fix(ci): move grpc-tools to optionalDependencies (revert NODE_OPTIONS attempt)
CI / commits (pull_request) Successful in 3m57s
CI / scan (pull_request) Successful in 4m20s
CI / check (pull_request) Successful in 6m13s
CI / a11y (pull_request) Successful in 2m53s
Docs site / build (pull_request) Successful in 4m0s
CI / perf (pull_request) Successful in 7m41s

The NODE_OPTIONS=--use-system-ca workaround merged in #199 did not
clear the failure — the same TLS-chain rejection still trips the
runner. Either the runner's OS CA store also lacks the missing
intermediate, or `--use-system-ca` does not propagate down to the
node-fetch@2 used by node-pre-gyp. Without runner shell access the
exact reason is not worth investigating.

Different angle: grpc-tools is never invoked in CI. The protoc
binary it downloads is only used by `pnpm run grpc:codegen`, which
runs on a developer's machine when a proto file changes. The
generated TypeScript stubs in apps/portal-bff/src/grpc/gen/ are
committed (per ADR-0024 §"Sub-decision 3 — vendored protos"), so
CI only needs to type-check them — protoc is dead weight there.

Move grpc-tools from devDependencies to optionalDependencies. Per
pnpm semantics, an optional dependency whose install (including
postinstall) fails is logged as a warning and the overall install
continues. On the runner: postinstall still fails on TLS, pnpm
emits a warning, ci:check proceeds. On a developer machine: TLS
validates, postinstall runs, protoc binary lands, `pnpm grpc:codegen`
works exactly as before. No dev-side friction; no workflow env
vars to maintain.

Reverts the workflow `env:` blocks added in #199 — they did not
help and adding noise to the workflow YAML for a non-working
workaround is worse than removing it.
This commit is contained in:
Julien Gautier
2026-05-20 15:03:37 +02:00
parent 219b7a2143
commit 204727b1a7
4 changed files with 12 additions and 24 deletions
-12
View File
@@ -11,18 +11,6 @@ on:
push:
branches: [main]
# Node 24's bundled CA set does not include every intermediate the
# self-hosted runner's network path serves (the precompiled-binary
# CDN behind grpc-tools is the first surface where this surfaced).
# `--use-system-ca` tells Node to consult the OS CA store in
# addition to its bundled set — supported since Node 22 and the
# documented Node-team fix for exactly this class of TLS-chain
# rejection. The runner image (`catthehacker/ubuntu:act-22.04` per
# ADR-0015) carries the standard Ubuntu `ca-certificates` bundle,
# which validates the impacted chains.
env:
NODE_OPTIONS: --use-system-ca
jobs:
check:
runs-on: [self-hosted, on-prem]
-7
View File
@@ -28,13 +28,6 @@ on:
- 'pnpm-lock.yaml'
- '.gitea/workflows/docs-site.yml'
# See `.gitea/workflows/ci.yml` for the rationale — Node 24's
# bundled CA set rejects some chains the runner's OS trust store
# validates, and `--use-system-ca` (Node ≥ 22) tells Node to
# consult the OS CA bundle alongside its own.
env:
NODE_OPTIONS: --use-system-ca
jobs:
build:
runs-on: [self-hosted, on-prem]