diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index 7123a19..1bd0753 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -11,6 +11,18 @@ on: push: branches: [main] +# Node 24's bundled CA set does not include every intermediate the +# self-hosted runner's network path serves (the precompiled-binary +# CDN behind grpc-tools is the first surface where this surfaced). +# `--use-system-ca` tells Node to consult the OS CA store in +# addition to its bundled set — supported since Node 22 and the +# documented Node-team fix for exactly this class of TLS-chain +# rejection. The runner image (`catthehacker/ubuntu:act-22.04` per +# ADR-0015) carries the standard Ubuntu `ca-certificates` bundle, +# which validates the impacted chains. +env: + NODE_OPTIONS: --use-system-ca + jobs: check: runs-on: [self-hosted, on-prem] diff --git a/.gitea/workflows/docs-site.yml b/.gitea/workflows/docs-site.yml index 1d271e1..113bbce 100644 --- a/.gitea/workflows/docs-site.yml +++ b/.gitea/workflows/docs-site.yml @@ -28,6 +28,13 @@ on: - 'pnpm-lock.yaml' - '.gitea/workflows/docs-site.yml' +# See `.gitea/workflows/ci.yml` for the rationale — Node 24's +# bundled CA set rejects some chains the runner's OS trust store +# validates, and `--use-system-ca` (Node ≥ 22) tells Node to +# consult the OS CA bundle alongside its own. +env: + NODE_OPTIONS: --use-system-ca + jobs: build: runs-on: [self-hosted, on-prem]