pkgin.
- Extends fallback logic for repository fetching to cover scenarios with missing CA bundles.
- Updates Solstice job script dependencies to include `cmake`.
Till Wegmueller 2025-11-02 20:48:05 +01:00
parent b84e97e513
commit 6631ce4d6e
2 changed files with 25 additions and 4 deletions


@ -29,7 +29,7 @@ install_linux() {
apt)
sudo -n true 2>/dev/null || true
sudo apt-get update -y || apt-get update -y || true
sudo apt-get install -y --no-install-recommends curl ca-certificates git build-essential pkg-config libssl-dev protobuf-compiler || true
sudo apt-get install -y --no-install-recommends curl ca-certificates git build-essential pkg-config libssl-dev protobuf-compiler cmake || true
;;
dnf)
sudo dnf install -y curl ca-certificates git gcc gcc-c++ make pkgconf-pkg-config openssl-devel protobuf-compiler || true


@ -78,9 +78,13 @@ async fn fetch_repo_via_archive(repo_https: &str, sha: &str, workdir: &str) -> R
let base = repo_https.trim_end_matches('.').trim_end_matches(".git");
let url = format!("{}/archive/{}.tar.gz", base, sha);
// Check if we should allow insecure TLS (last resort)
let insecure = std::env::var("SOLSTICE_ALLOW_INSECURE").ok().map(|v| v == "1" || v.eq_ignore_ascii_case("true")).unwrap_or(false);
let curl_flags = if insecure { "-fSLk" } else { "-fSL" };
// Try curl | tar, then wget | tar
let cmd_curl = format!(
"mkdir -p {workdir} && curl -fSL {url} | tar -xz -C {workdir} --strip-components=1"
"mkdir -p {workdir} && curl {curl_flags} {url} | tar -xz -C {workdir} --strip-components=1"
);
if run_shell(&cmd_curl).await.is_ok() {
return Ok(());
@ -92,7 +96,7 @@ async fn fetch_repo_via_archive(repo_https: &str, sha: &str, workdir: &str) -> R
return Ok(());
}
// On illumos/SunOS images, curl/wget may be missing. Try to install curl and retry.
// On illumos/SunOS images, curl/wget may be missing or CA bundle absent. Try to install tools and CA certs, then retry.
let os = std::env::var("SOLSTICE_OS_OVERRIDE").ok().unwrap_or_else(|| {
// Best-effort OS detection
std::env::consts::OS.to_string()
@ -104,16 +108,33 @@ async fn fetch_repo_via_archive(repo_https: &str, sha: &str, workdir: &str) -> R
if is_sunos {
// Try IPS (pkg) first, then pkgin
let _ = run_shell("sudo pkg refresh || true").await;
// curl
if run_shell("sudo pkg install -v web/curl").await.is_err() {
let _ = run_shell("sudo pkgin -y install curl").await;
}
// Retry with curl
// CA certificates (package name may differ per distro)
let _ = run_shell("sudo pkg install -v web/ca-certificates || sudo pkg install -v library/security/ca-certificates || true").await;
let _ = run_shell("sudo pkgin -y install mozilla-rootcerts || true").await;
let _ = run_shell("sudo mozilla-rootcerts install || true").await;
// Retry with curl and wget
if run_shell(&cmd_curl).await.is_ok() {
return Ok(());
}
if run_shell(&cmd_wget).await.is_ok() {
return Ok(());
}
// As a last resort with explicit opt-in, try curl --insecure
if insecure {
let cmd_curl_insecure = format!(
"mkdir -p {workdir} && curl -fSLk {url} | tar -xz -C {workdir} --strip-components=1"
);
if run_shell(&cmd_curl_insecure).await.is_ok() {
warn!("used curl --insecure to fetch repo archive on SunOS");
return Ok(());
}
}
}
Err(miette::miette!("failed to fetch repo archive via HTTP for {url}"))
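Review bot: Setting `SOLSTICE_ALLOW_INSECURE` disables certificate verification on the very first curl attempt, because `let curl_flags = if insecure { "-fSLk" } else { "-fSL" };` feeds `cmd_curl`, so the "last resort" comments and the explicit opt-in block under `if is_sunos` no longer describe what happens: a verified download is never tried once the variable is set, the SunOS `cmd_curl_insecure` retry is redundant with `cmd_curl`, and on non-SunOS hosts the unverified fetch runs with no `warn!` at all. I would keep the first attempt verified, `"mkdir -p {workdir} && curl -fSL {url} | tar -xz -C {workdir} --strip-components=1"`, drop `curl_flags`, and move the existing `if insecure { ... }` block out of the `is_sunos` branch so the `-k` command is the only unverified path and is reached only after the verified curl, wget and CA-bundle installation attempts have failed. Emitting the `warn!` before running the insecure command rather than only on success would also record the downgrade attempt when it fails. The rest of fetch_repo_via_archive, including its closing brace, lies outside this hunk.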