
Switch minreq TLS from webpki-roots to native certs (fixes #541)#542

Merged
svarlamov merged 3 commits into main from devin/1771338878-rustls-native-certs on Feb 17, 2026

Conversation

@svarlamov (Member) commented Feb 17, 2026

Switch minreq TLS to native OS certificate store (fixes #541)

Summary

Changes the minreq feature flag from https-rustls to https-rustls-probe so that TLS connections use the OS certificate store (rustls-native-certs) instead of the compiled-in Mozilla root CA bundle (webpki-roots). This allows users running self-hosted GitLab with custom/internal CA certificates to use git-ai ci gitlab by installing their CA into the system trust store.

The one-line Cargo.toml change affects all minreq HTTPS calls (GitLab CI API, main API client, Sentry, PostHog, JetBrains plugin downloads).

Also adds unit tests for the GitLab CI module (MR JSON deserialization, template YAML) and an integration test verifying the native cert store can be loaded.

Updates since last revision

  • Updated rustls-native-certs dev-dependency from 0.6 to 0.8 (latest)
  • Removed all tests that hit external URLs (gitlab.com, httpbin.org, etc.) — no more network-dependent tests
  • Removed env-var-manipulating #[serial] tests (the unsafe set_var/remove_var tests)
  • Remaining tests are all pure/deterministic: 4 deserialization/template unit tests + 1 local cert store loading test

Review & Testing Checklist for Human

  • Verify fallback in minimal containers: webpki-roots is fully removed from the dep tree. In stripped Docker images (e.g., FROM scratch or minimal Alpine without ca-certificates), the bundled Mozilla roots were silently making things work. With https-rustls-probe, if the OS cert store is empty, TLS connections will fail. Confirm this trade-off is acceptable for your user base.
  • Note: two versions of rustls-native-certs in lockfile: minreq internally pulls 0.6.3 (its own dependency); the dev-dep for tests is 0.8.3. This is harmless (test-only) but worth being aware of.
  • Recommended manual test: In a Docker container with a self-signed CA cert installed to the system store, run git-ai ci gitlab run against a self-hosted GitLab instance and confirm the UnknownIssuer error from #541 (Add an explicit configuration way to support custom TLS certificates) is resolved.

Notes

  • No test exercises a custom/self-signed CA end-to-end — the integration test only confirms the native cert store loads successfully. The actual fix is validated by the manual test above.
  • Requested by: @svarlamov
  • Link to Devin run
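The checklist item about minimal containers comes down to one question: at startup, does the probe find any roots at all? As an added example (not code from git-ai, minreq or rustls-native-certs), the std-only Rust below models what the https-rustls-probe path does on a Unix host: resolve SSL_CERT_FILE / SSL_CERT_DIR or a handful of well-known distro paths, parse the PEM bundle to DER, and, instead of handing back an empty root set, fail with a distinct error for "no store found" (a FROM scratch image) versus "store present but empty". The candidate path list (modelled on openssl-probe), the .pem/.crt extension filter and the RootStoreError type are all assumptions made for illustration, not the real loader's behaviour.

```rust
// Added example (not git-ai's, minreq's or rustls-native-certs' code): a
// std-only model of the native-cert probe so the "empty OS trust store"
// failure mode from the review checklist can be detected before the first
// TLS handshake. Candidate paths and error type are assumptions.
use std::env;
use std::fs;
use std::path::{Path, PathBuf};

/// Locations tried when SSL_CERT_FILE / SSL_CERT_DIR are unset
/// (assumed list modelled on openssl-probe; the real list is longer).
const CANDIDATE_FILES: &[&str] = &[
    "/etc/ssl/certs/ca-certificates.crt", // Debian/Ubuntu/Alpine ca-certificates
    "/etc/pki/tls/certs/ca-bundle.crt",   // RHEL/Fedora
    "/etc/ssl/cert.pem",                  // BSD/macOS style bundle
];
const CANDIDATE_DIRS: &[&str] = &["/etc/ssl/certs", "/etc/pki/tls/certs"];

#[derive(Debug, PartialEq)]
pub enum RootStoreError {
    /// Neither a bundle file nor a cert directory exists (e.g. FROM scratch).
    NoStoreFound,
    /// A store location exists but yields zero certificates.
    Empty(PathBuf),
}

/// Decode every `-----BEGIN CERTIFICATE-----` block in a PEM bundle to DER.
/// Other PEM block types (keys, CRLs) are skipped.
pub fn pem_to_der(pem: &str) -> Vec<Vec<u8>> {
    let mut out = Vec::new();
    let mut body: Option<String> = None;
    for line in pem.lines() {
        let line = line.trim();
        if line == "-----BEGIN CERTIFICATE-----" {
            body = Some(String::new());
        } else if line == "-----END CERTIFICATE-----" {
            if let Some(b64) = body.take() {
                if let Some(der) = base64_decode(&b64) {
                    out.push(der);
                }
            }
        } else if let Some(b) = body.as_mut() {
            b.push_str(line);
        }
    }
    out
}

/// Minimal standard-alphabet base64 decoder (std has none); None on bad input.
fn base64_decode(s: &str) -> Option<Vec<u8>> {
    let val = |c: u8| -> Option<u32> {
        match c {
            b'A'..=b'Z' => Some((c - b'A') as u32),
            b'a'..=b'z' => Some((c - b'a') as u32 + 26),
            b'0'..=b'9' => Some((c - b'0') as u32 + 52),
            b'+' => Some(62),
            b'/' => Some(63),
            _ => None,
        }
    };
    let bytes: Vec<u8> = s.bytes().filter(|&c| c != b'=').collect();
    let mut out = Vec::with_capacity(bytes.len() * 3 / 4);
    for chunk in bytes.chunks(4) {
        let mut acc: u32 = 0;
        for &c in chunk {
            acc = (acc << 6) | val(c)?;
        }
        // Left-align the group to 24 bits; a short final group yields fewer bytes.
        acc <<= 24 - chunk.len() * 6;
        let n = chunk.len() * 6 / 8; // 4 chars -> 3 bytes, 3 -> 2, 2 -> 1
        for i in 0..n {
            out.push((acc >> (16 - 8 * i)) as u8);
        }
    }
    Some(out)
}

/// Load DER roots from a bundle file and/or a cert directory. Unlike simply
/// returning an empty Vec, this distinguishes "nothing to probe" from
/// "probed, found nothing", which is the case the checklist warns about.
pub fn load_roots(file: Option<&Path>, dir: Option<&Path>) -> Result<Vec<Vec<u8>>, RootStoreError> {
    let mut roots = Vec::new();
    let mut looked_at: Option<PathBuf> = None;
    if let Some(f) = file.filter(|f| f.is_file()) {
        looked_at = Some(f.to_path_buf());
        if let Ok(text) = fs::read_to_string(f) {
            roots.extend(pem_to_der(&text));
        }
    }
    if let Some(d) = dir.filter(|d| d.is_dir()) {
        looked_at.get_or_insert_with(|| d.to_path_buf());
        if let Ok(entries) = fs::read_dir(d) {
            for entry in entries.flatten() {
                let p = entry.path();
                // Simplification: only .pem/.crt files; real loaders read hash symlinks too.
                if p.extension().map_or(false, |e| e == "pem" || e == "crt") {
                    if let Ok(text) = fs::read_to_string(&p) {
                        roots.extend(pem_to_der(&text));
                    }
                }
            }
        }
    }
    match (roots.is_empty(), looked_at) {
        (false, _) => Ok(roots),
        (true, None) => Err(RootStoreError::NoStoreFound),
        (true, Some(p)) => Err(RootStoreError::Empty(p)),
    }
}

/// Resolve locations in the assumed probe order: explicit env vars first,
/// then the first well-known path that exists.
pub fn load_roots_from_env() -> Result<Vec<Vec<u8>>, RootStoreError> {
    let file = env::var_os("SSL_CERT_FILE")
        .map(PathBuf::from)
        .or_else(|| CANDIDATE_FILES.iter().copied().map(PathBuf::from).find(|p| p.is_file()));
    let dir = env::var_os("SSL_CERT_DIR")
        .map(PathBuf::from)
        .or_else(|| CANDIDATE_DIRS.iter().copied().map(PathBuf::from).find(|p| p.is_dir()));
    load_roots(file.as_deref(), dir.as_deref())
}

fn main() {
    match load_roots_from_env() {
        Ok(roots) => println!("native trust store: {} root certificate(s) loaded", roots.len()),
        Err(RootStoreError::NoStoreFound) => eprintln!(
            "no OS trust store found: install ca-certificates or set SSL_CERT_FILE before using HTTPS"
        ),
        Err(RootStoreError::Empty(p)) => eprintln!("trust store at {} contains no certificates", p.display()),
    }
}
```

Run as a preflight in the stripped image described in the checklist and the handshake-time failure becomes an explicit message naming the missing ca-certificates package; pointing SSL_CERT_FILE at the internal CA's PEM is the same mechanism a user would rely on to make a self-hosted GitLab's certificate chain trusted.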

Change minreq feature from https-rustls to https-rustls-probe so that
rustls loads certificates from the OS certificate store at runtime
instead of using the compiled-in Mozilla root CA bundle. This allows
users with self-hosted GitLab instances using custom/internal CA
certificates to work correctly by installing their CA into the system
trust store.

Add unit tests for GitLab CI context (env var validation, MR
deserialization) and integration tests verifying TLS native cert
loading and HTTPS connectivity.

Co-Authored-By: Sasha Varlamov <sasha@sashavarlamov.com>
@devin-ai-integration (Contributor)

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

@git-ai-cloud-dev

No AI authorship found for these commits. Please install git-ai to start tracking AI generated code in your commits.

@git-ai-cloud

git-ai-cloud bot commented Feb 17, 2026

No AI authorship found for these commits. Please install git-ai to start tracking AI generated code in your commits.

@devin-ai-integration (Contributor) left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 4 additional findings.

@Mingela

Mingela commented Feb 17, 2026

That's a stunning speed of reaction and change suggestion @svarlamov! I'd also appreciate compiled executables available after the change is merged so that I could test those at my setup quickly. Thanks again.

@svarlamov (Member, Author)

Hey @Mingela happy to help! I'll run a pre-release soon after this is merged so you can get binaries

@svarlamov svarlamov merged commit 872f164 into main Feb 17, 2026
15 checks passed
@svarlamov svarlamov deleted the devin/1771338878-rustls-native-certs branch February 17, 2026 15:04


Successfully merging this pull request may close these issues.

Add an explicit configuration way to support custom TLS certificates
