fix(user-entrypoint): combine system CA bundle with corporate cert for git SSL

wilcorrea · Copilot · wilcorrea · commit 81af38a5669f · 2026-03-02T13:39:29.000-03:00
The init container (phase 1) runs update-ca-certificates but is discarded.
Phase 2 gets a fresh container where the system bundle has no corporate cert.
Fix: concatenate both into /tmp/combined-ca.crt and point GIT_SSL_CAINFO there.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/copilot-sandbox/user-entrypoint.sh b/copilot-sandbox/user-entrypoint.sh
@@ -62,7 +62,10 @@ fi
 # Corporate CA certificate
 if [ -f /usr/local/share/ca-certificates/extra-ca.crt ]; then
   export NODE_EXTRA_CA_CERTS=/usr/local/share/ca-certificates/extra-ca.crt
-  export GIT_SSL_CAINFO=/etc/ssl/certs/ca-certificates.crt
+  # Combine system CA bundle with corporate cert so git/curl trust both
+  _combined_ca="/tmp/combined-ca.crt"
+  cat /etc/ssl/certs/ca-certificates.crt /usr/local/share/ca-certificates/extra-ca.crt > "$_combined_ca"
+  export GIT_SSL_CAINFO="$_combined_ca"
 fi
 
 # SSH config — reconstruct from host keys (init phase runs in a separate container)
