Drop http scheme from CA-bundle guard in gitDownload

InstallProtocol("https", ...) has no effect on plain http:// URLs, so
including u.Scheme == "http" in the condition only needlessly locked
the mutex and performed a no-op protocol registration.

Author: thardeck

internal/bundlereader/gitclone.go

@@ -54,7 +54,8 @@ func gitDownload(ctx context.Context, dst, rawURL string, auth Auth) error {
 	// When a CA bundle is supplied for an HTTPS URL, install a custom transport
 	// that trusts only that CA (not the system pool). Serialise with a mutex
 	// because go-git's protocol registry is process-global.
-	if len(auth.CABundle) > 0 && (u.Scheme == "https" || u.Scheme == "http") {
+	// Plain HTTP does not use TLS, so a CA bundle has no effect there.
+	if len(auth.CABundle) > 0 && u.Scheme == "https" {
 		caCloneMutex.Lock()
 		defer caCloneMutex.Unlock()